Command Injection

EXPLOITATION

Also known as Remote Code Execution (RCE), a command injection is an exploit in which an application is manipulated into executing commands on the target system. Those commands run with the same privileges as the user that is logged in or operating the application being exploited.

Command injections are a powerful type of exploit because they let the attacker interface directly with the exploited system and, in some cases, view or manipulate system data and programs.

This type of vulnerability consistently ranks among the top three web application vulnerabilities in OWASP's lists because of how widespread it is.

BLIND VS. VERBOSE

Command injection attacks fall into two major categories: blind and verbose.

  • Blind: The application produces no direct output when payloads are tested. The attacker has to look for more indirect indications in the application to determine whether the payload executed successfully.

  • Verbose: The application returns direct output once the payload executes.


DETECTING BLIND INJECTIONS

Because a blind command injection produces no immediate output to confirm that it worked, attackers must take extra steps to gauge whether their payloads are executing on the target system.

Here are some common ways to check a blind injection's success:

  1. Create a time delay using ping or sleep. On Linux, commands like ping can temporarily put an application into a hang (non-responsive) state, so running a command that causes a time delay produces an observable change in the system or application.

  2. Redirect output into a new file and then retrieve that file to see whether the output was written; this creates visible output where none existed before. More information: https://cobalt.io/blog/a-pentesters-guide-to-command-injection
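As an added example (not from these notes or from the linked guide), here is defender-side detection logic that turns the two indicators above into log checks: it flags query-parameter values where a shell separator is followed by a delay command (sleep, ping) or by a file redirect, and corroborates a time-based probe when the server's response time was also slow. The log format, the response-time field, the slow threshold and the sample lines are all assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not from any real system); assumed format is a
# combined-log prefix with the server's response time in seconds as the last field.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:01:02 +0000] "GET /lookup?host=example.com HTTP/1.1" 200 512 0.031
203.0.113.10 - - [12/Mar/2024:10:01:09 +0000] "GET /lookup?host=example.com%3Bsleep%205 HTTP/1.1" 200 512 5.042
203.0.113.10 - - [12/Mar/2024:10:01:20 +0000] "GET /lookup?host=example.com%26%26ping%20-c%2010%20127.0.0.1 HTTP/1.1" 200 512 9.210
203.0.113.10 - - [12/Mar/2024:10:01:31 +0000] "GET /lookup?host=example.com%3Bid%3E/tmp/out.txt HTTP/1.1" 200 512 0.030
198.51.100.7 - - [12/Mar/2024:10:02:00 +0000] "GET /lookup?host=ping.example.net HTTP/1.1" 200 512 0.029
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]+" '
                    r'(?P<status>\d{3}) \S+ (?P<rtime>[\d.]+)$')
# A shell control character is what turns one argument into a second command.
SEPARATOR_RE = re.compile(r"[;&|`\n]|\$\(")
# Delay primitives named in the notes above (sleep, ping) directly after a separator.
DELAY_RE = re.compile(r"(?:^|[;&|`(\s])(sleep|ping|timeout)\s", re.IGNORECASE)
REDIRECT_RE = re.compile(r">{1,2}\s*\S+")  # output redirected into a file
SLOW_SECONDS = 4.0  # assumed threshold for a suspiciously slow response

def classify_value(value, rtime):
    """Return the reasons one decoded parameter value looks like a blind-injection probe."""
    reasons = []
    if SEPARATOR_RE.search(value):
        if DELAY_RE.search(value):
            reasons.append("time-based: separator followed by a delay command")
        if REDIRECT_RE.search(value):
            reasons.append("output-redirection: separator followed by a file redirect")
        if not reasons:
            reasons.append("shell-separator: control character in parameter value")
    # A slow response alongside a suspicious value corroborates that the command ran.
    if reasons and rtime >= SLOW_SECONDS:
        reasons.append(f"slow-response: {rtime:.1f}s")
    return reasons

def find_blind_injection_probes(log_text):
    """Scan access-log text and return one finding per suspicious query parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        rtime = float(m.group("rtime"))
        for name, value in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
            reasons = classify_value(value, rtime)  # parse_qsl already percent-decodes
            if reasons:
                findings.append({"ip": m.group("ip"), "param": name, "value": value, "reasons": reasons})
    return findings
```

Running find_blind_injection_probes(SAMPLE_LOG) reports the sleep, ping and redirect probes and leaves the benign host names alone; the plain hostname containing the word "ping" is not flagged because no separator precedes it.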


USEFUL PAYLOADS

Below are some useful basic payloads from TryHackMe's Command Injection room.

Here is a more comprehensive payload cheat sheet.