Editor’s observe: That is an up to date model of Serge’s wildly widespread article written initially in 2011, proving but once more that whereas the know-how might change, safety ideas endure.

What are Command Injection vulnerabilities?
Command Injection is a kind of vulnerability that enables attackers to inject arbitrary instructions right into a weak software program software or service after which have the malicious instructions get executed with the weak software program’s privileges.

The upper the software program’s privileges, the larger the entry it has to sources within the atmosphere. In some circumstances, there could also be limits on the scope of obtainable instructions because of peculiarities of the appliance’s or the system’s internal workings. Nonetheless, more often than not an attacker beneficial properties command-line entry to the system working the weak software. This permits the attacker to take management of the software program and all its information and in addition management of different sources on the system that the software program has entry to.
Exploiting Command Injection additionally creates the potential for leveraging extra Privilege Escalation exploits to take full management of the goal system. If the weak software program is working with elevated privileges, then exploiting Command Injection by itself is usually enough to take full management of the goal system. 
Command Injection is without doubt one of the most harmful and customary vulnerability sorts. It’s straightforward to search out and exploit; its severity can’t be overstated. Command Injection is assigned CWE-78 within the Frequent Weak spot Enumeration and is included within the A1: Injection class as the highest risk in each model of the Open Internet Utility Safety Challenge (OWASP) Prime 10 challenge.
The place are Command Injection vulnerabilities discovered?
Command Injection vulnerabilities could also be current in any software program that invokes exterior instructions. The time period “exterior command” is used on this article to explain any command that isn’t part of the appliance being examined and is due to this fact exterior to the appliance.
Any of the next situations may cause command Injection vulnerabilities:

The software program invokes a system shell to execute an exterior command and passes untrusted information as an argument to the exterior command.
The software program makes use of untrusted information to find out which exterior command to execute.
The software program passes untrusted information to an exterior command, and the exterior command will invoke extra instructions primarily based on untrusted information.

Robust information validation would possibly trigger a Command Injection vulnerability to be unexploitable in follow, even when any of those situations are current. Nonetheless, to totally mitigate the risk, code that comprises any of the situations that trigger Command Injection have to be (re)written utilizing secure programming patterns.
Tips on how to take a look at for Command Injection vulnerabilities
Prepping your take a look at atmosphere
Earlier than you start testing for Command Injection vulnerabilities, it’s best to know that whereas the overall testing course of is at all times the identical, the precise testing course of differs barely relying on how a lot entry you must the software program, its supply code, and the atmosphere through which it operates.
With extra entry, it’s simpler to establish probably weak sources of enter, craft assault strings, and observe modifications to system habits in response to your assault strings. For instance, suppose you will have entry to the atmosphere through which the appliance being examined is working. In that case, you may observe whether or not your assault strings pressure the appliance to create a file in a brief listing or not. Which may will let you decide that Command Injection is current even when the appliance doesn’t in any other case produce any indication that an error situation has taken place.
Entry to the supply code would possibly assist establish code that passes enter to exterior instructions, making it simpler to establish which inputs to focus testing on and which take a look at strings to make use of.
So, when testing in real-world situations, attempt to get as a lot entry and as a lot info earlier than you start testing.
The Testing Course of
The next diagram illustrates the overall testing course of. We’ll use the identical course of for uncovering Command Injection vulnerabilities. 

