Lab 1: Basic Command Injection

Difficulty: Low

Lab Overview

This lab demonstrates a basic Remote Code Execution vulnerability through command injection. The application directly executes user-supplied commands without any validation or sanitization.

Objective: Execute arbitrary system commands to gain control of the server.

Vulnerable PHP Code

// Handle command execution request
if (isset($_GET['cmd']) && !empty($_GET['cmd'])) {
    $command = $_GET['cmd'];
    
    // Vulnerable: Direct command execution without validation
    try {
        $output = shell_exec($command . ' 2>&1');
        $command_output = $output ?: 'No output';
        // Display output
    } catch (Exception $e) {
        // Error handling
    }
}

// Example vulnerable usage:
// ?cmd=whoami
// ?cmd=ls -la
// ?cmd=cat /etc/passwd
// ?cmd=id && uname -a

Command Execution Demo

Command executed successfully!

Quick Test Commands:

Command Output: ps aux

USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
kzlabsst 3906197  0.0  0.0 150872 40936 ?        S    09:38   0:00 lsphp
kzlabsst 3972287  0.0  0.0 158124 26888 ?        Ss   09:43   0:00 lsphp:ome/kzlabsst/practice.kzlabs.store/rce/1.php
kzlabsst 3972288  0.0  0.0   4396  3072 ?        S    09:43   0:00 sh -c ps aux 2>&1
kzlabsst 3972289  0.0  0.0   7236  3072 ?        R    09:43   0:00 ps aux

Vulnerability Details

Type: Remote Code Execution (RCE)
Severity: Critical
Parameter: cmd
Method: GET
Issue: Direct command execution without validation

Test Commands

Try these commands in the cmd parameter:

whoami - Current user
ls -la - List files
cat /etc/passwd - System users
id && uname -a - User ID and system info
ps aux - Running processes
netstat -tulpn - Network connections

Example URLs:

1.php?cmd=whoami
1.php?cmd=cat /etc/passwd

Quick Test URLs

Click these links to test the vulnerability:

Real-World Attack Scenarios

Complete server compromise and control
Database access and data exfiltration
File system access and manipulation
Network access and lateral movement
Bypassing all security controls
Privilege escalation and persistence
Cryptocurrency mining and botnet participation

Mitigation Strategies

Never use user input in command execution functions
Use parameterized queries and prepared statements
Implement proper input validation and sanitization
Use whitelist-based validation for allowed commands
Implement proper error handling
Use least privilege principles
Implement proper logging and monitoring