Injection

OS Command Injection

Command injection occurs when server-side code (like PHP) in a web application makes a system call on the hosting machine and user-supplied input ends up in the command that is run.

The worst thing an attacker could do is spawn a reverse shell to become the user that the web server is running as. A simple ;nc -e /bin/bash is all that's needed and they own your server. Some variants of netcat don't support the -e option; a list of reverse shells can be used as an alternative.

Blind command injection occurs when the system command run on the server does not return its output to the user in the HTML document.

Active command injection will return the response to the user. It can be made visible through several HTML elements.
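
The vulnerable pattern described above beside a hardened form, as an added example that is not part of the original page. The ping handler, its function names and the sample input are assumptions; it expects a POSIX host with ping on the PATH and PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// "Before": the request value is concatenated into a string that /bin/sh parses,
// so ";", "|", "&&", "$(...)" and backticks in $host start further commands.
function ping_vulnerable(string $host): string
{
    return (string) shell_exec('ping -c 1 ' . $host);
}

// "After": allow-list the input, then execute an argv array with no shell involved.
function ping_hardened(string $host): string
{
    // Accept only a literal IPv4/IPv6 address; everything else is rejected outright.
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('host must be an IP address');
    }
    // An array command (PHP 7.4+) is executed directly, so the value stays
    // a single argument and shell metacharacters have no meaning.
    $proc = proc_open(['ping', '-c', '1', $host], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ping');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return (string) $out;
}

// Constructed sample input: a harmless marker command after the separator.
$input = '127.0.0.1; echo INJECTED';

// Active injection: the marker's output comes back in the response body.
echo '<pre>' . htmlspecialchars(ping_vulnerable($input)) . "</pre>\n";

try {
    echo '<pre>' . htmlspecialchars(ping_hardened($input)) . "</pre>\n";
} catch (InvalidArgumentException $e) {
    // The hardened handler refuses the value before any process is started.
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

If the vulnerable handler discarded the command output instead of echoing it, the same input would still execute, which is the blind case.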
