Mastering Command Injection Attacks from Basics to Advanced

Command injection

Command injection is an attack in which a web application is made to run operating-system command line commands directly. It is often encountered on websites that expose a pingback function, which becomes vulnerable when the input it receives is not validated in the website's source code.

Here I will provide examples of command injection on DVWA from the low to the high level. DVWA is recommended for beginners who want to learn the types of attacks against a website, or who want to get started in bug bounty: by understanding the attack types and how to carry them out against DVWA, you can more easily understand why an attack works against a target and build on it.

1. Level low command injection


In the low-level source code provided by DVWA we can see the vulnerability: there is no validation of shell operators (command separators) such as:

  • &&
  • ||
  • ;
  • ,
  • etc

If you have used the command line on Linux or Windows, you will know these operators let you run two or more commands in a single line. In DVWA, this allows command injection such as:

<any IP> && dir (Windows)

<any IP> && ls (Linux)

The injected command then returns a directory listing:

[Screenshot: directory listing returned by the injected command]

Through this vulnerability you can also obtain a shell, for example with netcat or a reverse TCP shell.

2. Level medium command injection


At the medium level two operators, && and ;, are filtered, so we can no longer inject with them. But we can use other operators, such as:

  • &
  • ||
  • |
  • ,
  • etc

For example, you can use the command :

<any IP> & dir

This gives:

[Screenshot: directory listing returned by the injected command]

3. Level high command injection


We can see that more operators have been filtered, but that does not mean they cannot be bypassed: here we write the operator directly adjacent to the command, with no space between them, which the command line still accepts as valid, such as:

<any IP> |dir

The result then appears:

[Screenshot: directory listing returned by the injected command]

4. Level Impossible command injection


At this level the only thing left to do is to study how the source code validates input correctly, which is what prevents command injection attacks.
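As an added example (not DVWA's own source), the PHP script below, run from the command line, contrasts a medium-style and a high-style blocklist with an allowlist check that accepts only a valid IPv4 address, the kind of correct validation the impossible level points to. The function names and the exact blocklists are assumptions for illustration, and the inputs are constructed from the payload shapes shown in this post.

```php
<?php
// Added example, not DVWA's own source. It contrasts the blocklist approach of
// the medium/high levels with an allowlist check. Function names and the exact
// blocklists are illustrative assumptions.

// Medium-style blocklist: strips only "&&" and ";", so "&", "|" and "||" survive.
function mediumFilter(string $target): string
{
    return str_replace(['&&', ';'], '', $target);
}

// High-style blocklist: strips operators only when followed by a space, so an
// operator written directly before the command (e.g. "|dir") is left untouched.
function highFilter(string $target): string
{
    return str_replace(['& ', '; ', '| ', '|| '], '', $target);
}

// Allowlist: accept nothing but a syntactically valid IPv4 address.
function isValidIpv4(string $target): bool
{
    return filter_var($target, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
}

// Builds the ping command only for allowlisted input; null means "reject".
// escapeshellarg() is defence in depth in case the allowlist is ever loosened.
function buildPingCommand(string $target): ?string
{
    if (!isValidIpv4($target)) {
        return null;
    }
    $base = stripos(PHP_OS, 'WIN') === 0 ? 'ping ' : 'ping -c 4 ';
    return $base . escapeshellarg($target);
}

// Constructed inputs: the legitimate case plus the three payload shapes from the post.
$inputs = ['127.0.0.1', '127.0.0.1 && ls', '127.0.0.1 & dir', '127.0.0.1 |dir'];

printf("%-18s | %-18s | %-18s | %s\n", 'input', 'after medium', 'after high', 'allowlist');
foreach ($inputs as $in) {
    printf("%-18s | %-18s | %-18s | %s\n",
        $in, mediumFilter($in), highFilter($in),
        buildPingCommand($in) ?? 'rejected');
}
```

The table shows that each blocklist still lets one of the payload shapes through, while the allowlist rejects everything except the bare IP address.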