Command Injection Lab

Test Remote Code Execution vulnerabilities with direct command execution

Critical RCE Vulnerability

Lab Overview

This lab contains a critical Remote Code Execution (RCE) vulnerability through direct command execution. The application passes user input directly to the shell_exec() function without any filtering or validation.

Critical Security Warning: This lab allows arbitrary command execution on the server. Use with extreme caution in controlled environments only.
Vulnerable Code: Direct command execution using shell_exec($_GET['cmd']) with no input validation.
Security Level: Critical Vulnerability

Objective: Understand how command injection vulnerabilities work and practice safe exploitation techniques in a controlled environment.

Backend Source Code
<?php
    // Vulnerable by design: the raw 'cmd' query parameter is handed to shell_exec(),
    // so /bin/sh parses whatever the client sent, metacharacters included.
    if (isset($_GET['cmd'])) {
        $cmd = $_GET['cmd'];
        $output = shell_exec($cmd);
    }
?>
Command Examples
Basic System Information:
  • whoami
  • pwd
  • ls -la
  • uname -a
File Operations:
  • cat /etc/passwd
  • ls /home/
  • find / -name "*.php" 2>/dev/null | head -10
Network Information:
  • ifconfig
  • netstat -tulpn
  • ps aux
Command Execution
Usage: Enter any system command to execute it on the server. The output will be displayed below.
This input is directly passed to shell_exec() - extreme caution advised
Dangerous Commands (Use with Caution):
  • rm -rf
  • dd if=/dev/zero
  • mkfs
  • :(){ :|:& };:
  • shutdown
These commands can cause system damage or data loss.
Security Implications

This vulnerability demonstrates:

  • Arbitrary command execution on the server
  • Complete system compromise potential
  • Data theft and manipulation risks
  • Persistence and backdoor installation
  • Network reconnaissance capabilities
  • Privilege escalation possibilities
Prevention Measures

To prevent command injection:

  • Use allowlists for command parameters
  • Implement proper input validation
  • Use parameterized commands when possible
  • Run services with minimal privileges
  • Use application-level firewalls
  • Perform regular security testing and code reviews
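The allowlist and parameterized-command measures above, as an added example that is not part of the lab's own code: the client names an action from a fixed table instead of supplying a command line, and the single permitted argument is validated and passed as its own argv element so no shell ever parses it. The program paths, the action names and the `action`/`arg` parameter names are assumptions for illustration.

```php
<?php
// Added example, not the lab's own code: an allowlist replacement for
// shell_exec($_GET['cmd']). The client names an action from a fixed table and
// may pass one argument, validated and handed over as a separate argv element.
declare(strict_types=1);
// Permitted actions: program path plus fixed flags (a hypothetical set).
// '%ARG%' marks the one slot a validated user argument may fill.
const ALLOWED_ACTIONS = [
    'whoami' => ['/usr/bin/whoami'],
    'stat'   => ['/usr/bin/stat', '--', '%ARG%'],
];
// A plain file name only: no slashes, spaces or shell metacharacters
// (\z rather than $ so a trailing newline cannot slip past the check).
const ARG_PATTERN = '/^[A-Za-z0-9_.-]{1,64}\z/';

/** Run an allowlisted action; return its stdout, or null when refused. */
function runAllowedAction(string $action, ?string $arg): ?string
{
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        return null;                     // unknown action: refuse outright
    }
    $argv = [];
    foreach (ALLOWED_ACTIONS[$action] as $part) {
        if ($part !== '%ARG%') {
            $argv[] = $part;
        } elseif ($arg !== null && preg_match(ARG_PATTERN, $arg) === 1) {
            $argv[] = $arg;              // validated, still one argv entry
        } else {
            return null;                 // missing or malformed argument
        }
    }
    // Array argv with proc_open() (PHP 7.4+) execs the program directly, so
    // ';', '|' or '&&' inside $arg are ordinary characters, not operators.
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

$output = runAllowedAction($_GET['action'] ?? '', $_GET['arg'] ?? null);
if ($output === null) {
    http_response_code(400);
    echo 'Request refused';
} else {
    header('Content-Type: text/plain; charset=utf-8');
    echo $output;
}
```

Because the refused cases return null instead of attempting to strip characters, every chaining operator listed under Advanced Techniques is rejected at the allowlist or the argument pattern rather than reaching a shell.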
Advanced Techniques
Command Chaining:
  • command1 ; command2 - Run sequentially
  • command1 && command2 - Run if first succeeds
  • command1 || command2 - Run if first fails
  • command1 | command2 - Pipe output
  • command1 & - Run in background
Useful Payloads:
  • cat /etc/passwd - View user accounts
  • ls -la /home/ - List home directories
  • uname -a - System information
  • id - Current user privileges
  • ps aux - Running processes
  • netstat -tulpn - Network connections
Testing Methodology
Reconnaissance:
  • Identify operating system
  • Discover current user privileges
  • Map directory structure
  • Find configuration files
  • Identify network services
Exploitation:
  • