Command injection is basically injection of operating system commands to be executed through a web-app. The purpose of the command injection attack is to inject and execute commands specified by the attacker in the vulnerable application. In situation like this, the application, which executes unwanted system commands, is like a pseudo system shell, and the attacker may use it as any authorized system user. However, commands are executed with the same privileges and environment as the web application has. Command injection attacks are possible due to lack of correct input data validation, which can be manipulated by the attacker (forms, cookies, HTTP headers etc.).
There is a variant of the Code Injection attack. In code injection, the attacker adds his own code to the existing code. Injected code is executed with the same privileges and environment as the application has.
An OS command injection attack occurs when an attacker attempts to execute system level commands through a vulnerable application. Applications are considered vulnerable to the OS command injection attack if they utilize user input in a system level command.
Used normally, the output is simply the contents of the file requested:
$ ./a.out exploit.txt my name is akash
However, if we add a semicolon and another command to the end of this line, the command is executed by catWrapper with no complaint:
$ ./a.out "exploit.txt; ls" my name is akash exploit.txt doubFree.c nullpointer.c unstosig.c www* a.out* format.c strlen.c useFree* catWrapper* misnull.c strlength.c useFree.c commandinjection.c nodefault.c trunc.c writeWhatWhere.c
The following PHP code snippet is vulnerable to a command injection attack(web app):
The following request and response is an example of a successful attack:
Response Please specify the name of the file to delete uid=33(www-data) gid=33(www-data) groups=33(www-data)
- Ideally, a developer should use existing API for their language. For example (Java): Rather than use Runtime.exec() to issue a ‘mail’ command, use the available Java API located at javax.mail.*
- If no such available API exists, the developer should scrub all input for malicious characters. Implementing a positive security model would be most efficient. Typically, it is much easier to define the legal characters than the illegal characters.
Please write comments if you find anything incorrect, or you want to share more information about the topic discussed above.