Command injection is the injection of operating system commands that are then executed through a web application. The purpose of a command injection attack is to inject and execute commands chosen by the attacker inside the vulnerable application. In a situation like this, the application that executes the unwanted system commands behaves like a pseudo system shell, and the attacker can use it as if they were an authorized system user. The injected commands, however, run with exactly the privileges and environment of the web application itself. Command injection attacks are possible because of missing or incorrect validation of input data that the attacker controls (form fields, cookies, HTTP headers, etc.).
Command injection is a variant of the code injection attack. In code injection, the attacker adds their own code to the existing code, and the injected code is executed with the same privileges and environment as the application.
An OS command injection attack occurs when an attacker manages to execute system-level commands through a vulnerable application. An application is considered vulnerable to OS command injection if it places user input into a system-level command.
Used normally, the output is simply the contents of the file requested:
$ ./a.out exploit.txt
my name is akash
However, if we add a semicolon and another command to the end of this line, the appended command is executed by catWrapper without complaint:
$ ./a.out "exploit.txt; ls"
my name is akash
exploit.txt doubFree.c nullpointer.c unstosig.c www* a.out* format.c strlen.c useFree* catWrapper* misnull.c strlength.c useFree.c commandinjection.c nodefault.c trunc.c writeWhatWhere.c
The following PHP code snippet is vulnerable to a command injection attack (web app):
The following request and response are an example of a successful attack:
Response:
Please specify the name of the file to delete
uid=33(www-data) gid=33(www-data) groups=33(www-data)
- Ideally, a developer should use the existing APIs of their language instead of spawning a shell. For example (Java): rather than using Runtime.exec() to issue a ‘mail’ command, use the Java API available in javax.mail.*
- If no such API exists, the developer should scrub all input for malicious characters. Implementing a positive security model (an allow-list) is the most effective approach: it is usually much easier to define the legal characters than to enumerate every illegal one.
This article is contributed by Akash Sharan.