Command Execution
Imagine you run a simple site that performs DNS lookups. Your site shells out to the nslookup command, then prints the result.
Have a look at the code below. Since the domain parameter is handed to the shell without any validation, the site is vulnerable to command injection.
Slim is a no-good basement-dweller who wants to hack your website. He has already noticed you are running PHP, and wonders how he can take advantage of that.
While running a simple domain lookup, he notices that the domain is passed in the query string under the domain parameter.
He guesses that the lookup is performed by passing the domain to an operating system command, and appends a shell separator such as ; or && followed by an extra command of his own.
Success! The output of his echo command appears on the web page directly below the nslookup result, which demonstrates that the site executes whatever he appends to the domain parameter.
Now he has a mechanism to run arbitrary commands on the server, with the privileges of the web server process. This is very bad news.
You try it! Append the command cat /etc/passwd to the domain parameter to read a sensitive file on the server.
Output of a normal lookup of google.com:

Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
Name:    google.com
Address: 216.58.192.14

Output after an echo command is appended to the domain parameter (the injected command's output follows the nslookup result):

Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
Name:    google.com
Address: 216.58.192.14

HAXXED

<?php
  if (isset($_GET['domain'])) {
    echo '<pre>';
    // Attacker-controlled input, used without any validation.
    $domain = $_GET['domain'];
    // The string is passed to /bin/sh -c, so shell metacharacters in $domain
    // (;  &&  |  backticks  $()) are parsed as part of the command line.
    // system() writes the command's output straight to the response and
    // returns only its last line, so the return value is not echoed again.
    system("nslookup {$domain}");
    echo '</pre>';
  }
?>
Notice how the domain parameter is taken straight from the GET request and interpolated into the command string. PHP hands that string to /bin/sh -c, so any shell metacharacters in the parameter are interpreted as part of the command line rather than as part of the hostname.
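As an added example (not the lesson's own code), here is a hardened version of the lookup page. It assumes PHP 7.4 or later, so that proc_open can take an argv array and bypass the shell entirely, and that nslookup is on the PATH. The function names isValidDomain, lookupDomain and lookupDomainLegacy are chosen for this example.

```php
<?php
// Added example, not the lesson's own code: a hardened version of the lookup page.
// Assumes PHP >= 7.4 (proc_open accepts an argv array) and nslookup on the PATH.

declare(strict_types=1);

// Allow-list check for a DNS name: dot-separated labels of letters, digits and
// hyphens, no leading or trailing hyphen, at most 253 characters overall.
// Rejecting a leading hyphen also stops the value being read as an nslookup option.
function isValidDomain(string $domain): bool
{
    if ($domain === '' || strlen($domain) > 253) {
        return false;
    }
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    // \z (not $) so a trailing newline cannot slip past the check.
    return preg_match('/^' . $label . '(?:\.' . $label . ')*\.?\z/', $domain) === 1;
}

// Run nslookup without a shell. Each array element becomes one argv entry, so
// ';', '&&', '|', backticks and '$()' in $domain reach nslookup as literal
// characters of a single argument and are never interpreted by /bin/sh.
function lookupDomain(string $domain): string
{
    if (!isValidDomain($domain)) {
        throw new InvalidArgumentException('invalid domain name');
    }
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['nslookup', $domain], $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start nslookup');
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out . $err;
}

// On PHP < 7.4 the shell cannot be avoided with proc_open; quote the single
// argument so the shell sees exactly one word. Validation still applies first.
function lookupDomainLegacy(string $domain): string
{
    if (!isValidDomain($domain)) {
        throw new InvalidArgumentException('invalid domain name');
    }
    return (string) shell_exec('nslookup ' . escapeshellarg($domain));
}

if (isset($_GET['domain'])) {
    echo '<pre>';
    try {
        // htmlspecialchars stops nslookup output (or an error message that
        // echoes the input back) from being rendered as HTML.
        echo htmlspecialchars(lookupDomain((string) $_GET['domain']), ENT_QUOTES, 'UTF-8');
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'Please enter a valid domain name.';
    }
    echo '</pre>';
}
```

With this version, Slim's payload fails twice over: the allow-list rejects it before any process is started, and even if the check were loosened, the argv array means there is no shell to interpret the separator. Treat the allow-list as the primary control and the shell-free invocation as defence in depth; escapeshellarg alone is a weaker fallback, because it protects only the one argument it wraps.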