Command Injection Flaws
Command injection flaws are another dangerous type of web application vulnerabilities. Their presence in web application is really very much dangerous since attacker will not be required to use any username or password to execute commands using command injection. SQL injection attacks are also form of command injection attacks. Command injection vulnerability is also termed as OS Command injection vulnerability. In this section we will not really discus about how to perform a command injection attack but have our look on what is it, why web applications became vulnerable to them and threat level because of them.
With time web applications has evolved not only to meet requirements put forward by end user but also by web developers. Requirements of a web developer has been met with help of different API. API stands for Application Programming Interface most likely made popular by Java. Most web developers develop and use API's to simplify their further coding and development tasks, many of them are created to practically interact with operating system on which they are running. To lessen down work and coding overload many developers try to use system level shell commands while developing API's, though sometimes it may become a little heavy to run but who cares when you have high end server system. An attacker can modify the way he/she inputs data to exploit this vulnerability. Have a look on some of following examples,
A C Script,
/* Some lines of code */
system(“dir string”);
A Perl Script,
/* Some lines of code */
my $command= “ --some code-- ”;
/* Some lines of code */
$command=$command.param(“dir”);
/* Some lines of code */
An ASP,
/* Some lines of code */
Set oScript = Server.CreateObject(“WSCRIPT.SHELL”)
/* Some lines of code */
Call oScript,Run(“cmd.exe /c dir”);
Above are some examples of faulty coding while developing web API. Each of the above example just shows how to interact with system shell to execute dir command. Now if you are an experienced web developer you might argue on some of the depicted programming practice about completeness. For them I want to clear above are just examples and I am not actually an experienced web developer so please consider above as explanatory examples and not as complete stuff. I just showed few methods of calling shell commands from web applications and there is surely many other methods too.
As you can see above examples, the development tools and software used for web application development are meant to provide dynamic nature to web contents, so you can easily conclude that nearly all web development tools used for web application development which provide dynamic nature to contents may be vulnerable to command injection due to faulty programming practice. But the truth is command injection flaws exists only in web applications which are custom built which means its 100% developer's fault if web application is vulnerable.
Now threat level possessed by command injections are very high because web servers and web applications running on system are most likely are ran with administrative privileges thus an attacker can get complete access to system just by inputting some commands via web application. Due to command injection flaws an attacker can compromise system without going through any phase of remote hacking, attack will be 100% untraceable even if attacker uses a simple proxy server and most devastating part will be he/she will have administrative privileges without knowing any username and password.
Command injection attacks are easy to carry out and still there are several web applications which are directly or indirectly vulnerable to command injection attacks. But in spite of how simple it is to carry out an attacker needs a good knowledge of shell commands of related operating system and operating system itself. So no matter how simple it is, it is tough to understand and so even many skilled and experienced hackers can't perform command injections successfully that's the reason you hardly find description about command injection on most of the websites, forums and books related to hacking.
I hope that's set for now, so next time we meet up we'll discus some real deal about command injections. Thanks for reading, have a nice time and keep visiting.
