Command injection is a vuln that allows you to submit sys commands to a computer running a website. This happens when the app fails to encode user input that goes to a system shell. This vuln is common when the developer uses the system() command or the same in the lang of its app.
domain = user_input() #Input: hackingarise.com
os.system(‘ping” + domain)
This is would ping the hackingarise website as the user has inputted it but what happens if they put in something else to return different data? Say they put in “; ls” without quotes ofc, then the command before the semicolon(ping) would be terminated and forced to run ‘ls’
What is the use of this?
Well command injection can be a good way to use privilege escalation with web apps and apps that use system commands. Many home routers are vuln to this as they commit user input directly to a system command.
Some Command Injection Payloads
These payloads can be basically anything that helps you gain a shell, user, root, admin etc. Or any command you may want to try!
Thanks for reading my post and be sure to check out more on the site! See ya next time!