# Command Injection

Command Injection (also called OS command injection) is a security vulnerability that occurs when an application builds an operating system command from user-supplied input without validating or escaping it. As the name suggests, the attacker injects an extra command: the application takes the user input, passes it into a command on the back end, executes it, and returns the output to the user.

Let’s consider a simple web application, for example a website called **web-health.checker**. This website asks the user for a URL or IP address and checks whether the target is reachable. If the IP is reachable and pingable, it returns that the website is alive. If not, it returns that the website is not reachable or not alive.

Command executed behind the scenes:

```
ping -c 2 <user supplied url>
ping -c 2 google.com
```

As an attacker, we can terminate the intended command or chain additional commands using shell operators such as `;`, `|`, `||`, `&&`, backticks (`` `command` ``), `$(command)`, or a newline (`\n`) to manipulate the command being executed. This lets us inject arbitrary commands such as `id` or `whoami`, which then run on the target server with the privileges of the web application.

```
ping -c 2 google.com; id
```

<figure><img src="/files/wAPSYYVSVxUf08N9m4Qq" alt=""><figcaption></figcaption></figure>

There are also other ways we could have done this, such as:

```
ping -c 2 google.com | id
ping -c 2 google.com `id`
ping -c 2 google.com $(id)
ping -c 2 google.com && id
ping -c 2 does_n_exist || id
```
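To make the behaviour above concrete, here is an added Python reproduction of the vulnerable handler (example code, not the page's code or the web-health.checker application). It assumes a POSIX `/bin/sh`, and it puts a fake `ping` script on `PATH` that only echoes its arguments (and fails for `does_n_exist`) so the demo runs offline; the injected `id` really executes, so its `uid=` output proves the injection worked.

```python
import os
import subprocess
import tempfile

# Stand-in for the real ping binary (an assumption of this example): it echoes
# its arguments and exits 1 for the host "does_n_exist", mirroring the page's
# "not reachable" case so the "||" payload can be demonstrated.
FAKE_PING = """#!/bin/sh
echo "fake ping called with: $*"
case "$*" in *does_n_exist*) exit 1 ;; esac
exit 0
"""

_stub_dir = None


def fake_ping_path():
    """Create (once) a temp directory holding the fake ping; return its path."""
    global _stub_dir
    if _stub_dir is None:
        _stub_dir = tempfile.mkdtemp(prefix="fakeping-")
        path = os.path.join(_stub_dir, "ping")
        with open(path, "w") as f:
            f.write(FAKE_PING)
        os.chmod(path, 0o755)
    return _stub_dir


def check_host_vulnerable(user_input):
    """The vulnerable pattern: user input is concatenated into a command string
    that is handed to /bin/sh (shell=True), so every shell metacharacter in the
    input is interpreted. Returns the combined stdout/stderr of the shell."""
    cmd = "ping -c 2 " + user_input
    env = dict(os.environ, PATH=fake_ping_path() + os.pathsep + os.environ.get("PATH", ""))
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True, env=env)
    return result.stdout + result.stderr


def injected(output):
    """True if the injected `id` command ran: its output contains 'uid='."""
    return "uid=" in output


# The page's payloads. The first is benign; the rest all reach `id`.
PAYLOADS = [
    "google.com",           # plain input, nothing injected
    "google.com; id",       # ';' ends the ping command, id runs next
    "google.com | id",      # pipe: id runs whatever ping printed
    "google.com `id`",      # backticks: id runs first, its output becomes a ping argument
    "google.com $(id)",     # same with $( ) substitution
    "google.com && id",     # id runs only if ping succeeds (stub exits 0)
    "does_n_exist || id",   # id runs only if ping fails (stub exits 1 here)
    "google.com\nid",       # a newline also separates commands inside sh -c
]


def demo():
    """Run every payload through the vulnerable handler; returns {payload: injected?}."""
    return {p: injected(check_host_vulnerable(p)) for p in PAYLOADS}


if __name__ == "__main__":
    for payload, hit in demo().items():
        print(f"{'INJECTED' if hit else 'clean   '}  {payload!r}")
```

Running the file prints `clean` for the plain hostname and `INJECTED` for each of the seven operator variants. The `||` variant only works because the fake ping fails for `does_n_exist`; against a real target that is exactly the "unreachable host" condition an attacker would pick.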

I exploited this vulnerability in one of the CTFtime CTFs; walkthrough link: I will edit here later.

<figure><img src="/files/FP1NsjFolDziqeC7DZ8K" alt=""><figcaption></figcaption></figure>

### How to prevent OS command injection <a href="#how-to-prevent-os-command-injection-attacks" id="how-to-prevent-os-command-injection-attacks"></a>

Never execute operating system commands built from user-supplied input if you can avoid it; a library call that does the job directly (for example a ping or HTTP client library) removes the shell entirely. If it is absolutely necessary to include user input in a system command, you must implement strong input validation and strict controls, such as:

* Validating against a whitelist (allowlist) of permitted values, i.e. only accepting specific, known-safe values:

```
allowed_hosts = ["google.com", "example.com", "cloudflare.com"]
```

* Validating that the input is a number and nothing but a number, and only then converting and using it:

```
if user_input.isdigit():
    count = int(user_input)  # safe to use only after the check
```

* Validating that the input contains only alphanumeric characters (plus, for hostnames, hyphens and dots in valid positions), with no other syntax or whitespace. Even after validation, pass the command to the OS as an argument list rather than a shell string, so that separators such as `;` or `$( )` are never interpreted by a shell.
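The three checks above, written out as an added Python example (not the page's own code). The allowlist reuses the page's three hostnames; the hostname pattern, the `ping_argv` and `quote_for_shell` helper names are this example's assumptions. It also shows two caveats the list does not: `str.isdigit()` accepts Unicode digits such as `²`, and a validated value should still be handed to `subprocess` as a list, never glued into a shell string.

```python
import re
import shlex

# Allowlist of hosts the checker may ping (the page's example values).
ALLOWED_HOSTS = frozenset({"google.com", "example.com", "cloudflare.com"})

# One DNS label: alphanumerics with internal hyphens, at most 63 characters,
# and never a leading hyphen (so "-f" cannot be parsed by ping as an option).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def is_allowlisted(host):
    """Strictest option: only exact, known-good values pass."""
    return host in ALLOWED_HOSTS


def is_strict_number(value):
    """ASCII digits only. str.isdigit() is too loose: it also returns True for
    Unicode digits such as '²' or '٣', which is not what the check intends."""
    return re.fullmatch(r"[0-9]+", value) is not None


def is_hostname(value):
    """Alphanumerics, hyphens and dots in valid label positions only: no
    whitespace, no newline, no shell metacharacters, at most 253 characters."""
    return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None


def ping_argv(host, count=2):
    """Validate, then build the argument list for ping. Because this is a list
    (shell=False), each element reaches ping as one argv entry: ';', '|',
    '$(...)' and newlines carry no meaning. Raises ValueError on bad input."""
    if not (is_allowlisted(host) or is_hostname(host)):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", str(count), host]


def quote_for_shell(value):
    """Defence in depth for the rare case where a shell string is unavoidable:
    shlex.quote wraps anything unsafe in single quotes so the shell treats the
    whole value as one literal word. Validation still applies first."""
    return "ping -c 2 " + shlex.quote(value)


if __name__ == "__main__":
    for candidate in ["google.com", "web-health.checker", "google.com; id", "-f", "8080", "²"]:
        print(f"{candidate!r:22} allowlist={is_allowlisted(candidate)} "
              f"hostname={is_hostname(candidate)} number={is_strict_number(candidate)}")
    print(ping_argv("google.com"))
    print(quote_for_shell("google.com; id"))
```

Run with `python3 validate_host.py` (any file name works). To actually ping, pass the list from `ping_argv` to `subprocess.run(...)` without `shell=True`; if you print `quote_for_shell("google.com; id")` you get `ping -c 2 'google.com; id'`, which makes the whole payload a single hostname argument rather than two commands.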

<figure><img src="/files/mZVMznf7x10k7DmiIMgk" alt=""><figcaption></figcaption></figure>

