What is Command Injection Attack?

It’s an attack in which the bad guys’ objective on this activity will be trying to obtain the execution of arbitrary commands on a vulnerable application. Normally, the vulnerability exposes when the application has sent unsafe user-supplied data to a system shell.

Normally, people will think that Code Injection and Command Injection but sadly it’s totally different where the Code Injection will allow the bad guys to usually add malicious code into the application and execute it remotely. However, the Command Injection will execute the command on the application with its functionality without they inject the code into the application itself.

How to the attack works?

Firstly, we can try to detect that the application that is vulnerable to the Command Injection would be looking at the URL Address. The possibility that the application is vulnerable would look something such as below:


If the application has an upload function, we can try to upload a file that contains the following code


Then, we can execute the command by typing the URL such as http://example.com/index.php?cmd=”any command”

Demonstration of the Injection attack

The demonstration is taken here

Another example that uses in the application

We also can use burpsuite to inspect the packet which you will have the output shown above.

We need to modify the payload by adding the { } symbol while the rest remain the same.

Let’s change the with the “id” command which you will obtain the output that we not expecting at all.

Leave a Reply

Your email address will not be published. Required fields are marked *