Command Injection | DVWA Writeups

Bishal Ray -#GxbNt
5 min read · Dec 13, 2023


Command injection is a security vulnerability where an attacker tricks an application into running unauthorized commands on its underlying system. Imagine an application that lets you search for files. By cleverly crafting a search query, an attacker could inject malicious commands alongside the search terms. The application, unaware of the trickery, would then execute those commands, potentially granting the attacker access to sensitive data or even control over the system. It’s like sneaking a toolset into a search box, allowing you to manipulate the system from within.

Security Level: low

127.0.0.1;id

When we enter "127.0.0.1; id", the application first pings 127.0.0.1 and then executes the id command. After the shell has run "127.0.0.1", it treats whatever follows the ";" as the next command and runs id. In Unix/Linux, ";" separates commands, so several commands can be placed on one line.

Let’s check the source code...

We can see that the code does not check whether $target is actually an IP address, and there is no filtering of special characters. We can enter a random integer or any other characters instead of an IP address, because the system does not validate user input at all (1). We can use any shell operator (meta-character) to trick the shell into executing arbitrary commands (2).

Security Level: Medium

1 & cat /etc/passwd

After the shell executes "1&", it goes on to execute cat /etc/passwd: the "&" tells the shell that the command before it runs in the background and that another command follows, so the next command it executes is cat /etc/passwd.

Let’s check the source code...

From the source code above, we can still enter a random integer or any other characters instead of an IP address; the system does not validate user input, so we can enter anything (1). There are two strings that the system substitutes, "&&" and ";": when we enter one of them, the substitution function replaces it with an empty string from the substitution array (2). We can use any other operator (meta-character) to trick the shell into executing arbitrary commands (3).

Security Level: Hard

1 || cat /etc/passwd

After the shell executes "1|", it goes on to execute cat /etc/passwd: the "|" tells the shell that the output of the command before it is piped into another command, so the next command it executes is cat /etc/passwd.

Let’s check the source code...

From the source code above, we can still enter a random integer or any other characters instead of an IP address, because the system does not validate user input, so you can enter anything. The admin also uses a trim function, so any extra whitespace at the start and at the end of the input is removed (1). There are several characters that the system substitutes, so when you enter one of them the substitution function replaces it with an empty string from the substitution array (2). You can only use two operators (meta-characters) to trick the shell into executing arbitrary commands: in this case, "|" without any space after it, because the system replaces "| " if you add a space, and also "||" (3).

The operator is already filtered, so why does it still work?

When you enter "1|| cat /etc/passwd", the additional "| " (pipe followed by a space) is replaced with an empty string from the substitution array, and the final payload looks like this: "1|cat /etc/passwd".

Securing The Code

If we want to improve the security of this command injection code, two key measures should be implemented:

Escaping Shell Arguments

At every difficulty level, the source code calls the PHP function shell_exec() without ever using escapeshellarg(), even at the levels that look hard.

Even the Impossible source code keeps using shell_exec() without escapeshellarg(), which is a potential weakness because certain meta-characters are not escaped before the value is passed to the shell.

With escapeshellarg(), every meta-character in the string is escaped and the string is wrapped in quotes, so it can be passed directly to the shell and will be treated as a single, safe argument.

Validate user input

Looking at the source code at each difficulty level, the primary purpose of the code is to ping a given IP address. However, the Low, Medium and High levels do not validate user input, so users are free to enter arbitrary values (characters, or anything other than the required IP address format). To address this, user input validation must be implemented: if a user enters anything other than a valid IP address, the system should reject the request and show an error message such as "You have entered an invalid IP." By validating user input, the system effectively sanitizes it and prevents malicious input.
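As an added example that is not part of the original post or of DVWA's own code, the PHP script below models the blacklist substitution described for the Medium and High levels and contrasts it with the two measures above: allowlist validation of the IP address with filter_var() and quoting with escapeshellarg(). The substitution tables are reconstructed from the description in this post and are an assumption, not DVWA's exact tables; the function names and the "ping -c 4" command are the example's own. The inputs are the ones quoted in the post, and nothing is executed: the script only shows what each layer would hand to the shell.

```php
<?php
// Added example (not DVWA's code): compares the blacklist-style
// substitution described in the post with allowlist validation
// plus escapeshellarg(). Run with: php command_injection_demo.php

// Substitution tables reconstructed from the post's description
// (assumption: DVWA's real tables may differ in order and contents).
const MEDIUM_BLACKLIST = ['&&' => '', ';' => ''];
const HIGH_BLACKLIST   = ['| ' => '', '||' => '', '&' => '', ';' => ''];

// Blacklist filtering as the post describes it: trim the input, then
// replace each listed token with an empty string, in table order.
function blacklist_filter(string $target, array $table): string
{
    $target = trim($target);
    return str_replace(array_keys($table), array_values($table), $target);
}

// Allowlist validation: accept only a syntactically valid IPv4 address.
function is_valid_ipv4(string $target): bool
{
    return filter_var(trim($target), FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
}

// Build the ping command the way a hardened handler should: reject
// anything that is not an IPv4 address, then quote the surviving value
// with escapeshellarg() so the shell sees exactly one argument.
function build_ping_command(string $target): ?string
{
    if (!is_valid_ipv4($target)) {
        return null; // caller reports "You have entered an invalid IP."
    }
    return 'ping -c 4 ' . escapeshellarg(trim($target));
}

// Inputs quoted in the post (constructed demo data; nothing is run).
$inputs = [
    '127.0.0.1',
    '127.0.0.1;id',
    '1 & cat /etc/passwd',
    '1 || cat /etc/passwd',
];

foreach ($inputs as $input) {
    printf("input:            %s\n", $input);
    printf("  medium filter:  %s\n", blacklist_filter($input, MEDIUM_BLACKLIST));
    printf("  high filter:    %s\n", blacklist_filter($input, HIGH_BLACKLIST));
    printf("  escapeshellarg: %s\n", escapeshellarg($input));
    printf("  hardened cmd:   %s\n\n", build_ping_command($input) ?? 'rejected (invalid IP)');
}
```

Running the script shows the difference between the two approaches: the reconstructed blacklists strip "&&", ";" and "| " but leave a lone "|" in the High-level output, while escapeshellarg() turns each of the post's inputs into one quoted argument and build_ping_command() refuses everything except 127.0.0.1. escapeshellarg() quotes for the current platform (single quotes on Linux, double quotes on Windows), so the exact quoting differs between systems, which is one more reason to validate first and quote second rather than rely on quoting alone.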
