Home Web App Security How Command Execution/Injection Attacks Work

How Command Execution/Injection Attacks Work

Web App Security By · April 23, 2025 · 0 Comment

Introduction

Command execution or injection attacks are a type of vulnerability that can compromise the security of web applications. These attacks allow malicious users to execute arbitrary commands on the server, often leading to unauthorized access to sensitive data or system control. In this article, we will demonstrate how command execution and injection work using the DVWA (Damn Vulnerable Web Application) hosted on a Metasploitable2 virtual machine. We will focus on how attackers can exploit these vulnerabilities in a low-security environment to execute system commands, bypass security controls, and gain access to sensitive files.

What is Command Execution/Injection?

Command execution or injection occurs when an attacker is able to insert or inject commands into a vulnerable web application form or input field. These commands are then executed by the server, allowing the attacker to execute arbitrary system-level operations. This is a significant security risk, as it can lead to the disclosure of sensitive information, system manipulation, or even full server control.

In the context of DVWA, a vulnerable web application intentionally designed for security testing, attackers can experiment with command injection techniques to understand and exploit such weaknesses. By manipulating inputs in forms, attackers can run arbitrary commands on the server and interact with the operating system as if they were the system administrator.

Setting Up the DVWA Environment

For this demonstration, we are using Metasploitable2, a vulnerable virtual machine containing several intentionally insecure applications for penetration testing practice. We access the DVWA application hosted on this machine through a web browser. Once logged into the DVWA interface, we set the security level to “Low” to ensure that no significant validation or filtering mechanisms are in place.

The target application in this scenario is a simple form that allows users to input an IP address and submit it to ping the provided IP. At the low-security level, there is little to no input validation or sanitization, which opens up the possibility for command execution and injection attacks.

Executing Commands with a Vulnerable Form

In this particular DVWA lab, the form is designed to perform a ping on a specified IP address. The attacker can input the IP address “127.0.0.1” (the local loopback address) into the form’s text box and click on the submit button. By default, this will send a ping request to the specified IP address.

How-Command-Execution-Injection-Attacks-Work-1

However, due to the lack of input validation in the form, the attacker can inject arbitrary commands. In this case, we can take advantage of the semicolon (;) operator to separate the ping command from additional commands that we want to execute.

For example, when we input the following payload in the text box:

127.0.0.1; whoami

How-Command-Execution-Injection-Attacks-Work-2

The server will execute the ping command followed by the whoami command. The whoami command reveals the identity of the currently logged-in user. By exploiting this, the attacker can gain insight into the user privileges on the server.

Using Different Command Separators

While the semicolon (;) is a commonly used command separator, it is often filtered or blocked by application owners who implement basic security controls. In such cases, attackers can try using alternative command separators, such as && or | (pipe), to execute multiple commands in one go.

Let’s look at some variations of command injection payloads:

  • Using && (AND Operator)
    The && operator ensures that only if the first command (ping) is successful, the next command will execute. This is useful when trying to chain multiple commands. For example:
127.0.0.1&&pwd

How-Command-Execution-Injection-Attacks-Work-3

Here, after the ping command, the pwd (print working directory) command will be executed. This provides information about the current directory of the server, potentially exposing the file structure.

  • Using | (Pipe Operator)
    Another option is using the pipe operator |, which allows the output of one command to be sent as input to another. For example:
127.0.0.1|whoami

How-Command-Execution-Injection-Attacks-Work-4

This command executes the whoami command after the ping, giving the attacker information about the server’s user privileges. Similarly, running:

127.0.0.1|pwd

How-Command-Execution-Injection-Attacks-Work-5

would display the working directory path of the system.

Exploring Sensitive Files with Command Injection

One of the more critical risks of command injection is the potential exposure of sensitive files. If the attacker successfully executes the injection payload, they can use commands like cat /etc/passwd to reveal user account information stored in the system’s password file.

For example:

127.0.0.1;cat /etc/passwd

How-Command-Execution-Injection-Attacks-Work-6

This command would execute the cat /etc/passwd command, revealing the contents of the /etc/passwd file, which contains sensitive information about users, including usernames and hashed passwords.

Bypassing Basic Security Filters

In a more secure environment, input validation measures may block characters like ;, &&, and |, which are typically used in command injection attacks. However, attackers often find ways to bypass such filters by using alternative characters or encoding techniques.

