Overview

A Command Injection vulnerability is an escape string or format string vulnerability occurs when unsanitized user input is passed to a system shell (system(), exec() etc). An attacker can exploit this vulnerability with a command sequence appended to the appropriate format or escape string to execute arbitrary commands. An attacker exploiting this vulnerability may as well have a remote shell.

Testing for Injection

Testing for command injections is possible by attaching a command to any of the following escape strings.

•  ;
• |
• &
• &&

• ``
• $()

Example vulnerability

This code is vulnerable. Do not use as a whois tool on your site.

  $whois=system("whois {$_GET['domain']}");
  echo($whois);

Exploitation

UNIX

On a UNIX shell, commands can be injected in a number of ways. Using a semicolon, which delimits commands:

 cd ~; ls

Using an ampersand, a control operator:

 cd ~ && ls

Using a pipe, a bash operator for stringing commands together:

 ls | grep filename

Or using backticks or a $ for command substitution

 ls /home/$(whoami)

or

 ls /home/`whoami`

An attacker could use any of these to inject and execute a command using the above script by requesting:

 /whois.php?domain=www.google.com;cat /etc/passwd

Perl

A slightly lesser known command injection technique uses Perl's open() function. This is useful for exploiting CGI scripts.

In addition to system() and exec(), Perl's open() function can also execute commands, because it is used to open pipes. In this case, you can use | as a delimiter, because Perl looks for | to indicate that open() is opening a pipe. An attacker can hijack an open() call which otherwise would not even execute a command by adding a | to his query.