Command Injection
We can often determine whether Command Injection is possible by observing an application's behaviour. Applications that use user input to populate system commands can often be made to run unintended commands alongside the intended one.
- Shell operators such as ; & and && combine two or more system commands so that both are executed.
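The mechanism behind that behaviour, as an added example that is not part of the original notes: a hypothetical "ping a host" feature built by string concatenation hands the whole value to a shell, so a chaining operator in the input turns one command into two. The hardened form validates the value against an allowlist and passes argv as a list with no shell involved. The feature, the hostname regex and the function names are assumptions made for this illustration.

```python
import re
import subprocess

# Hypothetical feature for this example: a web form that takes a hostname
# and pings it. The allowlist below accepts only hostname/IPv4-style labels
# (letters, digits, hyphens, dots), so shell operators never reach a shell.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")

# Operators a POSIX shell uses to chain commands (the ones the notes list,
# plus the pipe); used here only to show where a string command gets split.
_CHAIN_RE = re.compile(r"\s*(?:&&|\|\||;|&|\|)\s*")


def vulnerable_shell_line(host: str) -> str:
    """What a naive implementation hands to `sh -c` (subprocess with
    shell=True). Returned rather than executed so the effect can be inspected."""
    return "ping -c 1 " + host


def commands_in_shell_line(line: str) -> list[str]:
    """Split a command line on chaining operators, as the shell would.
    More than one element means user input turned one command into several."""
    return [part for part in _CHAIN_RE.split(line) if part]


def is_allowed_host(host: str) -> bool:
    """Allowlist check: the whole value must look like a hostname or IPv4 literal."""
    return len(host) <= 253 and bool(_HOST_RE.match(host))


def build_ping_argv(host: str) -> list[str]:
    """Hardened form: validate, then pass argv as a list with no shell.
    Each element is exactly one argument, so '; whoami' could only ever be
    a host name, and the allowlist rejects it before that point anyway."""
    if not is_allowed_host(host):
        raise ValueError("host rejected by allowlist")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> str:
    """Execute the hardened command (shell=False); the timeout bounds the
    delay a blind payload such as sleep could otherwise induce."""
    result = subprocess.run(
        build_ping_argv(host), capture_output=True, text=True, timeout=10, check=False
    )
    return result.stdout


if __name__ == "__main__":
    tainted = "127.0.0.1; whoami"
    # Vulnerable path: the shell would see two commands.
    print(commands_in_shell_line(vulnerable_shell_line(tainted)))
    # Hardened path: a clean value becomes one argv, a tainted one is rejected.
    print(build_ping_argv("example.com"))
    try:
        build_ping_argv(tainted)
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist is deliberately narrower than a denylist of operators: it only has to describe what a hostname looks like, not enumerate every way a shell can be coaxed into running something else.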
Detecting Blind Command Injection
Time Delay:
These commands are useful payloads to test with. Using ping or sleep, the application will hang for X seconds.
Force Output:
This can be done by using redirection operators such as >. Example: we can tell the web application to execute a command such as whoami and redirect its output to a file. We can then use a command such as cat to read the newly created file's contents.
Detecting Verbose Command Injection:
- If the output of these commands is displayed directly on the web application, e.g. the output of ping or whoami.
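From the defender's side, the same signals the notes describe (chaining operators, time-delay and output-probe commands, redirection to a file) can be searched for in web server access logs. The scanner below is an added example, not part of the original notes, run over constructed log lines in the common access-log format; the parameter name host and the sample requests are invented for the illustration. A request is flagged when a decoded query value contains a chaining operator together with one of the probe commands, or a redirection character on its own, which keeps ordinary values such as "fish & chips" out of the findings.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines for this example (not from any real system).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /ping?host=example.com HTTP/1.1" 200 512
10.0.0.9 - - [10/Mar/2024:12:00:07 +0000] "GET /ping?host=127.0.0.1%3B+whoami HTTP/1.1" 200 640
10.0.0.9 - - [10/Mar/2024:12:00:19 +0000] "GET /ping?host=127.0.0.1+%26%26+sleep+10 HTTP/1.1" 200 512
10.0.0.9 - - [10/Mar/2024:12:00:31 +0000] "GET /ping?host=127.0.0.1+%3E+/tmp/out HTTP/1.1" 200 512
10.0.0.7 - - [10/Mar/2024:12:00:45 +0000] "GET /search?q=fish+%26+chips HTTP/1.1" 200 2048
"""

# Common log format: client IP, identity, user, timestamp, request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# Shell chaining operators and command substitution (the notes' ; & && plus
# the pipe, backtick and $( forms), and the commands the notes use as probes.
SHELL_OPERATORS = re.compile(r"(;|&&|&|\||`|\$\(|>)")
PROBE_COMMANDS = re.compile(r"\b(ping|sleep|whoami|cat)\b")


def scan_access_log(text: str) -> list[dict]:
    """Return one finding per query parameter whose decoded value looks like
    a command-injection probe. URL decoding happens in parse_qsl, so %3B and
    %26%26 are inspected as ';' and '&&'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        query = urlsplit(m["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            operators = SHELL_OPERATORS.findall(value)
            commands = PROBE_COMMANDS.findall(value)
            redirect = ">" in value
            # Operator plus probe command is the chaining pattern; a redirect
            # alone is the "force output to a file" pattern.
            if (operators and commands) or redirect:
                findings.append(
                    {
                        "line": lineno,
                        "ip": m["ip"],
                        "timestamp": m["ts"],
                        "param": name,
                        "value": value,
                        "operators": operators,
                        "commands": commands,
                    }
                )
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(
            f"line {finding['line']}: {finding['ip']} param={finding['param']!r} "
            f"value={finding['value']!r} ops={finding['operators']} cmds={finding['commands']}"
        )
```

Two caveats a practitioner will want: a blind time-delay probe leaves no visible output in the log, so response time per request (when the server records it) is the stronger signal for that case, and values sent in a POST body never appear in an access log at all, so this check belongs at the application or WAF layer as well.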