Command Injection
Command Injection occurs when an application passes unsafe user input directly into a system
shell or command-line interpreter. The attacker manipulates this input to execute arbitrary
system commands, potentially giving them control over the server.
For example, imagine a web app that lets users check if a server is online by pinging an IP
address. If the app runs a system command like:
ping 192.168.1.1
but does not sanitize user input, an attacker could enter:
192.168.1.1; rm -rf /
which would result in deletion of critical files — a catastrophic outcome.
Demo
This lab demonstrates how Command Injection vulnerabilities can occur in web applications and
how attackers can exploit them to execute arbitrary system commands on a server.
You will interact with a simple PHP-based web page that accepts user input to perform a
network check (e.g., using the curl command). The lab highlights the risk of unsanitized user
input, showing how attackers can manipulate input fields to inject additional commands.
For this example, we will test against either an arbitrary website or our own localhost to see
how a command injection might occur.
We can bypass the pipe (|) that follows our input in the application's command by injecting a
comment symbol (#), and append the whoami command as an argument so the shell runs it as well.
Injecting a comment symbol (#) makes the shell ignore the rest of the legitimate command. This
technique can be escalated into a more sophisticated attack: launching a reverse shell through
the vulnerable web application. First, in your terminal, find your IP address with the ip addr
command. Then start a listener on a port for the incoming connection from the reverse shell
using the command below.
nc -nvlp <port_number>
You can find a comprehensive cheatsheet for launching reverse shells in the
PayloadsAllTheThings GitHub repository. Launch one of the listed payloads to initiate a reverse
shell.
The listener receives the connection: we have successfully obtained a reverse shell on our
terminal through the web application.
Conclusion
Command Injection remains one of the most dangerous web vulnerabilities due to its potential to
grant shell access. By exploiting unsanitized input fields, attackers can execute arbitrary system
commands. Even basic techniques like injecting comment symbols can disrupt normal command
flow. Advanced exploits, such as reverse shells, can lead to full system compromise.
Developers must enforce strict input validation and avoid invoking a shell with user-controlled input.
Follow secure coding practices and rely on parameterized functions or safe APIs that pass arguments to the program directly, without a shell.
Implement monitoring and logging to detect suspicious command executions early.
Regular security testing is essential to prevent exploitation and maintain system integrity.
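As an added example that is not part of the original lab, here is the curl network check from the demo written in Python rather than the lab's PHP: the vulnerable string-concatenation form is kept as a string (returned, never executed) so the effect of the ; and # payloads can be inspected, next to a hardened version that applies the validation, no-shell API and detection hook the conclusion calls for. The function names, the --max-time option and the sample inputs are my own choices, not the lab's.

```python
import ipaddress
import re
import shlex
import subprocess

# Constructed sample inputs: a legitimate target plus the two injection
# shapes from the lab (';' chaining a command, '#' commenting out the tail).
SAMPLE_INPUTS = ["127.0.0.1", "127.0.0.1; whoami", "127.0.0.1 #"]

SUSPICIOUS = re.compile(r"[\s;&|`$(){}<>\\'\"#]")  # shell metacharacters
HOSTNAME = re.compile(r"(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                      r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*")

def vulnerable_command(target: str) -> str:
    """The lab's bug shape: raw input concatenated into one shell string.
    Returned, not executed, so the payloads can be inspected safely."""
    return "curl -sI " + target + " | head -n 1"

def shell_tokens(command: str) -> list[str]:
    """Words a POSIX shell would see (comments stripped): '#' drops the tail."""
    return shlex.split(command, comments=True)

def is_suspicious(raw: str) -> bool:
    """Detection hook for the web tier: log and reject on metacharacters."""
    return SUSPICIOUS.search(raw) is not None

def validate_target(target: str) -> str:
    """Allow-list check: accept only an IP literal or a plain hostname."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        if HOSTNAME.fullmatch(target):
            return target
    raise ValueError(f"rejected target: {target!r}")

def is_valid_target(target: str) -> bool:
    try:
        validate_target(target)
        return True
    except ValueError:
        return False

def safe_argv(target: str) -> list[str]:
    """Hardened form: validated input is a single argv element and no shell
    is involved, so ';', '|' and '#' would be mere bytes in a hostname."""
    return ["curl", "-sI", "--max-time", "5", validate_target(target)]

def run_check(target: str) -> int:
    """Run the hardened check without a shell; returns curl's exit code."""
    return subprocess.run(safe_argv(target), capture_output=True).returncode
```

Note that the hardened path rejects the payloads before curl is ever started; escaping is not needed because no shell parses the argument list.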
https://book.hacktricks.wiki/en/pentesting-web/command-injection.html
https://github.com/swisskyrepo/PayloadsAllTheThings
https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
https://hacktricks.boitatech.com.br/pentesting-web/command-injection