What is the shell injection or command injection attack?
Sometimes, a web application takes input from a user, executes corresponding commands on the server, and displays the output. A shell injection attack or command injection attack is an attack in which an attacker takes advantage of vulnerabilities of a web application and executes an arbitrary command on the server for malicious purposes.
How does the shell injection or command injection attack work?
Suppose a web application takes the name of a file from a user as input and displays its content, and that it implements this functionality with the following piece of PHP code (the string quoting in the original listing is repaired here; the code is otherwise kept as written, including the injection flaw it is meant to demonstrate):

<?php
print("Please specify the name of the file: ");
$file = $_GET['filename'];   // untrusted input, used below without any validation
system("cat $file");         // the input is interpolated straight into a shell command line
?>
So, if a user gives an input ‘profile.txt’, the corresponding file will be displayed.
But suppose an attacker gives the input ‘profile.txt; ls;’. The shell runs cat on profile.txt and then runs ls, listing all files in the directory where profile.txt is kept. Or even worse, the attacker can give the input ‘profile.txt; rm -rf /;’, and this will delete all files in the root directory that the web server process has permission to remove.
The following are the most common shell operators used to exploit this vulnerability:
- command 1 ; command 2 – to execute the commands sequentially, whether or not command 1 succeeds
- command 1 | command 2 – to pipe the output of command 1 into command 2 (here, some malicious command)
- command 1 `command 2` – to run command 2 first and substitute its output into the arguments of command 1
- command 1 $(command 2) – the same as backticks: the output of command 2 becomes arguments of command 1
- command 1 && command 2 – to execute command 2 if and only if command 1 is successful
- command 1 || command 2 – to execute command 2 only in case command 1 is not successful
- command 1 > filename – to overwrite filename with the output of command 1
- command 1 < filename – to feed the contents of filename to command 1 on its standard input
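The following is an added example, not code from the original article. It places the vulnerable handler from the listing above next to a hardened version that validates the file name against an allowlist, confines it to one directory, and reads the file without spawning a shell at all, and it adds a small helper that reports which of the operators from the list appear in an input so that rejected requests can be logged. All function names, the regular expression, and the demo inputs are assumptions made for this example; escapeshellarg(), realpath() and file_get_contents() are standard PHP functions.

```php
<?php
// Added example, not part of the original article. Function names and the
// allowlist pattern are assumptions chosen for illustration.

// Vulnerable form (as in the article): the input lands on a shell command line,
// so "profile.txt; ls" executes two commands.
function show_file_vulnerable(string $filename): void
{
    system("cat $filename");
}

// Hardened form: allowlist the name, confine it to $baseDir, and avoid the shell.
function show_file_safe(string $filename, string $baseDir): string
{
    // 1. Allowlist: letters, digits, dot, underscore, hyphen; no leading dot.
    if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]{0,254}$/', $filename)) {
        throw new InvalidArgumentException('invalid file name');
    }
    // 2. Confinement: the resolved path must lie inside the base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $filename);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('file not found');
    }
    // 3. No shell at all: read the file directly instead of running "cat".
    $content = file_get_contents($path);
    return is_string($content) ? $content : '';
}

// If a shell is unavoidable, escapeshellarg() single-quotes the value so the
// operators in the list above are passed literally. Use it together with the
// allowlist and confinement checks, not instead of them.
function cat_with_escaped_arg(string $filename): string
{
    $out = shell_exec('cat ' . escapeshellarg($filename));
    return is_string($out) ? $out : '';
}

// Detection aid: which of the listed shell operators occur in an input string.
function shell_operators_in(string $input): array
{
    $found = [];
    foreach ([';', '|', '`', '$(', '&&', '||', '>', '<'] as $op) {
        if (strpos($input, $op) !== false) {
            $found[] = $op;
        }
    }
    return $found;
}

// Demo on a constructed temporary directory holding one file.
$dir = sys_get_temp_dir() . '/cmdinj_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/profile.txt", "name: alice\n");

echo show_file_safe('profile.txt', $dir);        // legitimate request: prints the file
foreach (['profile.txt; ls', '../profile.txt'] as $bad) {   // constructed inputs
    try {
        show_file_safe($bad, $dir);
    } catch (Exception $e) {
        printf("rejected %s (%s) operators=[%s]\n",
            var_export($bad, true), $e->getMessage(),
            implode(' ', shell_operators_in($bad)));
    }
}
unlink("$dir/profile.txt");
rmdir($dir);
```

Run it with `php example.php`: the legitimate name prints the file, ‘profile.txt; ls’ is rejected by the allowlist with `;` reported by the detection helper, and ‘../profile.txt’ is rejected by the allowlist before the path is ever resolved. The order of the checks matters: the allowlist runs first so that metacharacters never reach realpath() or a shell, and the confinement check still catches a name that passes the allowlist but resolves outside the base directory through a symlink.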