A command injection vulnerability allows an attacker to execute arbitrary system commands, which can result in an entire takeover of the web server. Command injection attacks are possible if a web application passes untrusted user input directly to functions like
A command injection vulnerability exists when user-supplied input is not validated correctly by the web application before it reaches a shell. The following snippet shows PHP code which is vulnerable to command injection.
In the case of the vulnerable code above, the attacker could break out of the ping command by adding a semicolon to the input, which the shell treats as a command separator, and then execute other arbitrary system commands. Example input:
; cat /etc/passwd
In order to secure your web application from command injection, validate the user's input against an allowlist of what the task actually needs (for a ping form, a syntactically valid hostname or IP address) and reject anything else. You can also sanitise the user's input by removing characters like ; and other shell metacharacters like &, &&, |, ||, <, but a removal-based blocklist is the weaker control: it only covers the characters you thought of, while an allowlist rejects everything you did not explicitly expect. As defence in depth, quote any value that still has to reach a shell (in PHP, escapeshellarg()) or avoid the shell entirely by passing arguments as an array.
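The vulnerable pattern discussed above next to a hardened version, as an added example that is not the page's own snippet. It assumes a Linux host, a request parameter named host, and ping -c 1 as the command the application wants to run; the function names and the sample inputs are constructed for this example.

```php
<?php
// Added example, not the original page's snippet. Assumes the application
// pings a host supplied in the "host" request parameter on a Linux system.

// Vulnerable pattern: the raw parameter is concatenated into a shell command
// line, so an input such as "; cat /etc/passwd" is run as a second command.
function ping_vulnerable(string $host): string
{
    return (string) shell_exec("ping -c 1 " . $host);
}

// Allowlist check: accept only an IP literal or a plain hostname made of
// letters, digits, hyphens and dots. The first character must be alphanumeric,
// which also prevents a value beginning with "-" from being read as a ping
// option (argument injection) even after it has been quoted.
function is_valid_host(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    if (strlen($host) > 253) {
        return false;
    }
    $label = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return preg_match('/^' . $label . '(\.' . $label . ')*$/', $host) === 1;
}

// Hardened pattern: reject (rather than strip) anything outside the allowlist,
// then quote the value so the shell sees exactly one argument.
function ping_hardened(string $host): string
{
    if (!is_valid_host($host)) {
        throw new InvalidArgumentException('Invalid host');
    }
    // escapeshellarg() is defence in depth: the value arrives as a single
    // single-quoted argument even if the allowlist were later loosened.
    $cmd = 'ping -c 1 ' . escapeshellarg($host);
    return (string) shell_exec($cmd);
}

// Demonstration with constructed inputs (only the validation step runs here;
// in the application you would call ping_hardened($_GET['host'] ?? '')).
$inputs = ['127.0.0.1', 'example.com', '; cat /etc/passwd', 'a.com && id', '-c 100000 a.com'];
foreach ($inputs as $input) {
    printf("%-22s -> %s\n", var_export($input, true), is_valid_host($input) ? 'accepted' : 'rejected');
}
```

The demonstration loop shows the page's own payload, a variant using &&, and a leading-hyphen value all being rejected while a plain IP and hostname pass. Where the command has no need of shell features at all, the stronger option is to skip the shell: from PHP 7.4 onward proc_open() accepts the command as an array of arguments, so no string is ever parsed by /bin/sh and metacharacters lose their meaning entirely.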