What is a command injection?
A command injection is a vulnerability that can be found in any application that has access to the underlying system. In a web application, a command injection occurs when the server uses a user's input to execute a command on the system without sanitizing it. The system runs this command in a shell and sends the result to the server, which returns it to the user.
Impact
Because it gives access to the server's operating system, a command injection can have very serious consequences.
- Exfiltration of files: A hacker can send files back to their browser, which allows them to read the site's source code and find other vulnerabilities, or dump the database.
- Modification of files: In addition to exfiltrating files, the hacker can edit and delete them.
- System overload: By launching specific commands, it is easy to crash a system.
- Installing a backdoor: The hacker can create files on the server and insert code that lets them reconnect whenever they want, so that entering commands becomes much easier.
1. Basic use of a PHP ping form
In order to show how to exploit a command injection, I will use a form on a web page where you enter a domain name and retrieve information such as its creation date and the email address and phone number of the owner.
2. Vulnerability detection
3. Exploitation of the injection
- whoami: It tells you which user executed the command.
- pwd: It returns the directory the user is currently in.
- ls -la [folder]: It lists the files in a folder. The -la option adds hidden files to the result and displays their properties (owner, execution rights, date of creation, etc.).
To prevent command injections, OWASP gives the following advice:
- Avoid calling system commands: the language usually provides a built-in function that does the same job as the system command, and using it is more secure.
- Escape malicious patterns: use functions such as PHP's escapeshellarg(), which sanitizes the user's input before it reaches the shell.
- Use a whitelist of allowed values: this restricts the user's input and prevents all command injections if it is configured correctly.
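The ping form from the practical case, written as an added example that is not part of the original article: a vulnerable version that concatenates the user's input into the shell command, beside a hardened version that applies the advice above (a hostname whitelist first, escapeshellarg() as a second layer). The function names and the sample inputs are constructed for this illustration.

```php
<?php
// Vulnerable: the user's value is concatenated straight into the shell
// command, so an input such as "example.com; whoami" runs a second command.
function ping_vulnerable(string $host): string
{
    $out = shell_exec("ping -c 1 " . $host);
    return is_string($out) ? $out : '';
}

// Whitelist: accept only syntactically valid hostnames (labels of letters,
// digits and hyphens, separated by dots, at most 253 characters in total).
function is_valid_hostname(string $host): bool
{
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    $label = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return preg_match('/^' . $label . '(\.' . $label . ')*$/', $host) === 1;
}

// Hardened: reject anything outside the whitelist, then escape the argument
// so that even a bug in the whitelist cannot turn it into shell syntax.
function ping_hardened(string $host): string
{
    if (!is_valid_hostname($host)) {
        throw new InvalidArgumentException('Invalid hostname: ' . $host);
    }
    $out = shell_exec('ping -c 1 ' . escapeshellarg($host));
    return is_string($out) ? $out : '';
}

// Demonstration on constructed inputs. Nothing is executed here; the loop only
// shows the whitelist verdict and what escapeshellarg() would pass to the shell.
$inputs = [
    'example.com',               // legitimate
    'example.com; whoami',       // ';' appends a second command
    'example.com && ls -la /',   // '&&' chains a second command
];
foreach ($inputs as $input) {
    $verdict = is_valid_hostname($input) ? 'accepted' : 'rejected';
    echo str_pad($verdict, 8) . ' | escaped as ' . escapeshellarg($input) . PHP_EOL;
}
```

Only the first input passes the whitelist; the other two are rejected before any command is built, and the escaped form shows that even if they reached the shell they would be passed as one quoted argument rather than as operators.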
R&S®Cloud Protector versus command injection
To counter the injections of commands, R&S®Cloud Protector offers several solutions:
- Detection of escaping characters and commands:
R&S®Cloud Protector inspects the submitted input and blocks requests that contain the operators used to append arbitrary commands, as seen in the practical case. At the same time, R&S®Cloud Protector also checks whether any word in the query is an executable (Windows – Linux) and blocks it if necessary.