Before looking at how the Command Execution vulnerability is exploited, we first explore its definition.
What is Command Execution?
Command execution here means operating system (OS) commands being run by the web application, triggered from the browser. It is also called OS Command Injection.
Command injection is an attack in which the goal is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.
Vulnerability: Command Execution
OS Command Injection is a critical vulnerability that allows attackers to gain complete control over an affected website and the underlying web server.
OS command injection vulnerabilities arise when an application incorporates user data into an operating system command that it executes. In other words, an attacker can manipulate the data to cause their own commands to run. This allows the attacker to carry out any action that the application itself can carry out, including reading or modifying all of its data and performing privileged actions.
Many websites use command-line tools to read files, send email, and perform other tasks.
Example of Command Injection:
First we go to this site: https://www.hacksplaining.com/
Find the parameter that is passed to the command.
There is a search parameter available; let’s check whether the parameter is vulnerable or not.
We check whether the nslookup command works on this input.
Now we try a simple command such as echo HAXXED.
It prints HAXXED on the screen.
This is the vulnerable code of this site.
Notice how the ‘domain’ parameter is taken from the GET request and immediately interpolated into a command string.
Now we try another command to check which users exist on this system.
We use the cat /etc/passwd command; /etc/passwd is the Linux file that contains the list of system accounts present on the OS.
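The interpolation pattern described above ("the ‘domain’ parameter is taken from the GET request and immediately interpolated into a command string"), next to a hardened version of the same lookup that follows the "Restrict the Permitted Commands" advice below, as an added Python example. This is not the exercise's own code, whose real handler is not shown on this page; `vulnerable_command`, `build_lookup_argv`, `run_lookup`, the hostname regex and the `ALLOWED_TYPES` table are this example's own names and assumptions.

```python
import re
import subprocess

# --- Vulnerable form: the pattern the walkthrough describes. The request
# parameter is dropped straight into a shell command line, so anything the
# shell treats specially (';', '|', '`', '$(...)') becomes part of the command.
def vulnerable_command(domain: str) -> str:
    return f"nslookup {domain}"   # a shell would run this whole string


# --- Hardened form: user input only ever selects among values we enumerate,
# and the process is started without a shell.

# Accept only strings that look like a hostname (RFC 1123 labels, no leading
# or trailing '-', dot-separated, at most 253 characters). Assumed policy.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)

# The record type is chosen from a fixed table: the user picks a key, the flag
# itself is always one of our own string literals (nslookup's -type= option).
ALLOWED_TYPES = {
    "A": "-type=A",
    "AAAA": "-type=AAAA",
    "MX": "-type=MX",
    "NS": "-type=NS",
}


def is_valid_hostname(domain: str) -> bool:
    return HOSTNAME_RE.fullmatch(domain) is not None


def build_lookup_argv(domain: str, record_type: str = "A") -> list:
    """Return the argv list for the lookup, or raise ValueError on bad input."""
    if not is_valid_hostname(domain):
        raise ValueError("rejected: not a valid hostname")
    flag = ALLOWED_TYPES.get(record_type.upper())
    if flag is None:
        raise ValueError("rejected: unsupported record type")
    # A valid hostname cannot begin with '-', so it can never be read as an option.
    return ["nslookup", flag, domain]


def execute(argv: list) -> str:
    """Default runner: start the program directly (no shell) and return stdout."""
    return subprocess.run(argv, capture_output=True, text=True, timeout=10).stdout


def run_lookup(domain: str, record_type: str = "A", runner=execute) -> str:
    """Validate first, then run. 'runner' is injectable so the logic can be checked offline."""
    return runner(build_lookup_argv(domain, record_type))


if __name__ == "__main__":
    print(vulnerable_command("example.com; echo HAXXED"))  # what the shell would see
    print(build_lookup_argv("example.com", "mx"))
    try:
        build_lookup_argv("example.com; echo HAXXED")
    except ValueError as err:
        print(err)
```

The two defences are independent and both matter: the argv list keeps the shell out of the picture entirely, and the hostname check stops the value from being interpreted as an nslookup option or from carrying anything other than a name. Validation of the type is done by lookup in a table of literals, which is exactly the "enumerate permitted values" approach rather than sanitising free-form input.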
- Restrict the Permitted Commands
Try to construct all or most of your shell commands using string literals rather than user input. Where user input is required, try to whitelist permitted values, or enumerate them in a conditional statement.
- Perform Thorough Code Reviews
Check system calls for vulnerabilities as part of your code review process. Vulnerabilities often creep in over time; make sure your team knows what to look for.
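One way to make "knows what to look for" concrete in a code review, as an added example that is not from the original page: a small Python scanner over constructed source lines that flags calls which hand a command to a shell or start a process, and marks those whose command string is assembled from variable data on the same line. The sink and interpolation patterns below are this example's own assumptions, the sample lines are constructed, and the check is line-local, so a command string built in one place and passed in a variable elsewhere is reported only as a sink, not as dynamic.

```python
import re

# Sinks that hand a command string to a shell or start a process, by language.
# Order matters: more specific patterns come first; one finding per line.
SINK_PATTERNS = [
    (re.compile(r"\bos\.system\s*\("), "python os.system"),
    (re.compile(r"\bsubprocess\.\w+\s*\(.*\bshell\s*=\s*True"), "python subprocess shell=True"),
    (re.compile(r"\bchild_process\.exec\s*\(|\bexecSync\s*\("), "node child_process.exec"),
    (re.compile(r"`[^`]+`"), "backtick command"),
    (re.compile(r"\b(?:exec|shell_exec|system|passthru|popen)\s*\("), "exec-style call"),
]

# Signs that the command string is assembled from variable data rather than
# written as a single literal.
DYNAMIC_PATTERNS = [
    re.compile(r"#\{"),                       # Ruby interpolation
    re.compile(r"\$\{"),                      # JS template / shell-style interpolation
    re.compile(r"\bf['\"]"),                  # Python f-string
    re.compile(r"\.format\s*\("),             # str.format
    re.compile(r"%\s*\("),                    # printf-style %
    re.compile(r"\+\s*\w"),                   # string concatenation
    re.compile(r"\$_(?:GET|POST|REQUEST)"),   # PHP request data
    re.compile(r"\bparams\[|\breq\.(?:query|body|params)\b"),  # Rails / Express input
]


def review_source(lines):
    """Return (line_no, sink_name, 'dynamic'|'static') for each line that calls a sink."""
    findings = []
    for number, line in enumerate(lines, 1):
        for pattern, sink_name in SINK_PATTERNS:
            if pattern.search(line):
                dynamic = any(p.search(line) for p in DYNAMIC_PATTERNS)
                findings.append((number, sink_name, "dynamic" if dynamic else "static"))
                break
    return findings


def dynamic_findings(lines):
    """Only the sinks whose command string is built from variable data: review these first."""
    return [f for f in review_source(lines) if f[2] == "dynamic"]


# Constructed sample source (a mix of languages, as a reviewer might see in one diff).
SAMPLE_SOURCE = [
    "def lookup(domain):",
    '    return os.system("nslookup " + domain)',          # shell + concatenation
    "    subprocess.run(['nslookup', domain])",            # argv list, no shell
    "",
    "`nslookup #{params[:domain]}`",                       # Ruby backticks + interpolation
    "os.system('uptime')",                                 # shell, but a fixed literal
    "child_process.exec('ping ' + req.query.host)",        # Node exec + concatenation
]

if __name__ == "__main__":
    for number, sink, kind in review_source(SAMPLE_SOURCE):
        print(f"line {number}: {sink} ({kind})")
```

Run over the sample, lines 2, 5 and 7 come out as dynamic sinks, line 6 as a static one, and line 3 is not reported at all because an argv list never reaches a shell. A scan like this is a prompt for the reviewer, not a verdict: a static literal handed to a shell is still worth a second look, and anything the patterns do not cover is exactly what the team needs to know to look for by hand.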