Command Injection | Finding And Exploiting Flaws
In our last post we had our look on some basics about command injection flaws. So here we will discus how to find and exploit command injection flaws. In last post I told you that to exploit command injection flaws you must be able to interact with system command shell. Suppose anyhow you suspect that the web application interacts with operating system, its time to check it how you can exploit it. Before you exploit I must make clear that there is practically no guarantee that the command shell web application is interacting is its own shell, remote shell or custom built shell also there's no guarantee that output of executed command will be displayed to you on your web browser. Note that an application can issue operating system commands using input provided by user, URL and even stored and processed cookies.