Command Injection and its preventation
Linkedin

Command Injection and its preventation

Bhubaneswar : India | Apr 06, 2012 at 3:08 AM PDT
XX XX
Views: Pending
 
Puzzle 1 Pieces

A successful command injection attack gives the attacker complete control of the remote system. When user input is used as part of a system command, an attack may be able to inject system commands into the user input. This can happen in any programming language; however, it is very common in Perl, PHP, and shell based CGI. It is less common in Java, Phython, and C#. Consider the following PHP code snippet:The user sends his or her e-mail address in the email parameter, and that user input is placed directly into a system command. Like SQL injection, the goal of the attacker is to inject a shell command into the email parameter while ensuring that the code before and after the email parameter is syntactically correct. Consider the system() call as a puzzle. The outer puzzle pieces are in place, and the attacker must find a puzzle piece in the middle to finish it off:The puzzle piece needs to ensure that the mail command runs and exits properly. For example, mail –help will run and exit properly. Then the attacker could add additional shell commands by separating the commands with semicolons (;). Dealing with the puzzle piece on the other side is as simple as commenting it out with the shell comment symbol (#). Thus, a useful puzzle piece for the email parameter might be this:Adding this puzzle piece to the puzzle creates the following shell command:This is equivalent to this:This runs mail –help and then downloads attack_program from evil.org and executes it, allowing the attacker to perform arbitrary commands on the vulnerable web site.Preventing Command InjectionPreventing command injection is similar to preventing SQL injection. The developer must escape the user input appropriately before running a command with that input. It may seem like escaping semicolon (;) to backslash-semicolon (\;) would fix the problem. However, the attacker could use double-ampersand (&&) or possibly double-bar (||) instead of the semicolon. The escaping routine is heavily dependent on the shell executing the command. So developers should use an escape routine for the shell command rather than creating their own routine.

1 of 18
Next
Puzzle Pieces
Puzzle Pieces
From: Johnath
Protogenist is based in Bhubaneswar, Orissa, India, and is a Reporter for Allvoices.
Report Credibility
 
  • Clear
  • Share:
  • Share
  • Clear
  • Clear
  • Clear
  • Clear
 
 
 
Advertisement
 

News Stories

 
  • Check your Mac for Flashback Trojan

    How to find out if your Mac has the Flashback Trojan Even if you don't find Flashback Trojan on your Mac, make sure you install the latest Apple security update for Java. ( Mashable ) -- According to a report Thursday, more than 600,000 Macs could be...
  • How to know if your Mac has the Flashback Trojan

    How to find out if your Mac has the Flashback Trojan Even if you don't find Flashback Trojan on your Mac, make sure you install the latest Apple security update for Java. ( Mashable ) -- According to a report Thursday, more than 600,000 Macs could be...
  • Flashback trojan shows Macs do get viruses

      Washington Post
    Gallery Gallery Mike Geise, a senior security researcher at ZScaler , said that while he can't confirm Dr. Web's numbers, the conditions sound right for a malware problem of that scale. The virus should be a wake-up call to those who still think that...

Images

 >
 

More From Allvoices

Report Your News Got a similar story?
Add it to the network!

Or add related content to this report



Use of this site is governed by our Terms of Use Agreement and Privacy Policy.

© Allvoices, Inc. 2008-2014. All rights reserved. Powered by PulsePoint.