Command Injection is a vulnerability that allows an attacker to submit system commands to a computer running a website. This happens when the application fails to encode user input that goes into a system shell. It is very common to see this vulnerability when a developer uses the
system() command or its equivalent in the programming language of the application.
import os domain = user_input() # ctf101.org os.system('ping ' + domain)
The above code when used normally will ping the
But consider what would happen if the
user_input() function returned different data?
import os domain = user_input() # ; ls os.system('ping ' + domain)
Because of the additional semicolon, the
os.system() function is instructed to run two commands.
It looks to the program as:
ping ; ls
The semicolon terminates a command in bash and allows you to put another command after it.
ping command is being terminated and the
ls command is being added on, the
ls command will be run in addition to the empty ping command!
This is the core concept behind command injection. The
ls command could of course be switched with another command (e.g. wget, curl, bash, etc.)
Command injection is a very common means of privelege escalation within web applications and applications that interface with system commands. Many kinds of home routers take user input and directly append it to a system command. For this reason, many of those home router models are vulnerable to command injection.