M_05/ A03:2021 — Injection
OS Command Injection
A diagnostic 'ping' tool runs your input through a shell string. Any metacharacter the shell understands (; | && $() ``) opens a second command channel.
Vulnerable Node handler
const { exec, execFile } = require('child_process');

// Vulnerable: the user-controlled `host` is interpolated into one string that
// exec() hands to /bin/sh -c, so the shell re-parses it. execFile is imported
// but not used here; it is the API that would avoid the shell entirely.
function pingHandler(host, cb) {
  exec(`ping -c 4 ${host}`, cb);
}
What the shell receives
/bin/sh -c "ping -c 4 8.8.8.8; whoami"
Process tree
/bin/sh -c "ping -c 4 8.8.8.8; whoami"
├─ ping 8.8.8.8
└─ whoami
Final execution output
PING simulated: 64 bytes from 8.8.8.8
www-data
What just happened
The string is handed to /bin/sh -c. The shell tokenizes ; as a command separator and runs whatever follows with the same privileges as the web process.
Logical flow
- 01 User input is concatenated into a shell command string.
- 02 Web process spawns /bin/sh -c '<string>'.
- 03 Shell tokenizes the string — ; && || | ` $() are separators.
- 04 Any commands after the separator run with the web user's UID.
- 05 Combined with sudo or a misconfigured container → full RCE.
Risk: Critical
OWASP: A03
Metachars present
Shell re-parses input
Subshell ` ` or $( )
↳ What the developer intended
Run ping against the user-supplied host. Return the ping output.
↳ What the runtime actually executes
Run /bin/sh -c with the input glued into the command string. Any shell metacharacter in that input opens a second command channel.