A really basic but very dangerous vulnerability in the family of injection security flaws
To get the most out of this vulnerability, you should have basic knowledge of Linux OS commands and the Linux operating system, along with its command-line interface.
For more information: TLDP Linux Documentation
If you have learned this vulnerability before, why not go and solve my challenges here?
I will use this example again: as you know, injection means putting something into an object.
During the Covid-19 pandemic we all had to be injected with a vaccine in order to prevent or mitigate the
consequences of the coronavirus. That is injection: a way to give an object some instruction to do
something. In the example above, the instruction is the vaccine, which tells the body how to deal with the
coronavirus.
Back to our module, let me introduce the most basic way to call an OS command from PHP:
<?php system("id"); ?>
This is just a very basic OS command: the system() function in PHP runs a command through the shell, so here the "id" command is executed and it prints the uid, gid and group memberships of the user the PHP process runs as.
Let's get to something more complicated. To check whether a domain is alive or not, we often use the ping command with the host domain; here is an example:
<?php system("ping google.com"); ?>
Now, back to PHP: how would a beginner-level PHP programmer turn this OS command into a function that takes the host from the user?
<?php system("ping $user_input"); ?>
Here, some explanation of the syntax: in PHP a variable inside a double-quoted string is interpolated, so $user_input is replaced by whatever the user submitted before the string ever reaches system().
OS command injection is one of the easiest attacks to learn, but it has one of the highest severity ratings.
As I said before, Injection is to input something into an object.
In this case, the object is the OS command. So what happens if an attacker tries to put some instruction of their own into the command that is being executed?
Let's go back to the example above: here $user_input is the untrusted data, because it is controlled by the user.
Let's take a look again at the ping function:
<?php system("ping -c3 $user_input"); ?>
Now, if the attacker inputs the value: google.com; id
the command becomes:
<?php system("ping -c3 google.com; id"); ?>
Neither PHP nor the OS shell that executes the command has any way to distinguish the attacker's input from the command syntax and instructions.
From the point of view of the shell, it first executes the command "ping -c3 google.com". Next comes the semicolon, which is a really important instruction in OS commands: it tells the shell
that "the command ends here; the part after the semicolon is a new command". The shell then executes the next command, "id".
In this way the attacker can execute arbitrary OS commands on the server, and typically fully compromise the application and all of its data.
Another example: this time the attacker inputs into $user_input: ; shutdown
The command now becomes:
<?php system("ping -c3 ; shutdown"); ?>
Obviously the first command, before the semicolon, fails, because the attacker did not supply any host, so ping does not know where to send its ICMP packets.
But, as you can see, the attacker has injected a shutdown command after the semicolon, which tells the server to shut down and stop every operation (it only succeeds if the user the web server runs as is allowed to run shutdown, but web applications are far too often deployed with more privilege than they need).
In this way, the attacker could bring down the whole server of a company or business.
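Here is the ping wrapper from this post next to a hardened version, as an added example that is not part of the original article. The function names, the allowlist regex, the sample inputs and the output format are my own choices for the illustration; escapeshellarg(), preg_match() and system() are standard PHP functions. The hardened version rejects the input before it reaches the shell, and only then quotes it, so that the two payloads shown above (and a value that starts with a dash) never become part of the command.

```php
<?php
// Added example (not from the original post): the vulnerable ping wrapper
// from the article next to a hardened version. Function names, the
// sample inputs and the messages are this example's own choices.

// Vulnerable: the user's value is dropped straight into the shell string,
// so a ';' (or '&&', '|', backticks, '$(...)') lets the user append commands.
function build_ping_vulnerable(string $user_input): string
{
    return "ping -c3 $user_input";
}

// Allowlist check: only hostnames (which also covers dotted IPv4 literals)
// pass. Anything containing a shell metacharacter, whitespace or a leading
// '-' (which ping would parse as an option) is rejected here, long before
// the value gets anywhere near the shell.
function is_safe_host(string $host): bool
{
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    // A label is letters, digits and hyphens, starting and ending with a
    // letter or digit; labels are separated by single dots.
    $label    = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $hostname = '/^' . $label . '(?:\.' . $label . ')*$/';
    return preg_match($hostname, $host) === 1;
}

// Hardened: validate against the allowlist first, then quote the value with
// escapeshellarg() as a second layer, so that a future change to the regex
// cannot silently reopen the hole. Returns null when the input is rejected.
function build_ping_hardened(string $user_input): ?string
{
    if (!is_safe_host($user_input)) {
        return null;
    }
    return 'ping -c3 ' . escapeshellarg($user_input);
}

// Constructed sample inputs: a normal host, the two payloads shown in the
// article, and a leading-dash value. Note that escapeshellarg('-h') yields
// '-h' in single quotes, which the shell strips again, so ping would still
// see it as an option; only the allowlist stops that case.
$samples = ['google.com', 'google.com; id', '; shutdown', '-h'];

foreach ($samples as $input) {
    $vuln = build_ping_vulnerable($input);
    $safe = build_ping_hardened($input);
    printf("input: %-18s vulnerable: %-28s hardened: %s\n",
        var_export($input, true), $vuln, $safe ?? '(rejected)');
}

// Only run a command once it has passed the allowlist. system() echoes the
// command's output and stores its exit status in $rc (0 means success).
$cmd = build_ping_hardened('127.0.0.1');
if ($cmd !== null) {
    system($cmd, $rc);
    echo "ping exit status: $rc\n";
}
```

Running the script prints four lines showing the command each input would have produced in the vulnerable version and "(rejected)" for the three bad inputs in the hardened one, then pings the loopback address three times. The order of the two defences matters: the allowlist is what actually decides what may be passed, and escapeshellarg() is only a backstop against shell parsing, not against the called program interpreting a quoted value as one of its own options.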