Command injection is the abuse of an application's behaviour to execute commands on the operating system. The web server processes the injected input and executes the resulting command under the privileges and access controls of the user account that runs the application.
Command injection is also often known as Remote Code Execution because of the ability to remotely execute code within an application. These vulnerabilities are often the most lucrative to an attacker because they allow direct interaction with the system: reading files, data, etc.
The content of songtitle.txt would typically be kept in the DB.
Applications that build system commands from user input can often be coerced into unintended behaviour, e.g. with the shell operators ;, & and && we can chain several system commands so that the shell executes all of them.
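As an added illustration (not code from the original notes), a hypothetical Python handler for the song-title lookup mentioned above: the shell-string defect beside a hardened allow-list version, plus a detector for the operators listed. The songs/<title>.txt layout and all function names are assumptions.

```python
import re
import subprocess
from pathlib import Path

# Constructed layout: one songs/<title>.txt file per song (assumption).
SONG_DIR = Path("songs")
SAFE_TITLE = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Operators from the notes (; & &&) plus redirection/substitution characters.
SHELL_OPERATORS = (";", "&", "|", ">", "<", "`", "$(", "\n")


def vulnerable_command(title: str) -> str:
    """Shell string a naive handler would run with shell=True.

    The title is concatenated verbatim, so "x; sleep 5" makes /bin/sh run
    "cat songs/x" and then "sleep 5.txt" as two separate commands.
    """
    return f"cat {SONG_DIR.as_posix()}/{title}.txt"


def run_vulnerable(title: str) -> str:
    # shell=True is the defect: the whole string is parsed by the shell.
    result = subprocess.run(vulnerable_command(title), shell=True,
                            capture_output=True, text=True)
    return result.stdout


def looks_like_injection(value: str) -> bool:
    """Detection-side check: does the input carry any shell operator?"""
    return any(op in value for op in SHELL_OPERATORS)


def safe_command(title: str) -> list:
    """Hardened: allow-list the title, then build an argv list so no shell
    ever parses it. Raises ValueError for anything outside the allow-list."""
    if not SAFE_TITLE.fullmatch(title):
        raise ValueError("song title rejected by allow-list")
    return ["cat", (SONG_DIR / f"{title}.txt").as_posix()]


def run_safe(title: str) -> str:
    # shell=False (the default): argv goes straight to exec, operators are literal.
    result = subprocess.run(safe_command(title), capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    probe = "x; sleep 5"                 # constructed blind-injection style probe
    print(vulnerable_command(probe))     # cat songs/x; sleep 5.txt
    print(looks_like_injection(probe))   # True
    try:
        safe_command(probe)
    except ValueError as exc:
        print("blocked:", exc)
```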
Command injection can be detected in one of two ways:
Blind command injection - there is no direct output from the application when testing payloads; we need to investigate the application's behaviour to determine whether the payload was successful.
Verbose command injection - we get direct feedback from the application once we test a payload, e.g. when testing with the whoami command.
Blind command injection is when command injection occurs; however, there is no output visible, so it is not immediately noticeable.
For this type of command injection, we may need to use payloads that cause a time delay. For example, the ping and sleep commands are useful payloads to test with. Using ping as an example, the application will hang for a number of seconds proportional to how many pings you have specified.
Another method of detecting blind command injection is by forcing some output. This can be done by using redirection operators such as >, e.g., we can tell the web application to execute commands such as whoami and redirect that to a file. We can then use a command such as cat to read this newly created file’s contents.
The curl command is a great way to test for Command Injection, because we are able to use it to deliver data to and from an application in the payload:
Verbose command injection is when the application gives you feedback or output as to what is happening or being executed, e.g., the output of commands such as ping or whoami is directly displayed on the web application.
ls - we may be able to find files such as configuration files, environment files (tokens and application keys), and many more valuable things.
ping - it will cause the application to hang
sleep - it will cause the application to hang; useful if the machine does not have ping installed.
nc - netcat can be used to spawn a reverse shell onto the vulnerable application. You can use this foothold to navigate around the target machine for other services, files, or potential means of escalating privileges