SecurityInfinity
Critical severity | CWE-78 | OWASP A03:2021

Command Injection

OS Command Injection allows attackers to execute arbitrary operating system commands on the server. It occurs when an application builds a shell command from untrusted user input, so the attacker can append commands of their own; the usual outcome is complete server compromise.

CVSS Score: 9.8
Payloads: 30+
Impact: RCE
Risk Level: Critical

Payload Database

Simple command injection payloads for initial testing

Semicolon separator:    ; ls -la
Pipe output:            | cat /etc/passwd
Background execution:   & whoami
Backtick substitution:  `id`
Command substitution:   $(whoami)
OR operator:            || ls
AND operator:           && id
Time-based detection:   ; sleep 10

Vulnerable Code Example

VULNERABLE CODE - DO NOT USE

// PHP - Vulnerable to Command Injection: user input is concatenated into a shell command
$ip = $_GET['ip'];
$output = shell_exec("ping -c 4 " . $ip);
echo $output;

# Python - Vulnerable: os.popen() hands the formatted string to a shell
import os
from flask import request  # assumes a Flask request context
ip = request.args.get('ip')
output = os.popen(f"ping -c 4 {ip}").read()

// Node.js - Vulnerable: exec() runs the template string through a shell
const { exec } = require('child_process');
const ip = req.query.ip;  // assumes an Express request handler (req, res)
exec(`ping -c 4 ${ip}`, (err, stdout) => {
    res.send(stdout);
});

Secure Code Example

SECURE CODE - USE PARAMETERIZED COMMANDS

// PHP - Validate first, then quote the argument with escapeshellarg()
$ip = $_GET['ip'];
// Allowlist check: only a literal IP address gets as far as the shell
if (filter_var($ip, FILTER_VALIDATE_IP)) {
    $output = shell_exec("ping -c 4 " . escapeshellarg($ip));
    echo $output;
}

# Python - Use subprocess with a list of arguments (no shell is involved)
import ipaddress
import subprocess
from flask import request  # assumes a Flask request context

def is_valid_ip(value):
    # Custom validation, implemented here with the standard ipaddress module
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

ip = request.args.get('ip', '')
if is_valid_ip(ip):
    result = subprocess.run(['ping', '-c', '4', ip], capture_output=True)
    output = result.stdout.decode()

// Node.js - Use execFile with an arguments array (no shell is involved)
const { execFile } = require('child_process');
const net = require('net');
const ip = req.query.ip;  // assumes an Express request handler (req, res)
// Custom validation, implemented here with net.isIP (returns 0 for non-addresses)
const isValidIP = (value) => typeof value === 'string' && net.isIP(value) !== 0;
if (isValidIP(ip)) {
    execFile('ping', ['-c', '4', ip], (err, stdout) => {
        res.send(stdout);
    });
}

Prevention Checklist

Avoid system commands when possible - use libraries
Validate and sanitize all user input
Use allowlists for acceptable characters
Escape shell metacharacters properly
Use parameterized commands (subprocess arrays)
Run applications with minimal privileges
Implement proper input length restrictions
Use containerization and sandboxing
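The Python version of the secure pattern above, carried through the checklist items (allowlist validation, argument arrays, no shell, a timeout), plus a metacharacter check that a detection rule can log. This is an added example, not code from the original page; the function names are mine, and the inputs in the demo are constructed from the payload list.

```python
from __future__ import annotations

import ipaddress
import re
import subprocess

# Metacharacters the payload list above depends on. Used only to alert/log;
# the real control is the allowlist in validate_ip(), not this denylist.
SHELL_META = re.compile(r"[;|&`$(){}<>\n\r]")


def suspicious_metacharacters(value: str) -> list[str]:
    """Return the distinct shell metacharacters found in a request parameter."""
    return sorted(set(SHELL_META.findall(value)))


def validate_ip(value: str) -> str:
    """Allowlist check: accept only a literal IPv4/IPv6 address and return its
    canonical form. Hostnames, trailing payloads and option-like strings raise ValueError."""
    return str(ipaddress.ip_address(value.strip()))


def is_valid_ip(value: str) -> bool:
    try:
        validate_ip(value)
        return True
    except ValueError:
        return False


def build_ping_argv(value: str, count: int = 4) -> list[str]:
    """Build the argv list for ping. No shell parses it, so the address is always one
    argument; validation also guarantees it cannot begin with '-' and be read as an option."""
    return ["ping", "-c", str(count), validate_ip(value)]


def run_ping(value: str, timeout: float = 15.0) -> str:
    """Run ping without a shell (shell=False is the default) and with a hard timeout,
    so a stuck ping cannot tie up the worker that called it."""
    result = subprocess.run(build_ping_argv(value), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs: one legitimate address and three payloads from the list above.
    for candidate in ["10.0.0.1", "127.0.0.1; ls -la", "$(whoami)", "| cat /etc/passwd"]:
        meta = suspicious_metacharacters(candidate)
        print(f"{candidate!r:24} valid={is_valid_ip(candidate)!s:5} metacharacters={meta}")
```

Only run_ping() touches the system; the demo at the bottom exercises the validator and the detector without spawning anything.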

Related Resources

OWASP Command Injection
PortSwigger Academy
HackTricks OS Commands
© 2026 SecurityInfinity. All rights reserved.