Basic Testing Course of
Choose Entry Level
An entry level into an software is solely a channel by way of which a software program accepts exterior information. Every entry level will often have a number of sources of enter that offer information to that entry level. On this step, you will need to decide an entry level into the appliance after which iterate by enter sources.
Determine appropriate sources of enter
Our focus must be on sources of enter that offer text-based information to the software program. Enter information that can’t be interpreted as plain textual content, corresponding to clicking on UI components, aren’t related to our testing. 
For instance, for an online software, the enter sources will usually be the varied HTTP request parameters despatched from the consumer to your internet software. When figuring out HTTP request parameters, don’t overlook the requests which can be despatched by JavaScript.
Prioritize the sources of enter
Precedence must be given to inputs which can be identified to be processed in contexts which can be inclined to command injection, corresponding to getting used as arguments when executing exterior functions. When trying to find out the context through which the enter goes to be processed, it helps look at the output that outcomes from processing the enter information.
In some circumstances, there could be apparent indications of system instructions being invoked by the software program. For instance, suppose an software takes the title of a listing as enter after which produces a listing of filesystem objects inside that listing that appears equivalent to the output produced by executing the ls -l command. In that case, there’s a robust risk the appliance is passing the title of the listing to the ls -l command.
Some frequent performance carried out by invoking exterior instructions consists of changing media codecs, file archiving, making backups, particularly database backups, sending e-mail, and utilizing different non-web community protocols.
When you ought to prioritize enter sources which can be seemingly for use for passing arguments to system instructions, it’s best to actually take a look at all sources of enter to the appliance that you may management, except it’s identified for a proven fact that some particular inputs is not going to be used when invoking exterior instructions or it’s not mandatory to check the appliance totally.
Craft Payload
To start testing, you’ll craft payloads that will likely be despatched to the chosen entry level. For uncovering Command Injection weaknesses, our payloads will likely be within the type of assault sample strings. Assault sample strings are nothing however specifically crafted textual content information that comprise particular characters or statements which can be more likely to trigger a deviation from the code creator’s supposed motion. This deviation may both trigger the focused code to fail throughout execution or trigger the focused code to invoke arbitrary exterior instructions. Most assault sample strings used to check for Command Injection vulnerabilities comprise shell metacharacters (corresponding to semicolons) and names of instructions.
There are various collections of take a look at strings that can be utilized to detect Code Injection, out there on the Web. One widespread public assortment of take a look at strings is positioned at https://github.com/fuzzdb-project/fuzzdb/tree/grasp/assault/os-cmd-execution. There are a number of information in that repository, however you’re primarily supposed to make use of command-injection-template.txt and substitute your individual instructions rather than {cmd}. Among the different information are solutions of instructions that can be utilized rather than {cmd}, however mainly, any command that you may invoke in a command line terminal that you just want to execute with the privileges of the possibly weak software can be utilized.
Relying on the appliance and platform, the take a look at strings may need to account for some limitations like being unable to incorporate white-spaces or another characters inside take a look at strings. General, some tailoring is required, however merely inserting legitimate instructions which can be more likely to produce observable modifications in a weak software’s habits rather than {cmd} in command-injection-template.txt gives you a very good starter set.
Execute Check
Along with collections of payloads, additionally, you will want instruments for sending the take a look at strings to the appliance. The instruments rely on the appliance being examined; for instance, to check an online software you should utilize an online proxy, an online browser, or write your individual scripts. Every sort of device has its personal benefits and drawbacks, and you aren’t restricted to just one sort of device. No matter instruments you employ, the purpose is to ship payload as enter to the appliance.
Observe System
Most probably at first your assault sample strings received’t really produce legitimate instructions after they set off weak code and can end in software errors when processed. Relying on how the appliance handles errors, you could or might not obtain helpful error messages or different helpful suggestions. If the appliance shows an error message apart from enter validation error when processing any of your take a look at strings, then most certainly Command Injection is current. You must proceed testing by modifying the assault sample string that triggered the error message.
Equally, suppose there are different apparent modifications in software habits that point out that the appliance will not be functioning appropriately in response to any of your take a look at strings. In that case, Command Injection is most certainly current, and it’s best to hold testing by modifying the take a look at string that triggered the change in habits.
In some circumstances, the appliance will seem to operate appropriately, despite the fact that a vulnerability is current. You may nonetheless uncover vulnerabilities that don’t trigger apparent modifications in software habits by passing take a look at strings that carry out actions to detect if a vulnerability is current. For instance, you would possibly attempt to cross a take a look at string that creates a brand new file on the filesystem utilized by the appliance, and if the file seems after you ship your take a look at string to the appliance, you understand {that a} vulnerability is current.
If you happen to can’t detect any deviation in system habits, it’s best to repeat the take a look at with the remainder of your assortment’s assault sample strings. If no assault strings produce any indication of Command Injection, it’s best to choose an alternate entry level for testing and repeat the take a look at. As illustrated within the diagram, that is a part of the overall testing course of. After you will have exhausted all potential mixtures of payloads and enter entry factors, the take a look at may be thought of full. Observe that even you probably have not discovered any Command Injection, that doesn’t imply that Command Injection will not be current in absolute phrases, however merely that none has been discovered. The methodology described right here is employed each by human testers and by automated scanning instruments when testing for Command Injection. Nonetheless, the precise assurance supplied by a real-world take a look at relies on components such because the tester’s talent and the standard of the preparation work, corresponding to growing the payloads, the power to observe the habits of the system being examined, and precisely figuring out all of the sources of enter to the software program being examined.
Create PoC
If you happen to uncover sources of enter to the appliance that end in error circumstances or incorrect habits when assault sample strings are handed, then it’s best to tailor such take a look at strings into Proof-of-Idea (PoC) exploits to confirm {that a} vulnerability is current. Inflicting error circumstances or incorrect habits in weak code is called “triggering the vulnerability”.
If you’ll be able to write a functioning exploit, then the exploit is proof-positive that you’ve got found Command Injection. Even should you can’t write a useful exploit, it’s best to take into account your discovering to be a possible, although unverified, Command Injection vulnerability.
Let’s have a look at an instance. We’re going to use PHP code that really comprises a Command Injection vulnerability. The weak PHP script is part of a hypothetical internet software, and all this script is meant to do is use the system ping utility to find out whether or not the host on which the net software is working has community entry to a user-specified community tackle.
The filename of the script is ping.php, and it’s positioned at servername/ping.php. The contents of the script are as follows:

