What are Command Injection Vulnerabilities?

Introduction

Command injection vulnerabilities are one of the most dangerous web vulnerabilities. Many security testers and bounty hunters aim to find command injection vulnerabilities due to the impact they can create on the target application. 

This article will provide an overview of command injection vulnerabilities, along with an introduction to various vulnerabilities that can eventually lead to command injection.

What is command injection?

Command injection is a type of web vulnerability that allows attackers to execute arbitrary operating system commands on the server, where the application is running. Command injection vulnerabilities occur when the applications make use of shell commands or scripts that execute shell commands in the background. 

Let’s consider the following URL of an application, which performs base64-encoding of user input.

http://target-site.com/encode.php?text=helloworld

This user input is passed as a get parameter to the encode.php file.

The following is the source code of encode.php:

<?php

$input=$_GET[‘text’];

system(“echo -n”. $input.” | base64″);

?>

As we can notice from the preceding code snippet, the user input is passed to the php system() function, which is used to execute operating system commands in PHP. 

If a user appends a system command to the input, it will be executed as an operating system command, which looks like this:

http://target-site.com/encode.php?text=test;id

The following is the response returned to the user:

testdWlkPTMzKHd3dy1kYXRhKSBnaWQ9MzMod3d3LWRhdGEpIGdyb3Vwcz0zMyh3d3ctZGF0YSkK

As we can see, the word test is not encoded but there is a long encoded text returned in response. Decoding this text looks like this:

$ echo -n “dWlkPTMzKHd3dy1kYXRhKSBnaWQ9MzMod3d3LWRhdGEpIGdyb3Vwcz0zMyh3d3ctZGF0YSkK” | base64 -d

uid=33(www-data) gid=33(www-data) groups=33(www-data)

$

As you can see, the encoded text is the output of the id command passed to the application. 

Why are command injection vulnerabilities dangerous? 

The command injection class of vulnerabilities is considered one of the most dangerous web vulnerabilities because they give control on the underlying operating system to an attacker. This control can be used in several different ways, including lateral movement through the internal network using the trust the target server has with other systems on the network.

Vulnerabilities that can lead to command execution

While command execution vulnerabilities occur when the vulnerable application allows the end user to extend the application’s default functionality and execute system commands, it is also possible to execute commands through the application’s code. This is commonly known as code execution. Even when there is a code execution vulnerability, the end goal is to execute arbitrary system commands through it. Considering that, let’s discuss some of the vulnerabilities that can lead to command execution through command injection or code execution.

The following are some of the vulnerabilities that can eventually lead to command injection attacks.

Arbitrary command injection

As we discussed in our previous example, it is possible for applications to have applications that receive arbitrary system commands from the user directly and execute them on the underlying host. This is a class example of command injection vulnerability. 

Arbitrary file uploads

When applications allow users to upload files with arbitrary file extensions, it can lead to command injection when these uploaded files are placed within the webroot. This is yet another common way web applications can become vulnerable to command injection.

Insecure serialization

Aside from the standard command injection vulnerabilities, arbitrary command execution can also be possible using other vulnerabilities such as insecure deserialization. This takes advantage of the fact that the server-side code deserializes the serialized content passed by the user, without properly validating it. Even though this is commonly known as insecure serialization class of vulnerabilities, it eventually leads to command injection if the target application meets certain requirements such as appropriate gadgets being available in the class path.

Server-side template injection

When web applications use server-side templating technologies such as Jinja2 or Twig to generate dynamic HTML responses, it is possible to have server-side template injection. SSTI vulnerabilities occur when user input is embedded in a template in an unsafe manner and it results in remote code execution on the server.

XML external entity injection

XML external entity vulnerability is another type of vulnerability, which occurs against applications that parse user-controlled XML input using a weakly configured XML parser. XXE vulnerabilities usually lead to reading arbitrary files from the server and causing Denial-of-Service attacks. 

However, they can also lead to command execution on the server when certain conditions are met. For example, if PHP expect:// wrapper is enabled on the target vulnerable server, it is possible to execute arbitrary commands on the server.

Please note that this is not an exhaustive list of vulnerabilities that can lead to command injection and there are several other vulnerabilities that can lead to command injection when they meet certain conditions.

Conclusion

It is apparent that there are several different vulnerabilities that can lead to command execution on the server. Developers must be aware of these command injection vulnerabilities due to the fact that these vulnerabilities are of high impact, as they can give full control on the underlying infrastructure. 

In the next few articles of this series, we will cover some more command injection-related concepts such as identifying and exploiting blind command injection.

 

Sources

  1. Command Injection, OWASP
  2. XML External Entity (XXE) Processing, OWASP
  3. WSTG – Stable, OWASP
  4. A8:2017-Insecure Deserialization, OWASP

Be Safe

Section Guide

Srinivas

View more articles from Srinivas

Section Guide

Srinivas

View more articles from Srinivas