Command injection is a vulnerability in which a web application receives
user input that eventually reaches a system function call, so that the
application executes commands on the host machine to perform operating
system actions. An attacker can use this to obtain information about the
host operating system, gain code execution, and ultimately a shell and an
active session. More about command injection from OWASP:
Input sanitization
Often developers will attempt to mitigate command injection vulnerabilities
using input sanitization. There are several ways to bypass this, for example
by encoding the payload with base64 or xxd. Some examples are provided in the
resources below:
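The contrast the section draws, as an added example (not code from the page or from OWASP): a keyword blocklist of the kind developers reach for first, beside an allowlist check and a shell-free argument vector. The hostname field, the blocklist contents and the sample inputs are constructed for the demonstration; the run helper uses the Python interpreter in place of ping so it works anywhere.

```python
import re
import subprocess
import sys

# Allowlist for the single field this handler accepts: a hostname or IPv4 literal.
# Leading '-' is excluded so the value cannot be read as an option by the child.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

# A naive keyword blocklist (constructed): the weak approach the text describes.
BLOCKLIST = ("whoami", "uname", "cat ")

# Constructed inputs. The second one carries a base64 payload (decodes to "test")
# so that none of the blocklisted keywords appear in the raw request.
CLEAN_INPUT = "203.0.113.7"
ENCODED_INPUT = "203.0.113.7; echo dGVzdA== | base64 -d"


def blocklist_sanitize(value: str) -> bool:
    """True if the input passes the keyword blocklist; encoding defeats this."""
    return not any(bad in value for bad in BLOCKLIST)


def allowlist_validate(value: str) -> bool:
    """True only if the input has the strict shape the field is allowed to have."""
    return HOST_RE.fullmatch(value) is not None


def vulnerable_command(host: str) -> str:
    """The injectable pattern: input concatenated into a string meant for
    shell=True. Only built here, never executed, so the injected text is visible."""
    return "ping -c 1 " + host


def hardened_argv(host: str) -> list:
    """Allowlist first, then an argv list: the host is one argument, never parsed
    by a shell, so ';', '|' and '$' in it have no meaning."""
    if not allowlist_validate(host):
        raise ValueError("rejected host")
    return ["ping", "-c", "1", host]


def run_without_shell(argv_tail: list) -> str:
    """Runs a child with shell=False and returns the arguments it received,
    joined by '|'. Metacharacters arrive as literal text, not as commands."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print('|'.join(sys.argv[1:]))", *argv_tail],
        capture_output=True, text=True, check=True, timeout=10)
    return proc.stdout.strip()
```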
Blind injection
If the host's responses to an executed command are not returned to the
attacker via the web application, we can use methods like sleep to perform
blind injection and determine whether our input is being processed by the
host server.
Shells
With reliable command injection, attackers can create reverse or bind shells on the target through various means. Here are some great resources and snippets for reverse and bind shell payloads on web applications vulnerable to command injection: