Mand Injection

Uploaded by

nikhitha.k1818

Advanced Cyber Security

5. Command Injection
Objective: To learn how a command injection attack works
Tools: DVWA, Burp Suite, custom vulnerable web application

Command injection is a critical security vulnerability that occurs when an attacker can execute arbitrary
commands on a host operating system via a vulnerable application. This type of attack typically targets
applications that pass user-supplied data to system commands without adequate input validation or
sanitization. Command injection can lead to unauthorized system access, data exfiltration, privilege
escalation, and sometimes even full system compromise.

How Command Injection Works

Command injection vulnerabilities occur in applications that use user input within system-level commands
without properly validating or escaping that input. Attackers can manipulate the input to execute
unintended commands, leveraging characters like ;, &&, |, or & to chain commands.

Types of Command Injection

1. Shell Injection: Directly injects commands into shell scripts.
2. OS Command Injection: Targets applications that execute system commands on the operating
system.
3. Arbitrary Code Execution: Allows attackers to run code in various languages within the
application, often leading to severe consequences.

Mitigation Techniques

1. Input Validation and Sanitization: Validate and sanitize all user input, ensuring it only contains
expected values.
2. Parameterized Commands: Use parameterized functions instead of concatenating user input
directly into command strings.
3. Use APIs Over Direct System Calls: Instead of using system commands, opt for language-specific
libraries or APIs to perform operations.
4. Least Privilege Principle: Limit the permissions of applications that run system commands to
prevent privilege escalation.
5. Escaping Special Characters: Escape any potentially harmful characters in the input to prevent
chaining commands.
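
The mitigations above, applied to the ping-by-IP feature used in the lab procedure, as an added example that is not part of the original handout and is not DVWA's code. The function names and sample inputs are hypothetical; nothing is executed, the code only compares the string a shell would parse with a validated argument vector.

```python
import ipaddress
import shlex

def vulnerable_command_line(target: str) -> str:
    """Anti-pattern: user input concatenated into a string that is handed to a shell."""
    return "ping -c 4 " + target

def shell_control_operators(command_line: str) -> list[str]:
    """Return the operator tokens (;, &&, |, & ...) a POSIX shell would see in the string."""
    lex = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return [tok for tok in lex
            if tok and all(ch in lex.punctuation_chars for ch in tok)]

def build_ping_argv(target: str) -> list[str]:
    """Mitigations 1 and 2: validate the input, then pass it as one argv element.

    The returned list is meant for subprocess.run(argv) with the default
    shell=False, so no shell ever interprets the value.
    """
    addr = ipaddress.IPv4Address(target)  # ValueError unless a plain a.b.c.d literal
    return ["ping", "-c", "4", str(addr)]

# Constructed sample inputs: one expected value, three using the chaining
# characters named in "How Command Injection Works".
SAMPLES = [
    "127.0.0.1",
    "127.0.0.1; echo injected",
    "127.0.0.1 && echo injected",
    "127.0.0.1 | echo injected",
]

def audit(samples):
    """For each input: operators present in the shell string, and the safe argv (or None)."""
    rows = []
    for value in samples:
        operators = shell_control_operators(vulnerable_command_line(value))
        try:
            argv = build_ping_argv(value)
        except ValueError:
            argv = None  # rejected by validation, never reaches ping
        rows.append((value, operators, argv))
    return rows

if __name__ == "__main__":
    for value, operators, argv in audit(SAMPLES):
        print(f"{value!r}: shell operators={operators} safe argv={argv}")
```
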

Dept.of CSE-CY, RNSIT Page 1



1. You may log in with user name admin and password password.

2. Access the Command Injection page using the menu on the left. It will let you specify an IP
address (e.g. 127.0.0.1) such that the DVWA server executes the ping command internally to that
IP, and then reports the output of the ping command.

3. Exploit vulnerabilities by supplying malicious input that leads to ("injects") the
execution of command

Scroll down the page and click on View Source to observe the code that is
executed on the server side. Analyze the code to understand the input validation
mechanism (if any). You can also click on View Help for an explanation of the
input validation mechanisms and vulnerability exploitation hints.

4. Change the DVWA Security Level, initially set to Low, and repeat step 4 for
the Medium, High and finally the Impossible security levels.


Link: https://www.dcc.fc.up.pt/~edrdo/aulas/qses/lectures/lab1/
