What is a Command Injection?
Introduction
Command injection is a common hacking technique used to execute commands directly on a web server’s operating system. This technique allows an attacker to take full control of the operating system and use it for malicious purposes.
The attack occurs when attackers manage to insert malicious commands into form fields or other user inputs in the web application. If developers have not properly filtered and validated these inputs, the attacker can exploit this vulnerability to execute commands on the server’s operating system.
What is Command Injection?
Example of Command Injection
Suppose a website has a form that allows users to check if a website is online or offline by entering the URL address in a form field. The server-side code uses the exec() function to execute a system command that checks if the website is online by sending an HTTP request to the submitted URL address. Here is an example of code:
<?php
if(isset($_POST['submit'])){
$url = $_POST['url'];
$command = "curl -I " . $url;
exec($command, $output, $result);
if ($result == 0 && strpos($output[0], '200 OK') !== false) {
echo "The website is online.";
} else {
echo "The website is offline.";
}
}
?>
- In this case, if an attacker submits a malicious command in the URL field, they can execute system commands on the server.
- For example, if the attacker enters the following URL in the form field:
example.com; rm -rf /
The server will execute the command curl -I example.com; rm -rf /, which sends an HTTP request to example.com and deletes all files on the server. This can cause significant damage.
How to Prevent Command Injection
To prevent command injection, developers must follow certain recommended security practices, including:
-
Validate and filter all user inputs, including form fields, cookies, and HTTP headers. Developers can use functions such as
mysqli_real_escape_stringto escape special characters and prepared statements to validate user inputs. -
Use secure coding techniques, such as whitelist-based validation to ensure that user inputs contain only allowed characters. It is also important to limit access to sensitive files on the server and not use obsolete or insecure functions.
-
Regularly perform software updates and security patches to ensure that all known vulnerabilities are fixed.
-
Regularly monitor server activity to detect any suspicious activity or intrusion attempts.
It is important to implement these security practices from the beginning of web application development and maintain them throughout the application’s lifetime.
How to Avoid Command Injection in the Website Check Example
In the website check example presented earlier, the server-side code uses the exec() function to execute the system command that checks if the website is online. However, this function can be used to execute any system command, including malicious commands.
To avoid command injection in this case, developers must validate and filter all user inputs correctly and use secure operating system functions to execute system commands.
To validate and filter user inputs, developers can use functions such as preg_match() to ensure that the submitted URL contains only alphanumeric characters and allowed characters. Developers can also limit the allowed characters for the submitted URL, only allowing valid characters for web addresses.
Furthermore, rather than using the exec() function to execute system commands, developers should use secure operating system functions, such as shell_exec() or proc_open(). These functions allow explicitly specifying the command to execute and properly escaping special characters to avoid command injection.
Finally, it is important to remain vigilant and regularly monitor server activity to detect any suspicious activity or intrusion attempts. If command injection is suspected, it is important to take immediate measures to protect the system and sensitive data.
Patched Code Example
Here is a patched version of the code presented earlier to avoid command injection:
<?php
if(isset($_POST['submit'])){
$url = $_POST['url'];
/* Check if the URL is valid using a regular expression (RegEx) */
if(preg_match('/^[a-zA-Z0-9.\/:]+$/',$url)){
/* Escape special characters */
$url = escapeshellarg($url);
/* Execute the system command "securely" (you never know) */
$command = "curl -I " . $url;
$result = shell_exec($command);
/* Check the remote server response */
if (strpos($result, '200 OK') !== false) {
echo "The website is online.";
} else {
echo "The website is offline.";
}
} else {
echo "Invalid URL.";
}
}
?>
In this patched version, we added URL validation using a regular expression to ensure that the submitted URL contains only alphanumeric characters and allowed characters. We also used the escapeshellarg() function to properly escape special characters and avoid any command injection. Finally, we used the shell_exec() function to execute the system command in a “secure” manner.
By applying these changes, we can avoid command injection in this specific example and ensure the security of users and data on the web server.