Command Injection Vulnerabilities and Protection
1. Vulnerability Description
Command Injection is a security vulnerability in which an attacker gets the operating system to execute commands of their choosing by passing them through an application. When an application does not strictly validate user input and concatenates that input directly into a system command line, the shell parses the input for special characters (such as ;, |, &, or $()), and an attacker can use them to append arbitrary commands that run with the privileges of the application, which is usually enough to take control of the server.
2. Vulnerability Scenarios
- Example Scenario: A network device management page provides a "ping test" function. After the user enters an IP address, the backend executes the command ping <user input>.
- Dangerous Operation: If the user inputs 8.8.8.8; cat /etc/passwd, the concatenated command becomes:
  ping 8.8.8.8; cat /etc/passwd
  The shell treats ; as a command separator, so it first executes ping and then executes cat /etc/passwd, leaking a sensitive file.
3. Vulnerability Principle Analysis
- Root Cause: User input is passed to the system shell (e.g., Bash, cmd.exe) as part of the command line rather than as data, so the shell interprets any metacharacters it contains.
- Key Issues:
  - The application directly calls system command execution functions (e.g., PHP's system(), Python's os.system()), which hand a single string to a shell.
  - Command separators and other shell metacharacters in the input are neither escaped nor filtered.
4. Attack Techniques Examples
Assuming the backend code is (PHP, deliberately vulnerable):
  <?php
  $ip = $_POST['ip'];
  system("ping -c 4 " . $ip); // Directly concatenates input into the shell command line
Attackers might input:
- 8.8.8.8 && rm -rf / (deletes files: the second command runs once ping succeeds)
- 127.0.0.1 | whoami (pipes into a further command, which also executes)
- $(cat /etc/shadow) (command substitution: the inner command runs and its output is spliced into the command line)
5. Protection Measures
Principle: Never trust user input; avoid direct command concatenation.
- Measure 1: Input Whitelist Validation
  - Only allow input in specific formats (e.g., IP addresses, domain names).
  - Example: Use the regular expression ^[0-9.]{7,15}$ to ensure the input contains only digits and dots. Note that this pattern keeps out shell metacharacters but does not check IP syntax (it accepts 1.2.3.4.5 or ........), so pair it with a real IP parser such as filter_var($ip, FILTER_VALIDATE_IP).
- Measure 2: Use Secure APIs Instead of Command Concatenation
  - Example: After validating the IP with PHP's filter_var($ip, FILTER_VALIDATE_IP), call a network library directly instead of spawning a system command. If an external program is unavoidable, pass the input as a separate argument (an argv array) rather than as part of a shell command line.
- Measure 3: Escape or Filter Dangerous Characters
  - Escape characters such as ;, |, & in the input, e.g., with escapeshellarg(), which wraps the value in single quotes so the shell passes it through as a single argument.
  - Example:
    $ip = escapeshellarg($_POST['ip']);
    system("ping -c 4 " . $ip); // Input is wrapped in single quotes and passed to ping as one argument
  - Caveat: escapeshellarg() stops the shell from interpreting the value, but the value still reaches ping as an argument, and a value beginning with - can still be parsed by ping as an option. Treat escaping as a second layer behind validation, not as a replacement for it.
- Measure 4: Principle of Least Privilege
  - The operating system account running the application should have restricted permissions (e.g., no read/write access to sensitive directories), so that a successful injection is limited in what it can do.
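The attack from section 4 and Measures 1 to 3 from section 5, side by side, as an added example written for this page (not code from the original). It is in Python, which the page names alongside PHP; echo stands in for ping -c 4 so the code runs offline and the effect of an injected command is visible in the captured output. The payload string is constructed, and the function names are this example's own. shlex.quote() plays the role of escapeshellarg(), and ipaddress.ip_address() the role of filter_var($ip, FILTER_VALIDATE_IP).

```python
import ipaddress
import re
import shlex
import subprocess

# "echo pinging" stands in for "ping -c 4" so the example runs offline and the
# effect of an injected command shows up in the captured output.
BASE_CMD = "echo pinging"


def run_vulnerable(user_input: str) -> str:
    """Vulnerable: input concatenated into a shell command line, like the PHP
    system("ping -c 4 " . $ip). The shell parses ; | && $() inside the input."""
    proc = subprocess.run(BASE_CMD + " " + user_input, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


# Measure 1: the page's whitelist regex. It keeps out shell metacharacters but
# does not actually check IP syntax.
LOOSE_IP_RE = re.compile(r"^[0-9.]{7,15}$")


def is_ip_loose(s: str) -> bool:
    return LOOSE_IP_RE.fullmatch(s) is not None


def is_ip_strict(s: str) -> bool:
    """Python counterpart of filter_var($ip, FILTER_VALIDATE_IP): a real parser
    that accepts IPv4/IPv6 and rejects everything else, including option-like
    values such as "-c 1000"."""
    try:
        ipaddress.ip_address(s)
    except ValueError:
        return False
    return True


def run_hardened(user_input: str) -> str:
    """Measures 1 + 2: validate, then pass the value as its own argv element
    with no shell involved, so it can only ever be data."""
    if not is_ip_strict(user_input):
        raise ValueError(f"rejected input: {user_input!r}")
    proc = subprocess.run(["echo", "pinging", user_input],
                          capture_output=True, text=True)
    return proc.stdout


def run_escaped(user_input: str) -> str:
    """Measure 3: shlex.quote() is the Python counterpart of escapeshellarg().
    A shell is still invoked, but the quoted value arrives as one argument."""
    proc = subprocess.run(BASE_CMD + " " + shlex.quote(user_input), shell=True,
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    payload = "8.8.8.8; echo INJECTED"   # constructed attacker input
    print("vulnerable:", repr(run_vulnerable(payload)))  # second command ran
    print("escaped:   ", repr(run_escaped(payload)))     # one literal argument
    try:
        run_hardened(payload)
    except ValueError as e:
        print("hardened:  ", e)
    print("loose regex accepts '1.2.3.4.5':", is_ip_loose("1.2.3.4.5"))
    print("strict parser accepts '1.2.3.4.5':", is_ip_strict("1.2.3.4.5"))
```

Running it shows the three behaviours the page describes: the vulnerable path prints a second line produced by the injected echo, the escaped path prints the whole payload as a single literal argument, and the hardened path refuses the payload before any process is started. The argv-list form in run_hardened is the reason the validation matters less for shell metacharacters and more for option injection: with no shell in the picture, ; and $() are inert, but a value like -c 1000 would still reach the program as an argument unless the parser rejects it.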
6. Advanced Protection: Defense in Depth
- Deploy a WAF (Web Application Firewall) to detect suspicious command patterns.
- Harden the server and restrict the execution environment for system commands (e.g., using container isolation).
Summary
Command injection vulnerabilities are extremely harmful. The core of protection is separating user input from commands, ensuring that input is treated only as data, not executable code, through whitelisting, escaping, or using secure APIs.