For example, by using URL encoding or Unicode encoding, an attacker may be able to disguise the malicious input and execute commands without being detected. Furthermore, some filters may only block specific patterns, leaving room for other separators or techniques to work.

Conclusion

Command execution and injection vulnerabilities pose a significant security risk to web applications. In our demonstration with DVWA, we observed how an attacker could manipulate input fields to execute arbitrary system commands on the server. This could lead to the exposure of sensitive information or even full control of the system.

To prevent such attacks, developers should implement rigorous input validation and sanitization, ensuring that only valid data is processed by the server. Using prepared statements, parameterized queries, and limiting the execution of system commands within the web application are critical practices for mitigating command injection risks.

By understanding the techniques behind command injection, organizations can better secure their applications and safeguard sensitive data from malicious actors.

Related Posts

Understanding XSS Attacks: Types, Demos & Prevention

Web App Security By · April 11, 2025 · 0 Comment
Cross-Site Scripting (XSS) is one of the most common vulnerabilities that web applications face today. XSS attacks occur when an attacker injects malicious scripts into web pages viewed by others, which can lead to significant security risks such as data... Read more

Understanding Local File Inclusion (LFI) in Web Apps

Web App Security By · March 28, 2025 · 0 Comment
Local File Inclusion (LFI) vulnerabilities are a significant security risk in web applications that fail to properly validate user-supplied input, allowing attackers to include files from the local system. These vulnerabilities can lead to severe security breaches, such as unauthorized... Read more

Understanding File Upload Vulnerabilities in Web Applications

Web App Security By · March 26, 2025 · 0 Comment
Understanding-File-Upload-Vulnerabilities-in-Web-Applications-h
File upload functionality in web applications is a critical feature but can pose significant security risks if not properly implemented. One common vulnerability found in web applications is the file upload vulnerability, which attackers can exploit to gain unauthorized access,... Read more

How to Configure Burp Proxy and Browser for Security Testing

Web App Security By · March 19, 2025 · 0 Comment
Burp Suite is an essential tool for security professionals and ethical hackers, allowing them to intercept and analyze web traffic between a browser and a web server. One of its key features is the Burp Proxy, which intercepts HTTP(S) traffic... Read more

Burp Suite: Web Application Security Testing Tool

Web App Security By · March 12, 2025 · 1 Comment
Burp-Suite-Web-Application-Security-Testing-Tool
In today’s digital era, ensuring the security of web applications is more critical than ever. Cybersecurity threats like SQL Injection, Cross-Site Scripting (XSS), and other vulnerabilities pose significant risks to businesses and their users. One of the most effective tools... Read more

Common Sensitive Files Exposed in Web Apps

Web App Security By · March 10, 2025 · 2 Comments
Common-Sensitive-Files-Exposed-in-Web-Apps
In the world of web development and security, it is crucial to ensure that sensitive files are properly secured. Exposing sensitive files can significantly increase the vulnerability of your web application and provide attackers with valuable insights into the infrastructure,... Read more

Best Practices for Secure File Uploads in Web Apps

Web App Security By · March 10, 2025 · 0 Comment
Best-Practices-for-Secure-File-Uploads-in-Web-Apps-home
In modern web applications, file uploads are a fundamental feature, enabling users to share data such as images, documents, and videos. However, allowing file uploads also introduces significant security risks, as attackers can exploit vulnerabilities to execute malicious code, access... Read more

Uniscan : Web Vulnerability Scanner on Kali Linux

Web App Security By · March 4, 2025 · 0 Comment
uniscan
Uniscan is a powerful tool that helps users discover potential vulnerabilities in their websites, providing them with actionable insights to strengthen their security.In this article, we will take a detailed look at Uniscan, how it works, and how you can... Read more

Understanding HTTP Status Codes: A Comprehensive Guide

Web App Security By · February 3, 2025 · 0 Comment
Understanding-HTTP-Status-Codes-A-Comprehensive-Guide
In the world of web development, one of the most crucial components of a seamless user experience is the communication between servers and clients. This communication is facilitated by HTTP (Hypertext Transfer Protocol) status codes, which are numerical responses sent... Read more

Wapiti: Web Application Vulnerability Scanner for Kali Linux

Web App Security By · January 27, 2025 · 0 Comment
Wapit-Web-Application-Vulnerability-Scanner
In today’s digital world, security is paramount, especially when it comes to web applications. With the growing number of cyber threats, it’s essential to have reliable tools that help detect vulnerabilities and ensure your web application is secure. One such... Read more