Command Execution
Imagine you run a simple site that performs DNS lookups. Your site shells out to the nslookup command, then prints the result.
Have a look at the code. Since the domain parameter is not sanitized, you are vulnerable to command injection.
Mal is a no-good basement-dweller who wants to hack your website. He has already noticed you are running PHP, and wonders how he can take advantage of that.
While running a simple domain lookup, he notices that the domain is passed in the query string under the domain parameter.
He guesses that the IP lookup is performed via an operating system function, and tries to tack an extra command onto the end.
Success! Mal can see the output of his echo command on the web page. This demonstrates that your site is vulnerable to command execution.
Now he has a mechanism to execute code on the server. This is very bad news.
You try it! Add the command cat /etc/passwd on the end of the search term to read a sensitive file on the server.
Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
Name:    google.com
Address: 216.58.192.14
Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
Name:    google.com
Address: 216.58.192.14

HAXXED
        
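<?php
  // Deliberately vulnerable: the user-supplied value goes straight into a shell command.
  if (isset($_GET['domain'])) {
    echo '<pre>';
    $domain = $_GET['domain'];  // taken from the query string, no validation
    $lookup = system("nslookup {$domain}");  // the shell interprets anything appended to the domain
    echo($lookup);
    echo '</pre>';
  }
?>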
Notice how the 'domain' parameter is taken in from the GET request, and immediately interpolated into a command string.
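A hardened version of the same lookup, as an added example that is not part of the original page: it validates the domain against hostname syntax and runs nslookup without a shell. The function names validate_domain() and lookup() are hypothetical, and the array form of proc_open() assumes PHP 7.4 or later.

```php
<?php
// Added example, not the original site's code. validate_domain() and lookup()
// are hypothetical names chosen for this illustration.
function validate_domain(string $input): ?string
{
    $domain = strtolower(trim($input));
    if ($domain === '' || strlen($domain) > 253) {
        return null;
    }
    // Each label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
    // Shell metacharacters and spaces can never match, and a value cannot start
    // with "-", so it cannot be read by nslookup as an option either.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (!preg_match('/\A' . $label . '(?:\.' . $label . ')*\z/', $domain)) {
        return null;
    }
    return $domain;
}

function lookup(string $domain): string
{
    // Passing the command as an array makes PHP execute nslookup directly,
    // so no shell ever parses the argument.
    $proc = proc_open(['nslookup', $domain], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return 'Lookup failed.';
    }
    $out = (string) stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

if (isset($_GET['domain']) && is_string($_GET['domain'])) {
    $domain = validate_domain($_GET['domain']);
    echo '<pre>';
    // Escape the output as well: it is attacker-influenced text placed into HTML.
    echo $domain === null
        ? 'Invalid domain name.'
        : htmlspecialchars(lookup($domain), ENT_QUOTES, 'UTF-8');
    echo '</pre>';
} elseif (PHP_SAPI === 'cli') {
    // Constructed inputs for a command-line check of the validator only.
    var_dump(validate_domain('google.com'));
    var_dump(validate_domain('google.com; echo HAXXED'));
}
```

Where the output format of nslookup is not needed, PHP's built-in dns_get_record() performs the lookup without starting a process at all.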
Mal:
Committing malicious acts on the internet is emotionally validating.
I wonder if I could make use of that...
That's it! I send all the commands now.
Your server is toast!
Thank you kindly.