Command Injection/Shell Injection


Challenge: Malicious arbitrary command execution, using the system shell, through an argument passed via
the web application. Obtaining shell-level access and backdooring the system via the application for
maintaining access.

Target: Locally hosted web application over Apache Web Server.
Topic: Create Web Application and Inject commands as an argument via the application.

Hack: The primary objective of this topic and its challenges is to create a sample web application in PHP
to show how command injection becomes possible with insecure input validation practices. The priorities
are to understand the attack scenarios for direct and indirect command injection, to analyze the causes
that lead to command injection, to see how seriously command injection affects the integrity of the
application, to test for command injection vulnerabilities, and to learn how to protect applications
against command injection so that they can be deployed securely. Before we start with the native code and
deduce application security vulnerabilities from it, you need to know that command injection is also
known as shell injection, since a shell takes an active role in executing the commands that the malicious
web attacker passes as an argument.

Objectives of the document:

• Command Injection General Definition and explanation
• Different abbreviations of command injection
• Examples of command injection in sample programs
• The use of the sample programs by the applications for output
• Command Injection leading to arbitrary command execution
• Concept of priority of the program which executes the arbitrary command
• Obtaining shell on the system and therefore maintaining access via backdoor.

Consider a web application with a large job role that needs various functionalities, one of which
requires interaction with the system shell in order to perform a task. The task could be anything from
listing directories or showing the date and time to other functions that involve interacting with the
system shell. To perform such tasks, developers would normally have to write a routine and extra lines of
code, when the system shell could perform the desired task directly and save the time and effort of
writing that code. But this often goes in an insecure direction, leading to shell injection or command
injection.

Before we begin, one must understand what a shell is. A shell is a user interface to access the services
provided by an operating system. The web application uses these operating system services to complete
certain tasks, and so users are required to pass arguments to the application, which are then transferred
to the system shell; the system shell takes these arguments as ‘commands’, executes them and returns the
output to the user.
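
The directory-listing task mentioned above, as an added example that is not part of the original article: it prints the command string a shell would receive when the argument is concatenated, the same string with the argument quoted, and the result of doing the task with PHP's own API instead of a shell. The function names, the base directory and the sample inputs are assumptions made for illustration; no command is executed.

```php
<?php
// Added example (not from the original article). Function names, the base
// directory and the sample inputs are assumptions made for illustration.

// Insecure pattern described above: the request parameter is concatenated
// into a string that the shell parses, so the shell, not the application,
// decides where the argument ends and whether another command follows.
function build_listing_command_insecure(string $dir): string
{
    return 'ls -l ' . $dir;              // would be handed to shell_exec()
}

// Hardened pattern 1: if a shell really is required, quote the value so the
// shell sees exactly one argument, and end option parsing with "--".
function build_listing_command_quoted(string $dir): string
{
    return 'ls -l -- ' . escapeshellarg($dir);
}

// Hardened pattern 2 (preferred): do not start a shell at all. Validate the
// name against a strict pattern and use PHP's own directory API.
function list_directory_native(string $base, string $name): array
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        throw new InvalidArgumentException('rejected directory name');
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_dir($path)) {
        throw new RuntimeException('no such directory');
    }
    return array_values(array_diff(scandir($path), ['.', '..']));
}

// Constructed inputs: one ordinary name, one carrying a shell metacharacter.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'listing_demo';
@mkdir($base . DIRECTORY_SEPARATOR . 'reports', 0700, true);
touch($base . DIRECTORY_SEPARATOR . 'reports' . DIRECTORY_SEPARATOR . 'q1.txt');

foreach (['reports', 'reports; date'] as $input) {
    echo "input:    $input\n";
    echo "insecure: " . build_listing_command_insecure($input) . "\n";
    echo "quoted:   " . build_listing_command_quoted($input) . "\n";
    try {
        echo "native:   " . implode(', ', list_directory_native($base, $input)) . "\n\n";
    } catch (Exception $e) {
        echo "native:   " . $e->getMessage() . "\n\n";
    }
}
```

For the second input, the "insecure" line shows two commands from the shell's point of view, the "quoted" line shows a single argument, and the native function rejects the value before any file system access.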

Source: exploit-db