Command Injection Flashcards

1
Q

What is Command Injection?

A

Command Injection is an abuse of an application's behavior to execute commands on the operating system, using the same privileges that the application is running with on the device.

2
Q

What is an example of Command Injection?

A

Achieving Command Injection on a web server running as a user named “JOE” will execute commands as “JOE”, and therefore with any permissions that “JOE” would have.

3
Q

What does RCE mean and what does it do?

A

RCE stands for Remote Code Execution and can be used to trick an application into executing a series of payloads without having direct access to the machine.

4
Q

What's the difference between Command Injection and XSS?

A

Unlike XSS, with Command Injection the web server is going to execute the commands, under the same user privileges it runs with.

5
Q

Why does this vulnerability happen?

A

It is often because functions in programming languages like PHP and Python are used to pass data and make system calls.

6
Q

How do you determine whether or not a command injection can happen on a web application?

A

You can make the distinction by observing the behavior of the application.

7
Q

What types of Command Injections are you going to be working with primarily?

A

Blind Command Injection: This type of command injection will have no direct output, meaning that you’ll have to investigate the behavior of the application to determine if your injection worked or not.

Verbose Command Injection: This type of command injection will have a direct output once you’ve sent a payload. For example: executing the command whoami will output the username on the page directly.

8
Q

How do you test and detect Blind command injections?

A

There are actually a couple of ways to test whether or not a Blind command injection is possible:

  1. Using the PING or SLEEP commands: ping will slow down an application in proportion to the number of pings you’ve inputted, giving you a slight visual indication in the application.
  2. Redirecting to a file: You can use the redirection operator ‘>’ to execute a command regularly and send the results to a file. This option can be a bit complicated and require multiple attempts through trial and error.
  3. Using the CURL command: The CURL command allows you to deliver data to and from an application, making it very valuable for checking whether or not the injection worked.
9
Q

How do you test and detect Verbose Command Injections?

A

Verbose Command Injections are arguably easier to test and detect, since they do provide some output as feedback.

10
Q

What’re some ways that we can prevent Command Injections?

A

This can be done in several ways; two of the most notable are reviewing user inputs and avoiding dangerous functions that can lead to a vulnerability.

11
Q

What’re some of the Vulnerable Functions?

A

These are PHP functions that interact with the operating system to execute commands via the shell:

  • exec()
  • passthru()
  • system()

There's also a command line cheat sheet:

https://github.com/payloadbox/command-injection-payload-list
