❑ Command injection (= Shell injection): A code injection attack that misuses the system by inserting shell commands.
* Generally, features of shell script syntax are injected into vulnerable functions.
❑ Related vulnerable functions: Functions that can execute shell commands.
| Language | Function |
| C | system(), exec*() |
| Java | system.* |
| Perl | open(), sysopen(), system(), glob() |
| PHP | exec(), system(), passthru(), popen(), require(), include(), eval(), preg_replace() |
❑ How to inject: Use features of shell script syntax so that commands are executed by the vulnerable functions.
| Characteristic | Input way | Effect |
| Sequential execution | cmd1;cmd2 | Run cmd2 after running cmd1. |
| Pipeline | cmd1\|cmd2 | Insert cmd1's result into cmd2's input. |
| Command substitution | cmd1 `cmd2`, cmd1 $(cmd2) | Use cmd2's result as cmd1's argument. |
| AND list | cmd1&&cmd2 | If cmd1 runs successfully, cmd2 runs. |
| OR list | cmd1\|\|cmd2 | If cmd1 ends in failure, cmd2 runs. |
| Redirection | cmd1>~/.bashrc | Overwrite ~/.bashrc with cmd1's result. |
| Redirection | cmd1<~/.bashrc | Insert ~/.bashrc's contents into cmd1's input. |
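The shell features in the table above only take effect when the input is parsed by a shell. The following added example (not code from the original page) passes the same constructed inputs to `system()` and to a direct `execlp()` call and checks whether each input stayed plain data. The function names are hypothetical, and a POSIX system with `echo` on the PATH is assumed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable: input is pasted into a string that /bin/sh parses. */
static void run_with_shell(const char *input) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "echo %s", input);
    if (system(cmd) == -1) perror("system");
}

/* Hardened: no shell; input reaches echo as exactly one argv element. */
static void run_with_exec(const char *input) {
    pid_t pid = fork();
    if (pid == 0) {
        execlp("echo", "echo", input, (char *)NULL);
        _exit(127);                     /* only reached if exec failed */
    }
    if (pid > 0) waitpid(pid, NULL, 0);
}

/* Run fn(input) with stdout redirected to a temp file. Returns 1 if the
   output is exactly input + "\n" (input stayed data), 0 otherwise. */
static int echoed_verbatim(void (*fn)(const char *), const char *input) {
    char path[] = "/tmp/cmdinj_demo_XXXXXX", out[512] = {0}, want[512];
    int fd = mkstemp(path), saved;
    if (fd < 0) return -1;
    fflush(stdout);
    saved = dup(STDOUT_FILENO);
    dup2(fd, STDOUT_FILENO);
    fn(input);
    dup2(saved, STDOUT_FILENO);
    close(saved);
    lseek(fd, 0, SEEK_SET);
    if (read(fd, out, sizeof out - 1) < 0) out[0] = '\0';
    close(fd);
    unlink(path);
    snprintf(want, sizeof want, "%s\n", input);
    return strcmp(out, want) == 0;
}

int main(void) {
    /* Constructed sample inputs, one per harmless shell feature. */
    const char *s[] = { "a;echo B", "a|cat", "`echo B`", "$(echo B)", "a&&echo B" };
    for (size_t i = 0; i < sizeof s / sizeof *s; i++)
        printf("%-10s system()=%d execlp()=%d\n", s[i],
               echoed_verbatim(run_with_shell, s[i]), echoed_verbatim(run_with_exec, s[i]));
    return 0;
}
```

`execlp()` keeps the input as data here only because the program it starts is not a shell and the input is never used as the program name.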