Step 1.Both by inspecting the working internet software or by analyzing the supply code, now we have decided that one of many inputs to the appliance is the HTTP request parameter known as tackle. This will likely be our entry level.
By commentary or viewing the supply code, we are able to additionally verify that the script ping.php invokes a system command. Due to this there’s a very robust risk {that a} Command Injection vulnerability is current on this script, and we’ll prioritize testing it and take a look at it instantly.
Step 2.Let’s ship some take a look at strings to the script. Since we are able to manipulate the request parameter tackle utilizing an everyday internet browser, we don’t want to make use of any particular instruments. We’re going to use a take a look at string within the type of:
To ship this take a look at string to the appliance, we entry the next URL in our internet browser:
http://servername/ping.php?tackle=;echo COMMAND INJECTION IS PRESENT;
The rationale for that first semicolon is to trigger no matter follows the semicolon to be interpreted as a command if Command Injection is current. The echo command is the command that we are trying to execute, and it’s helpful as a result of it’d return our message to us, indicating that we executed our command efficiently.
The rationale for that final semicolon within the take a look at string is that it helps be sure that your chosen command will execute within the occasion that the weak script appends one thing to the string you’re injecting earlier than the info is used to execute system instructions. The net browser and the appliance server will conveniently maintain dealing with the white areas within the HTTP request parameter for us.
Step 3. After accessing the crafted URL that points a request containing our take a look at string to the goal software, we observe the appliance habits within the type of the output produced by the appliance and displayed in our internet browser. 
The output when a legitimate tackle, corresponding to localhost, is handed to the script appears to be like like this:
PING localhost ( 56(84) bytes of knowledge.64 bytes from localhost ( icmp_seq=1 ttl=64 time=0.031 ms— localhost ping statistics —1 packets transmitted, 1 obtained, 0% packet loss, time 0msrtt min/avg/max/mdev = 0.031/0.031/0.031/0.000 ms
The output when the take a look at string ;echo COMMAND INJECTION IS PRESENT; is handed to the script appears to be like like this:
Now we have clearly manipulated the appliance habits in a means that signifies that Command Injection is current.
Step 4. To verify that now we have found Command Injection, let’s try to execute arbitrary instructions comparable, however not equivalent, to those issued by real-world attackers since we don’t wish to trigger any precise hurt. As an alternative, we merely wish to show that we are able to manipulate the appliance in a probably harmful means. We additionally don’t actually need that final semicolon that’s current in our take a look at string since nothing is being added to the tip of our exploit by the appliance, so let’s do away with it. 
Let’s attempt studying the contents of a system file utilizing the cat /and so forth/passwd command.
Our exploit will then seem like this:
http://servername/ping.php?tackle=;cat /and so forth/passwd
The appliance responds:
root:x:0:0:root:/root:/bin/bashdaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologinbin:x:2:2:bin:/bin:/usr/sbin/nologinsys:x:3:3:sys:/dev:/usr/sbin/nologinsync:x:4:65534:sync:/bin:/bin/syncgames:x:5:60:video games:/usr/video games:/usr/sbin/nologinman:x:6:12:man:/var/cache/man:/usr/sbin/nologinwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin…
Let’s execute the whoami command to find out our system privileges. The exploit will seem like this:
The appliance dutifully responds as follows, displaying the person as whom the command injection is being executed:
This reveals that we are able to manipulate the weak software confirming {that a} Command Injection vulnerability is current. If our take a look at’s function was penetration testing, we are able to report our discovery and probably try to realize extra leverage. If we’re taking part in a contest, we are able to try to craft an exploit that can seize the flag. If we’re liable for the safety of the appliance, we must always repair the weak code. Regardless of the intent of the take a look at, the subsequent step is to meet it.