Questions about this topic? Sign up to ask in the talk tab.

Command Injection

From NetSec
Revision as of 05:19, 20 November 2010 by WillieArce (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
This article needs to be cleaned up, rewritten, updated or removed.

Overview

A Command Injection vulnerability occurs when unsanitized user input is passed to a system shell (system(), exec() etc).

UNIX

Consider this simple script which displays the output of the UNIX whois command:

<syntaxhighlight lang="php"> <?php $whois=system("whois $_GET['domain']"); echo($whois); ?> </syntaxhighlight>

On a UNIX shell, commands can be injected in a number of ways. Using a semicolon, which delimits commands: 

 cd ~; ls

Using an ampersand, a control operator: 

 cd ~ && ls

Using a pipe, a bash operator for stringing commands together: 

 ls | grep filename

Or using backticks or a $ for command substitution 

 ls /home/$(whoami)

or 

 ls /home/`whoami`

An attacker could use any of these to inject and execute a command using the above script by requesting: 

 /whois.php?domain=www.google.com;cat /etc/passwd

Windows

Perl

A slightly lesser known command injection technique uses Perl's open() function. This is useful for exploiting CGI scripts.

In addition to system() and exec(), Perl's open() function can also execute commands, because it is used to open pipes. In this case, you can use | as a delimiter, because Perl looks for | to indicate that open() is opening a pipe. An attacker can hijack an open() call which otherwise would not even execute a command by adding a | to his query.

Retrieved from "http://nets.ec/index.php?title=Command_Injection&oldid=741"