Most web server platforms have developed to the point where built-in APIs exist to complete effectively any needed interaction with the server’s operating system. APIs can allow developers to access the filesystem, interface with other processes, and perform network communications in a safe way. Although, there are several conditions in which developers choose to use the more heavyweight technique of issuing operating system commands directly to the server. This option can be attractive because of its ability and simplicity and usually gives a functional solution to a particular problem.
However, if the application passes user-supplied input to OS commands, the application may be vulnerable to command injection, allowing an attacker to submit malicious input that changes the commands that the developers meant to perform.
Functions such as “exec” and “wscript.shell” are usually used to issue OS commands. If a developer wants to use an API to perform a task such as listing the contents of a directory, a hacker may be able to tamper it to write arbitrary files. Any injected commands regularly run in the security context of the web server process, which usually is powerful for an attacker to compromise the whole server.
Command injection vulnerabilities of this sort have appeared in numerous custom-built web applications. They have been especially common within applications that implement an administrative interface to an enterprise server or to devices such as firewalls, printers, and routers. These applications usually have special requirements for OS interaction that lead developers to use direct commands that incorporate user-supplied data.