Basic Website Hacking - Command Injection

You really can’t get away from websites in this day and age. They’re effectively the first impression people get of a company, business, or product. We’ve come a long way from the basic HTML sites of the past, when the internet for the masses was in its infancy. Everyone has some exposure to websites, regardless of their career field, and developers are building ever more complex sites with custom frameworks and code.

Because of that increasing complexity, websites tend to be prime targets for attackers, largely because of insecure coding practices. Given the workload most developers are under, I can understand that security can slide down the list of priorities when a product has to ship by a certain date. What makes this even more challenging is that developers are often unaware of secure coding practices, as a lot of colleges and code camps don’t really cover them.

One of my favorite vulnerabilities arising from a lack of secure coding practice is command injection. It’s a very straightforward vulnerability in the sense that it lets you run commands on the operating system the website runs on. It’s normally introduced when developers take input from a user and feed it into a part of the website that calls out to the underlying operating system to perform some action. An example would be taking a domain name provided by a user and doing a DNS lookup on it with the nslookup utility that the operating system provides. It’s my favorite kind of vulnerability because of how simple it is and how powerful it can be for attackers.

We’re going to use the DVWA app to demonstrate this. DVWA stands for “Damn Vulnerable Web App”, and it’s used to demonstrate various website vulnerabilities that can be exploited. Let’s take a look at the command injection page provided by DVWA:

A web page that allows you to type in an IP address and ping it

The page lets you type in an IP address; the site then pings it for you and reports whether it’s reachable. I submitted the IP address 127.0.0.1 and got the response shown above. Simple enough. But if you have basic Linux knowledge, you’ll recognise that output as coming straight from the ping utility: the site appears to be passing the IP you gave it to ping on the underlying operating system. If our input reaches the operating system’s shell, we can potentially make the site execute commands it was never intended to run.

Feeding an additional command to the operating system to see if it runs it

Now let’s see whether the website will pass additional input through to the underlying operating system as well. In the screenshot above I’m trying to read the contents of /etc/passwd, the file that lists the operating system’s user accounts (despite its name, a modern Linux system keeps the password hashes elsewhere, in /etc/shadow). Because I know the website is running Linux, I’m using the ‘&&’ operator, which tells the shell “when you’re done successfully running the first command, run this next one as well”. That “successfully” matters: ‘&&’ only runs the second command if ping exits with success, which is why a reachable address such as 127.0.0.1 is a good prefix. If the first command fails, the ‘;’ and ‘|’ separators still run whatever follows them.

The ping output followed by the contents of /etc/passwd

In addition to the output of the ping command, we can also see the contents of /etc/passwd. We have confirmed command injection on the website. The injected commands run under the account the web server runs as, so with this we can establish command and control over the web server and potentially move laterally to other parts of the network.

The fix is to keep untrusted input from ever reaching a shell. Filtering unwanted input on the server side (like the ‘&&’ operator) is the weakest option: a blocklist of shell operators is easy to get wrong, because ‘;’, ‘|’, ‘||’, a newline and ‘$(...)’ each give the shell another way to start a second command. Better is to validate the input against what a legitimate value must look like (an IP address or a hostname), hand the program an argument list rather than a shell string, and run the web server with as little privilege as possible. Better still, find a web library that can do the ping for you. If you can avoid running commands on the operating system at all, definitely do that.
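Here is a worked example of both sides of the story in Python. This is an added example, not DVWA’s own (PHP) code. The vulnerable handler glues the request parameter into a shell string the way the ping page above does; the blocklist “fix” strips ‘&&’ and ‘;’ and is still bypassed with ‘|’; the hardened version validates the input with the standard ipaddress module and calls ping with an argument list, so no shell ever parses the user’s text. The payloads, the `echo INJECTED` marker (standing in for `cat /etc/passwd`) and the exact `ping -c 1 -W 1` command line are all assumptions made for the demo.

```python
import ipaddress
import subprocess

# Constructed demo inputs (not taken from the page). `echo INJECTED` stands in
# for `cat /etc/passwd` so the effect is visible without reading a system file.
BENIGN = "127.0.0.1"
PAYLOAD_AND = "127.0.0.1 && echo INJECTED"   # second command runs only if ping succeeds
PAYLOAD_SEMI = "127.0.0.1; echo INJECTED"    # second command runs regardless
PAYLOAD_PIPE = "127.0.0.1 | echo INJECTED"   # survives a blocklist of '&&' and ';'

# Assumed shape of the command the vulnerable page builds; -W 1 keeps a run
# against an unreachable host from hanging.
PING_PREFIX = "ping -c 1 -W 1 "


def vulnerable_command(target: str) -> str:
    """The bug itself: the request parameter is concatenated into a shell string."""
    return PING_PREFIX + target


def vulnerable_ping(target: str) -> str:
    """shell=True hands the string to /bin/sh, which honours &&, ;, | and friends."""
    result = subprocess.run(vulnerable_command(target), shell=True,
                            capture_output=True, text=True)
    return result.stdout


def denylist_filter(target: str) -> str:
    """A blocklist 'fix' that strips the operators seen in the attack.
    It does not help: the shell has more separators than any such list covers."""
    return target.replace("&&", "").replace(";", "")


def is_ip_address(target: str) -> bool:
    """Allowlist check: accept only a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        return False
    return True


def safe_ping_argv(target: str) -> list[str]:
    """Hardened: validate first, then build an argv list. With no shell involved,
    operator characters in the input are just rejected text, never syntax."""
    if not is_ip_address(target):
        raise ValueError(f"rejected target: {target!r}")
    return ["ping", "-c", "1", "-W", "1", target]


def safe_ping(target: str) -> str:
    """Runs ping without a shell; raises ValueError for anything but an IP address."""
    result = subprocess.run(safe_ping_argv(target), capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    print("vulnerable, ';' payload:", vulnerable_ping(PAYLOAD_SEMI).strip())
    print("blocklisted, '|' payload:",
          vulnerable_ping(denylist_filter(PAYLOAD_PIPE)).strip())
    for candidate in (BENIGN, PAYLOAD_AND):
        try:
            print("hardened argv:", safe_ping_argv(candidate))
        except ValueError as err:
            print("hardened:", err)
```

Running the script shows INJECTED in the output of both the unfiltered and the blocklisted handler, while the hardened handler pings 127.0.0.1 and refuses the payload outright. If the page needs to accept hostnames as well as addresses, extend the allowlist check to a strict hostname grammar (letters, digits, hyphens and dots) rather than loosening it to “anything without ‘&&’ in it”.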

You can practice this (and other hacking techniques) using the SmithSec Cyber Range! Feel free to sign up at https://www.smithsec.net/store/cyberrange-subscription .