PentesterLab Command Injections

Hello, in this article I'm going to show you the command injection vulnerability. I'll be using PentesterLab for this. You can download it here. Let's get started.

So what is command injection? According to OWASP: Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application.

In short, it's a vulnerability that lets you execute a command on the server.

Example 1

In the video I recorded, we have an application that lets us ping an address. We know the application runs a console command behind the scenes. Here we can't escape from the ping command itself; it will ping eventually, but we can add a second command by putting ';' at the end of the first one, in this case right after the ping. This method allows you to execute another command.

For this example our payload is ip=<IP>;<new command>

What the new command is, is up to your imagination.

Example 2

This example has just a small difference. Here the developer added a regex check for the IP address, but didn't add any check for a new line. If you append a URL-encoded new line to the end of the IP address, followed by a command, that command will be executed.

ip=<ip>%0Aid

Example 3

In Example 2 the code called die() when the check failed; here, if the IP doesn't match, it automatically pings 127.0.0.1 instead. There still isn't any check for a second command, so we can execute a command, but we won't see its output. If you'd like to see something, you can use a tool like Burp Suite as shown below.
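To show the defender's side of Examples 1 to 3, here is an added Python example that is not part of the original post or of PentesterLab's own code. It assumes the weak check in Example 2 was a multiline regex (which is why a newline slips past it), and contrasts the unsafe string-building with strict IP validation plus a no-shell argument list.

```python
import ipaddress
import re
import subprocess

# Assumption: the Example 2 check was a multiline '^...$' regex. With
# re.MULTILINE, '$' matches before any newline, so only the first line is
# validated and "127.0.0.1\nid" is accepted.
WEAK_IP_RE = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$", re.MULTILINE)

def weak_check(ip: str) -> bool:
    """Regex check that blocks ';' but lets a newline-separated command through."""
    return WEAK_IP_RE.search(ip) is not None

def vulnerable_command(ip: str) -> str:
    """How the vulnerable app builds its command: raw input concatenated into a
    shell string, so ';' (Example 1) or a newline (Examples 2 and 3) starts a
    second command. Returned as a string here; never pass this to a shell."""
    return "ping -c 2 " + ip

def strict_check(ip: str) -> bool:
    """Strict validation: the entire string must parse as one IPv4 address.
    ipaddress rejects trailing newlines, ';', spaces and anything else."""
    try:
        ipaddress.IPv4Address(ip)
        return True
    except ValueError:
        return False

def safe_argv(ip: str) -> list:
    """Build argv for subprocess without a shell: the address is a single
    argument, so shell metacharacters have no meaning even if validation
    were to regress."""
    if not strict_check(ip):
        raise ValueError("invalid IPv4 address")
    return ["ping", "-c", "2", ip]

def run_ping(ip: str) -> int:
    """Run the ping safely (no shell=True) and return its exit code."""
    return subprocess.run(safe_argv(ip), check=False).returncode

SUSPICIOUS = (";", "\n", "\r", "|", "&", "`", "$(")

def looks_injected(ip_param: str) -> bool:
    """Detection helper for request logs: flag an 'ip' parameter that carries
    command separators, e.g. the %0A from Example 2 once URL-decoded."""
    return any(token in ip_param for token in SUSPICIOUS)
```

Feeding the decoded query value into looks_injected() over access logs is a cheap way to spot Example 2 and 3 style requests, which produce no visible error in the blind case.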

I hope it's been understandable. See you!!
