Command Injection

Command Injection is a critical security vulnerability that allows attackers to execute arbitrary operating system commands on the server. By manipulating user inputs, attackers can gain full control of the system, steal data, or deploy malware.

CRITICALOWASP Top 10 #3CWE-784 Contexts

🧪 Interactive Command Injection Lab

Select a command injection context and practice with real-world payloads in a safe environment

Select Context

Choose an injection context to begin testing

💻

Basic Command Injection

Simple command injection using command separators

BEGINNER1 attacks

🕵️

Blind Command Injection

Execute commands without direct output visibility

INTERMEDIATE2 attacks

🛡️

Filter Bypass

Bypass command injection filters and WAF rules

ADVANCED1 attacks

🔥

Remote Code Execution

Achieve full remote code execution

EXPERT1 attacks

📖

Quick Reference

Always available while you work

🔥OWASP Top 10

Position:#3

Command Injection is part of Injection category at #3 in OWASP Top 10 2021.

📊Critical Statistics

RCE Success Rate:89%

Successful remote code execution rate

Average CVSS Score:9.2

Most command injections score HIGH or CRITICAL

System Compromise:76%

Full system takeover potential

🛡️Quick Prevention

✓Avoid executing system commands
✓Use built-in language functions
✓Validate input with strict allowlists
✓Use proper escape functions
✓Apply principle of least privilege
✓Use WAF and monitoring

📚Resources

VulnSign Command Injection Guide

📚 Learn & Master Command Injection

Comprehensive guide covering theory, bypass techniques, real-world examples, and prevention strategies

FUNDAMENTALS

💻

What is Command Injection?

Command Injection is a security vulnerability that allows attackers to execute arbitrary operating system commands on the server hosting an application. It occurs when an application passes unsafe user input to a system shell, enabling attackers to run malicious commands, access sensitive files, or completely compromise the system.

MECHANISM

How Command Injection Works

Attackers exploit command injection by injecting shell metacharacters (;, &&, ||, |, `) into user input that gets passed to system commands. These metacharacters allow chaining multiple commands or redirecting output.

❌ Vulnerable Code Example

php

1// PHP - Unsafe command execution
2$ip = $_GET['ip'];
3$output = shell_exec("ping -c 4 " . $ip);
4echo $output;
5
6// Attacker input: 127.0.0.1; cat /etc/passwd
7// Executes: ping -c 4 127.0.0.1; cat /etc/passwd

✅ Secure Code

php

1// PHP - Input validation & escapeshellarg()
2$ip = $_GET['ip'];
3if (filter_var($ip, FILTER_VALIDATE_IP)) {
4  $output = shell_exec("ping -c 4 " . escapeshellarg($ip));
5  echo $output;
6} else {
7  die("Invalid IP");
8}

TYPES

Types of Command Injection

💻Basic Injection

Simple command chaining using separators like ; && || |

🕵️Blind Injection

No direct output; use time delays or out-of-band channels

🛡️Filter Bypass

Evade WAF/filters using encoding, obfuscation, wildcards

🔥Remote Code Execution

Full RCE via reverse shells, backdoors, privilege escalation

IMPACT

What Can Happen?

💣
Remote Code Execution:
Execute arbitrary OS commands, install backdoors, create user accounts
📂
Data Exfiltration:
Read sensitive files (/etc/passwd, SSH keys), database credentials, source code
🏢
System Compromise:
Full server takeover, lateral movement, privilege escalation to root
🦠
Malware Deployment:
Deploy ransomware, cryptominers, botnet agents, persistent backdoors

BEST PRACTICES

🛡️

How to Prevent Command Injection

✓Avoid System Commands: Use language APIs instead of shell commands when possible
✓Input Validation: Whitelist allowed characters, reject special shell metacharacters
✓Escape Functions: Use escapeshellarg() / escapeshellcmd() in PHP, shlex in Python
✓Parameterized Commands: Never concatenate user input into commands
✓Principle of Least Privilege: Run processes with minimal permissions, use sandboxing
✓WAF & Monitoring: Deploy WAF rules, monitor for suspicious command patterns

REAL WORLD

🎯

Famous Attack

1// PHP - Unsafe command execution 2$ip = $_GET['ip']; 3$output = shell_exec("ping -c 4 " . $ip); 4echo $output; 5 6// Attacker input: 127.0.0.1; cat /etc/passwd 7// Executes: ping -c 4 127.0.0.1; cat /etc/passwd

1// PHP - Input validation & escapeshellarg() 2$ip = $_GET['ip']; 3if (filter_var($ip, FILTER_VALIDATE_IP)) { 4 $output = shell_exec("ping -c 4 " . escapeshellarg($ip)); 5 echo $output; 6} else { 7 die("Invalid IP"); 8}