What is Command Injection?
7 minute(s) read
Published on: Oct 30, 2021
Updated on: Mar 04, 2022
You probably know what each of the two words means on its own, but not necessarily what the expression means in web security. This article explains exactly what command injection is, shows some examples of it, describes the consequences it can have for you, and covers what you should do to protect your system against it. As the word "injection" suggests, it is not something harmless. If you are curious about this vulnerability, read on.
Injection vulnerabilities in general can be seen as a deviation from the ordinary course of operations. A command injection attack begins with the attacker sending operating-system commands such as whoami or cp to the victim server, usually through a web application that the server runs and that is vulnerable. The attack relies on a failure to validate input, including values submitted through user input forms. By injecting commands through those inputs, the attacker reaches the victim server's command line, can collect information from it, and can execute arbitrary code remotely (remote code execution, RCE).
What is the difference between this attack and code injection?
Command injection and code injection are both subsets of the injection class of vulnerabilities. In a code injection vulnerability the attacker injects code that the application itself interprets and executes alongside its normal logic, for example through a PHP eval() or a Python exec() of user input; the attacker's reach is therefore tied to that language and to the context in which the vulnerable code runs, even though it can often be escalated to system commands from there. In a command injection vulnerability the attacker injects an operating-system command into a command line that the application builds and hands to the shell, on top of the commands the application meant to run. The attacker does not interact with the application's source code at all; the input goes straight to the shell, so any command the server's account can run is available. That is why command injection is usually treated as the more direct route to control of the server.
What is the value and position of this attack among other vulnerabilities?
Command injection is classed as a dangerous vulnerability because it lets the attacker execute commands on the victim's command line. In recent years, with architectures such as RESTful APIs, it has become harder to find: in most newer designs the client side runs separately from the server side and the two communicate by exchanging HTTP requests, application code relies largely on open-source libraries, and it is less common for developers to execute user input directly as a server command. Even so, many systems still hand poorly controlled input to the shell, and through the commands they enter in such inputs attackers can move from the role of an ordinary user to high-level access on the victim server.
How can these attack vulnerabilities be investigated?
As mentioned earlier, this vulnerability is based on the attacker's input reaching the victim server's command line and being executed there. So, as a tester, our whole effort goes into getting a command of our own executed. Shell separators and logic operators are usually the most useful tools here, because they let us run another command after the one the application intended, or inject a command over the original one. The characters that help most are the separators ; & && | || and a newline, plus command substitution with backticks or $( ).
The first of these, the & separator, gives one of the simplest tests: & ping -c 10 127.0.0.1 &
Notice that one & is placed at the beginning and one at the end. This separates the injected command from whatever comes before and after it in the application's own command line, so that the surrounding commands still run without a syntax error. The injected command makes the victim ping itself ten times; the question is whether we can observe that happening.
If nothing changes, the input is not vulnerable, or at least not in a way visible from this probe. But if ping's output comes back in the response, or the response is delayed by roughly the ten seconds those ten pings take, the input is vulnerable on the victim's side.
Is the reaction of the victim system to the injection of the command by the hunter always visible?
In some cases, injecting a command and having it executed on the server side does not return any output to us. That does not mean the application is not vulnerable. To exploit the vulnerability in these situations we use the general approach known as blind command injection: we observe the result of the command in some other way, such as a measurable time delay, a DNS lookup to a host we control, or writing the command's output to a file that is reachable from outside.
For example, since we know the output of the commands we inject will not be returned to us, we inject the whoami command, which prints the user name the application runs as, with its output redirected to a file: & whoami > /var/www/static/whoami.txt &
Here the result of the command is saved in a file called whoami.txt. How can we access this file now?
To answer this, we first need to know that web servers typically have a directory for static files such as images, and anything placed in that directory is served directly. If the file is written there, it can be fetched over HTTP, for example at https://vulnerable-website.com/whoami.txt. The path /var/www/static in the injected command was chosen because it is the static-files directory of the web server running on the victim; on a different server the directory may be elsewhere, so this path is an assumption that has to be confirmed for each target.
What are the ways to remove this Injection vulnerability?
As the name implies, this vulnerability lets the attacker execute arbitrary commands. One way such commands reach the victim server is through the application's form inputs. If user input (whatever the user types into form fields) is not controlled, the attacker can seize the opportunity and send a command to the server in place of an ordinary value.
The question that arises is: if inputs are not controlled, is a command injection vulnerability certain?
No. Missing input control only increases the likelihood of this vulnerability, along with the other vulnerabilities that stem from it. Although unvalidated input opens the way to finding and exploiting command injection, the application is only exploitable if the value that reaches the server is passed to the shell unchanged or with minimal modification as part of a command. In that case the attacker can easily inject their own commands over the intended one.
Therefore, the ways to eliminate this vulnerability are:
- Control and validate user input: check each value against an allowlist of what it is supposed to contain (for example, only the characters of a host name) and reject anything else, rather than trying to strip or escape shell metacharacters.
- Never execute user input as part of a shell command line on the server side: call the program directly with an argument list, so the value is always a single argument and is never parsed by a shell, or avoid spawning system commands altogether when a library can do the same job.
In general, the nature of injection vulnerabilities can be described as a deviation from a system's ordinary course of operations, and what causes that deviation is exactly the data that gets injected into the system's routine. Command injection can be the gateway to further compromise such as remote code execution, which is why it matters: it can give the attacker high-level access to the victim's server. Discovery and exploitation of command injection can be done manually, and the separators, probes and blind techniques described above are the tools to do it with.
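The following Python block is an added example, not code from the original article. It puts the article's pieces side by side: a vulnerable handler that concatenates user input into a shell command, the visible probe from the detection section (a separator followed by a command whose output we look for), the blind variant that redirects output into the web server's static directory, and a hardened handler that applies the two fixes listed above. All names, the use of echo and "id -u" in place of ping and whoami (so it runs offline and deterministically), and the temporary directory standing in for /var/www/static are assumptions made for this example.

```python
import os
import re
import subprocess
import tempfile

# Constructed values for this example (not from the original article).
STATIC_DIR = tempfile.mkdtemp()                       # stands in for /var/www/static
EXPECTED_UID = str(os.getuid())                       # what "id -u" will print
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")  # allowlist for a host name


def lookup_vulnerable(host: str) -> str:
    """Vulnerable handler: the user value is pasted into a shell command string
    and run through /bin/sh. 'echo' stands in for the article's ping; the shell
    parses separators in 'host' exactly the same way."""
    cmd = f"echo resolving {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_safe_host(host: str) -> bool:
    """Allowlist validation: only characters a host name may contain. Separators
    such as ; & | and command substitution are rejected, not escaped."""
    return HOST_RE.fullmatch(host) is not None


def lookup_hardened(host: str) -> str:
    """Hardened handler: validate first, then pass argv as a list with no shell,
    so the value is always one argument and is never parsed for separators."""
    if not is_safe_host(host):
        raise ValueError("rejected host value: %r" % host)
    return subprocess.run(["echo", "resolving", host],
                          capture_output=True, text=True).stdout


def visible_probe(handler) -> bool:
    """The article's first test: inject a separator plus a command and look for
    that command's output in the response."""
    try:
        out = handler("127.0.0.1; echo INJECTED")
    except ValueError:
        return False
    return "INJECTED" in out


def blind_probe(handler) -> str:
    """The article's blind variant: when output is not echoed back, redirect it
    into the static directory and read the file afterwards (here from disk;
    against a real target this would be an HTTP GET for /whoami.txt)."""
    target = os.path.join(STATIC_DIR, "whoami.txt")
    if os.path.exists(target):
        os.remove(target)
    try:
        handler(f"127.0.0.1; id -u > {target}")     # "id -u" in place of whoami
    except ValueError:
        return ""
    if not os.path.exists(target):
        return ""
    with open(target) as fh:
        return fh.read().strip()


if __name__ == "__main__":
    print("vulnerable, visible probe:", visible_probe(lookup_vulnerable))
    print("vulnerable, blind probe:  ", blind_probe(lookup_vulnerable))
    print("hardened, visible probe:  ", visible_probe(lookup_hardened))
    print("hardened, blind probe:    ", repr(blind_probe(lookup_hardened)))
```

The hardened handler does two independent things, and both matter: the allowlist stops the attacker's separators from ever reaching a command, and the argv list means that even a value which slipped past validation would be handed to echo as a single literal argument rather than parsed by a shell. Escaping metacharacters while keeping shell=True is a weaker fix, because every shell has corner cases the escaping routine may not know about.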