Command Injection

Posted on August 20, 2020. Filed under: CCNA


Command injection is an attack whose goal is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.
For example, an old desktop application might use a Unix system command to display time.
Let’s imagine it is written in C and has lines like:
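char command[256] = "";        /* must start as an empty string for strcat() */
strcat(command, "cat ./");
strcat(command, argv[1]);      /* user input appended unmodified */
system(command);               /* the whole string is handed to the shell */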
so that a desktop user can type “logandprintapp tmp.txt” to log and display a file's contents.
Later, when web applications became popular, a quick update exposed the desktop application through a web interface. As a result, a web service can send a request like
http://victimesite.com/loganprintapp?file=tmp.txt
to trigger the same functionality.
However, an attacker can send a request like
http://victimesite.com/loganprintapp?file=tmp.txt;ls
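to list all files under the directory, because the shell treats the ; as a command separator and runs whatever follows it as a second command. Even worse, the ; can be followed by “rm -f *”.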

Similarly, the following PHP code suffers from the same problem. Since the web server can delete a file, there is no reason it cannot display sensitive information. A query like this can be dangerous: http://victimesite.com/loganprintapp?file=tmp.txt;id

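<?php
print("Please specify the name of the file to delete");
print("\n\n");
// User-controlled query parameter, used without validation or escaping
$file = $_GET['filename'];
// $file is interpolated into a shell command line, so any shell
// metacharacters it contains are interpreted by the shell
system("rm $file");
?>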
