A threat actor may inject arbitrary operating system (OS) commands on the target when user-supplied input is concatenated into a shell command line without validation or escaping.
Example #1
- Threat actor crafts a malicious request to a vulnerable target, appending `|| whoami` so that when `ping` fails on the bogus host `x` the shell runs the injected command (`2>/dev/null` hides ping's error output)
- The target processes the malicious request and returns the result; `exec()` returns the last line of output, so the response `root` is the output of `whoami` and shows the injected command ran as root
Code
Target-Logic
$result = exec("ping -c4 ".$_GET["ip"]); // unvalidated query parameter concatenated into a shell command line
echo($result);
Target-In
x 2>/dev/null || whoami
Target-Out
root
Impact
High
Names
- Command Injection
Risk
- Read & write data
- Command execution
Remediation
- Input validation (allowlist the expected format, e.g. reject anything that is not an IP address literal)
- Do not pass user input to a shell; if a shell is unavoidable, escape the argument (escapeshellarg() in PHP) as defense in depth
ID
154d5db5-9614-42f9-9898-3355a7b7848f
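The vulnerable handler from the example next to a hardened version, as an added example that is not part of the original card. The function names and the benign address are assumptions made for illustration; the payload is the one from Target-In.

```php
<?php
// Added example, not the card's own code. Function names are illustrative.

// Vulnerable: the raw parameter is concatenated into a shell command line, so
// "x 2>/dev/null || whoami" turns into a second command the shell executes.
function ping_vulnerable(string $ip): string
{
    return exec("ping -c4 " . $ip);
}

// Hardened: (1) allowlist validation, the value must parse as an IPv4/IPv6
// literal; (2) escapeshellarg() as defense in depth, so even an unexpected
// value reaches ping as a single argument rather than as shell syntax.
function ping_hardened(string $ip): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException("not an IP address literal");
    }
    $output = [];
    $status = 0;
    exec("ping -c4 " . escapeshellarg($ip), $output, $status);
    if ($status !== 0) {
        throw new RuntimeException("ping exited with status $status");
    }
    return implode("\n", $output);
}

// Constructed inputs: the payload from the card and an assumed benign address.
$inputs = ["x 2>/dev/null || whoami", "127.0.0.1"];
foreach ($inputs as $input) {
    try {
        echo ping_hardened($input), "\n";
    } catch (InvalidArgumentException $e) {
        // The payload is rejected before any shell is spawned.
        echo "rejected: ", $e->getMessage(), "\n";
    } catch (RuntimeException $e) {
        echo "error: ", $e->getMessage(), "\n";
    }
}
```

With the payload, `ping_hardened()` throws before calling `exec()`. Even if validation were bypassed, `escapeshellarg()` wraps the value in single quotes, so `ping` would receive `x 2>/dev/null || whoami` as one hostname and fail, and `whoami` would never run.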