Testing for command injection

OWASP

OWASP Web Security Testing Guide 4.2 > 7. Data Validation Testing > 7.12. Testing for Command Injection

ID: 7.12
Link to Hackinglife: WSTG-INPV-12
Link to OWASP: Testing for Command Injection
Description: Identify and assess the command injection points with special characters (i.e.: | ; & $ > < ' !). For example: ?doc=Doc1.pdf+|+Dir c:|

Command injection vulnerabilities in the context of web application penetration testing occur when an attacker can manipulate the input fields of a web application in a way that allows them to execute arbitrary operating system commands on the underlying server. This type of vulnerability is a serious security risk because it can lead to unauthorized access, data theft, and full compromise of the web server.

Causes:

  • User Input Handling: Web applications often take user input through forms, query parameters, or other means.
  • Lack of Input Sanitization: Insecurely coded applications may fail to properly validate, sanitize, or escape user inputs before using them in system commands.
  • Injection Points: Attackers identify injection points, such as input fields or URL query parameters, where they can insert malicious commands.

Impact:

  • Unauthorized Execution: Attackers can execute arbitrary commands with the privileges of the web server process. This can lead to unauthorized data access, code execution, or system compromise.
  • Data Exfiltration: Attackers can exfiltrate sensitive data, such as database content, files, or system configurations.
  • System Manipulation: Attackers may manipulate the server, install malware, or create backdoors for future access.

How to Test

Malicious Input: Attackers craft input that includes special characters, like semicolons, pipes, backticks, and other shell metacharacters, to break out of the intended input context and inject their commands.

Command Execution: When the application processes the attacker's input, it constructs a shell command using the malicious input. The server, believing the command to be legitimate, executes it in the underlying operating system.

In practice, send each candidate parameter with a metacharacter followed by a command whose effect is observable from outside (an echoed marker, a delay such as sleep 5, or an outbound DNS or HTTP request) and compare the response content and timing with those of the unmodified request.

Case Study: Perl

When viewing a file in a web application, the filename is often shown in the URL. Perl's two-argument open() treats a filename that ends with the pipe symbol | as a command to run, and returns that command's output as the file contents. If the doc parameter is passed straight to such an open(), the user can simply append | to the end of the "filename" and the server runs whatever precedes it.

```text
# Example URL before alteration
http://sensitive/cgi-bin/userData.pl?doc=user1.txt

# Example URL modified
http://sensitive/cgi-bin/userData.pl?doc=/bin/ls|
```
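The same flaw as userData.pl, reconstructed in Python as an added example (this is not code from the OWASP guide or from any real userData.pl): view_doc_vulnerable() splices the doc parameter into a /bin/sh command line, so the ; and | payloads described above run a second command, while view_doc_hardened() serves the same feature with no shell, an allow-list on the file name and a containment check. The document directory and its user1.txt are created in a temporary directory so the code runs offline; DOC_DIR and the function names are assumptions.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed fixture: a throw-away document directory with one file, so the
# example runs offline. DOC_DIR is an assumption, not a path from the page.
DOC_DIR = Path(tempfile.mkdtemp(prefix="docs-"))
(DOC_DIR / "user1.txt").write_text("hello from user1\n")

# Allow-list for document names: letters, digits, dot, dash, underscore; no
# leading dot, no path separator, no shell metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")


def view_doc_vulnerable(doc: str) -> str:
    """Builds a command line from the raw parameter and hands it to /bin/sh.

    Like userData.pl, anything after a shell metacharacter in `doc` is parsed
    by the shell: doc="user1.txt; echo INJECTED" runs a second command, and
    doc="|echo INJECTED" runs it even though cat itself fails.
    """
    cmd = f"cat {DOC_DIR}/{doc}"
    completed = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return completed.stdout


def view_doc_hardened(doc: str) -> str:
    """Same feature with the injection points removed.

    1. Allow-list the name instead of deny-listing metacharacters.
    2. Resolve the path and require it to stay inside DOC_DIR (blocks ../).
    3. Spawn no shell at all. If an external tool were really needed,
       subprocess.run(["cat", str(target)]) with an argument list keeps
       ';' and '|' as plain characters inside one argument.
    """
    if not SAFE_NAME.fullmatch(doc):
        raise ValueError(f"rejected document name: {doc!r}")
    target = (DOC_DIR / doc).resolve()
    if target.parent != DOC_DIR.resolve() or not target.is_file():
        raise ValueError(f"not a document: {doc!r}")
    return target.read_text()


def hardened_accepts(doc: str) -> bool:
    """True if the hardened handler serves the name, False if it rejects it."""
    try:
        view_doc_hardened(doc)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for payload in ("user1.txt", "user1.txt; echo INJECTED", "|echo INJECTED"):
        print(f"{payload!r:28} vulnerable -> {view_doc_vulnerable(payload)!r}")
        print(f"{'':28} hardened   -> accepted={hardened_accepts(payload)}")
```

The hardened version rejects on an allow-list rather than stripping the characters from the list at the top of the page: a deny-list is exactly what a tester iterates through, and a name that fails the pattern is an error, not something to repair.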

PHP code injection

PHP code injection vulnerabilities, also known as PHP code execution vulnerabilities, occur when an attacker can inject and execute arbitrary PHP code within a web application. These vulnerabilities are a serious security concern because they allow attackers to gain unauthorized access to the server, execute malicious actions, and potentially compromise the entire web application.

Malicious Input: Attackers craft input that includes PHP code snippets, often enclosed within PHP tags (<?php ... ?>) or backticks (`).

Code Execution: When the application processes the attacker's input, it includes the injected PHP code as part of a PHP script that is executed on the server.

This allows the attacker to run arbitrary PHP code in the context of the web application.

Command injection: when the value of a query parameter of a .php page is concatenated into a string that is passed to a shell function (system(), exec(), shell_exec() and similar), appending a semicolon followed by an operating system command executes that command. %3B is URL-encoded and decodes to a semicolon.

```text
# Directly injecting operating system commands:
http://sensitive/something.php?dir=%3Bcat%20/etc/passwd
```

PHP code injection works the same way when the parameter is concatenated into a string that is passed to eval():

```text
# Validating that the injection is possible (phpinfo() output in the response confirms it)
http://example.com/page.php?message=test;phpinfo();
# Variant for a parameter placed inside a quoted array index in the evaluated code
http://example.com/page.php?id=1'];phpinfo();

# Executing operating system commands through the injected PHP
# (system() needs a quoted PHP string as its argument)
http://example.com/page.php?message=test;system('cat%20/etc/passwd')
```
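A Python counterpart to the page.php eval() injection, added here as an example (not code from the OWASP guide): calc_vulnerable() evaluates its parameter with eval(), so the same trick as ?message=test;system(...) works with a Python payload, while calc_hardened() walks the expression's syntax tree and applies only numeric literals and arithmetic operators. The calculator feature and the function names are assumptions for illustration.

```python
import ast
import operator

# Operators the hardened calculator is willing to apply. Everything else in the
# syntax tree (names, attribute access, calls, subscripts) is rejected. Pow is
# deliberately absent: 9**9**9 would be a denial of service, not an injection.
_BINARY = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
}
_UNARY = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def calc_vulnerable(expr: str):
    """Code injection sink: eval() accepts any Python expression, so a caller
    can send __import__('os').popen('id').read() instead of arithmetic."""
    return eval(expr)


def calc_hardened(expr: str) -> float:
    """Parse the expression and interpret only the node types we allow.

    Names, attribute lookups and calls are never executed, so there is nothing
    for __import__ or os.popen to attach to; they raise ValueError instead.
    """
    tree = ast.parse(expr, mode="eval")

    def evaluate(node: ast.AST) -> float:
        if isinstance(node, ast.Expression):
            return evaluate(node.body)
        if (
            isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)
        ):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BINARY:
            return _BINARY[type(node.op)](evaluate(node.left), evaluate(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY:
            return _UNARY[type(node.op)](evaluate(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return evaluate(tree)


def expression_accepted(expr: str) -> bool:
    """True if the hardened calculator evaluates `expr`, False if it rejects it."""
    try:
        calc_hardened(expr)
        return True
    except (ValueError, SyntaxError, ZeroDivisionError):
        return False


if __name__ == "__main__":
    payload = "__import__('os').popen('echo INJECTED').read()"
    print("eval():", repr(calc_vulnerable(payload)))
    print("ast walker:", expression_accepted(payload), calc_hardened("2*(3+4)"))
```

Note that the hardened version does not try to filter the input string for dangerous words; it never hands the text to an interpreter at all, which is the same principle as using an argument list instead of a shell for operating system commands.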

Special characters for command injection

The following special characters can be used for command injection:

| ; & $ > < ' !

The > and < characters redirect a command's output and input to files, which is how an injected command writes a web shell or reads a file; a single quote ' closes a quoted string that the input was placed inside; ! triggers history expansion in interactive bash. The separators and substitution forms behave as follows (POSIX sh semantics; process substitution at the end is bash-specific):

```sh
# cmd2 runs whether or not cmd1 succeeds; cmd1's standard output becomes cmd2's standard input.
cmd1|cmd2

# cmd2 runs whether or not cmd1 succeeds (sequential execution).
cmd1;cmd2

# cmd1 is started in the background and cmd2 runs immediately, whether or not cmd1 succeeds.
cmd1&cmd2

# cmd2 runs only if cmd1 fails (non-zero exit status).
cmd1||cmd2

# cmd2 runs only if cmd1 succeeds (zero exit status).
cmd1&&cmd2

# Command substitution: cmd runs and its output is spliced into the command line.
# For example, echo $(whoami) or $(touch test.sh; echo 'ls' > test.sh)
$(cmd)

# Backtick command substitution, the older form of $(cmd). For example, `whoami`
`cmd`

# Process substitution (bash): <(cmd) runs cmd and presents its output as a readable file name,
# >(cmd) presents a writable file name whose contents are fed to cmd's standard input,
# so cmd runs even when the injected text lands in a file-name position.
>(cmd) : >(ls)
<(cmd) : <(ls)
```
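An added check, not part of the OWASP text, that runs the separators above through /bin/sh so the table can be verified rather than memorised: second_command_ran() chains a first command whose exit status we control (true or false) to an echo of a marker string and reports whether the marker appeared, substituted() does the same for the two command substitution forms, and separator_table() computes the whole table. The function names and the MARKER string are assumptions; process substitution is left out because POSIX sh does not support it.

```python
import subprocess

MARKER = "MARKER-7f3a"  # constructed canary, unlikely to appear in normal output


def _sh(command: str) -> str:
    """Run one command line through /bin/sh and return its standard output."""
    completed = subprocess.run(command, shell=True, capture_output=True, text=True)
    return completed.stdout


def second_command_ran(first: str, separator: str) -> bool:
    """Chain `first` to `echo MARKER` with `separator`; True if the echo ran.

    Use first="true" for a succeeding first command and first="false" for a
    failing one. Only stdout is inspected, which is also what a tester sees in
    an HTTP response.
    """
    return MARKER in _sh(f"{first} {separator} echo {MARKER}")


def substituted(form: str) -> bool:
    """True if `form` ("$()" or "``") made the shell run the inner command.

    If substitution happened the outer echo prints MARKER; otherwise it prints
    the literal text, so the marker appears inside other characters instead.
    """
    inner = f"echo {MARKER}"
    wrapped = f"$({inner})" if form == "$()" else f"`{inner}`"
    return _sh(f"echo {wrapped}") == f"{MARKER}\n"


def separator_table() -> dict:
    """separator -> (cmd2 ran after a succeeding cmd1, cmd2 ran after a failing cmd1)."""
    return {
        sep: (second_command_ran("true", sep), second_command_ran("false", sep))
        for sep in ("|", ";", "&", "||", "&&")
    }


if __name__ == "__main__":
    for sep, (after_ok, after_fail) in separator_table().items():
        print(f"cmd1 {sep:2} cmd2   runs after success: {after_ok!s:5}  after failure: {after_fail}")
    print("$(cmd) substituted:", substituted("$()"), " `cmd` substituted:", substituted("``"))
```

The practical consequence for testing: when you cannot predict whether the application's own command succeeds, prefer ; or | as the separator, since || and && only fire on one of the two outcomes.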

Code Review Dangerous API

Be aware of uses of the following APIs: each one either runs a command string through a shell or evaluates source code, so any user input that reaches it is a command or code injection risk.

Java

```java
Runtime.exec()
```

C/C++

```c
system
exec
ShellExecute
```

Python

```python
exec
eval
os.system
os.popen
subprocess.Popen
subprocess.call
```

exec and eval evaluate Python source and are code injection sinks; os.system and os.popen always run their argument through /bin/sh; subprocess.Popen and subprocess.call use a shell only when called with shell=True, but user input that controls the program name or the argument list remains dangerous without it.

PHP

```php
system
shell_exec
exec
proc_open
eval
```

The backtick operator in PHP is equivalent to shell_exec() and should be reviewed the same way.

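A small code-review helper, added here as an example rather than taken from the OWASP guide: it parses Python source and reports the calls in the list above (eval, exec, os.system, os.popen and the subprocess functions), distinguishing subprocess calls made with shell=True from argument-list calls. SAMPLE_SOURCE is a constructed snippet, not real application code, and the function names are assumptions.

```python
import ast

CODE_SINK = "evaluates source code (code injection sink)"
SHELL_ALWAYS = "always runs the string through /bin/sh"
SHELL_TRUE = "shell=True: the string is parsed by /bin/sh"
NO_SHELL = "argument list, no shell; review whether user input controls argv"

# Constructed sample source for the scanner to walk (not real application code).
SAMPLE_SOURCE = '''\
import os, subprocess
doc = request.args["doc"]
os.system("cat " + doc)
listing = subprocess.check_output("ls " + doc, shell=True)
subprocess.run(["cat", doc])
result = eval(request.args["expr"])
print("done")
'''


def _callee(func: ast.AST):
    """Return 'os.system' for os.system(...), 'eval' for eval(...), else None."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


def _shell_true(call: ast.Call) -> bool:
    """True only for a literal shell=True keyword; a variable is reported as no-shell."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def find_dangerous_calls(source: str):
    """Return [(line, callee, note), ...] sorted by line for the dangerous APIs."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee(node.func)
        if name in ("eval", "exec"):
            findings.append((node.lineno, name, CODE_SINK))
        elif name in ("os.system", "os.popen"):
            findings.append((node.lineno, name, SHELL_ALWAYS))
        elif name and name.startswith("subprocess."):
            findings.append((node.lineno, name, SHELL_TRUE if _shell_true(node) else NO_SHELL))
    return sorted(findings)


if __name__ == "__main__":
    for line, callee, note in find_dangerous_calls(SAMPLE_SOURCE):
        print(f"line {line}: {callee}(): {note}")
```

Two limits worth knowing when you run something like this over a code base: the matcher keys on the module name as written, so `from subprocess import run` or `import subprocess as sp` is not recognised, and a `shell=` argument that is a variable rather than a literal is reported as the argument-list case. A real static analyser resolves imports and tracks such values; the point here is to show what the review is looking for.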
Last update: 2024-04-03
Created: December 26, 2023 19:00:18