Hello guys, today we have a detailed explanation of all types of command injection:
- Basic Command Injection
- Blind Command Injection
- File-Based Technique (semi-blind)
- Time-Based Technique (Blind)
Let's explain from the bottom up.
What is a command?
A command is an instruction given to a computer program or operating system to perform a specific task or function.
What is injection?
Injection is a type of attack where malicious code or data is inserted into a system with the intent of altering its behavior or gaining unauthorized access to sensitive information.
What is command injection?
Command injection is an attack where arbitrary commands are executed on the host operating system through the vulnerable application.
Technical
Now that we know what a command, injection and command injection are, let's get techy.
Basic Command Injection
- The output of the executed command is visible in the response.
- An attacker can view the results of the executed command and whether it succeeded or not.
As you can see here, the attacker executed the command whoami in the vulnerable application, and the output is visible, because it is basic command injection, or result-based command injection.
Blind Command Injection
- The output of the executed command is not visible in the response.
- An attacker cannot view the results of the executed command.
There are two types of blind command injection:
- The time-based technique (Blind)
- The file-based technique (Semi-blind)
Time-Based Technique (Blind)
- It is based on time delays.
- It can be determined by the length of the output and the time taken for the delay.
- Once confirmed, we can export the output of the injected command char by char using a chain of OS commands, such as cut, head, etc.
Here the attacker used the ping command for the time delay, as it lets you specify the number of ICMP packets to send, and therefore the time taken for the command. This command will cause the application to ping its loopback network adapter for 10 seconds.
File-Based Technique (Semi-blind)
This technique is used when we are not able to view the results of the command injection, but we can write them to a file accessible by us.
The attacker used > to store the output of the command in an accessible file location, and the attacker will include that file to see the output.
Sorry for the quality, but the attacker used the filename= parameter to include the file that he wrote the output of the command to, which in this case is output.txt.
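From the defender's side, the three variants described above leave different traces in web server logs. The following is an added example, not part of the original article: a small log scanner that flags shell metacharacters in query parameters and uses response time and the > operator to tell the variants apart. The log format, the /ping and /view paths, the ip parameter name and the 5-second threshold are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines: method, URL, status, seconds taken.
# The paths and the "ip" parameter name are assumptions for this demo.
SAMPLE_LOG = [
    "GET /ping?ip=127.0.0.1 200 0.04",
    "GET /ping?ip=127.0.0.1%3B+whoami 200 0.05",
    "GET /ping?ip=127.0.0.1%3B+ping+-c+10+127.0.0.1 200 10.07",
    "GET /ping?ip=127.0.0.1%3B+whoami+%3E+output.txt 200 0.05",
    "GET /view?filename=output.txt 200 0.02",
]

# Characters a POSIX shell treats as separators, substitution or redirection.
SHELL_META = re.compile(r"[;&|`$<>\n]")
SLOW_SECONDS = 5.0  # assumed threshold; tune to the application's normal latency


def classify(line):
    """Return (label, parameter) for a suspicious request, or None if clean."""
    _method, url, _status, seconds = line.split()
    # parse_qsl URL-decodes each value, so %3B and %3E are seen as ; and >
    for name, value in parse_qsl(urlsplit(url).query):
        if not SHELL_META.search(value):
            continue
        if ">" in value:
            return ("file-based", name)    # output redirected to a file
        if float(seconds) >= SLOW_SECONDS:
            return ("time-based", name)    # metacharacters plus unusual delay
        return ("result-based", name)      # output likely in the response
    return None


def scan(lines):
    """Map each flagged log line to its classification."""
    return {line: hit for line in lines if (hit := classify(line))}


if __name__ == "__main__":
    for line, (label, param) in scan(SAMPLE_LOG).items():
        print(f"{label:13} param={param}  {line}")
```

The last request, which reads output.txt back through filename=, carries no metacharacters and is not flagged; catching it means correlating the file name with the earlier write.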
Resources
Thanks for reading, reach me at: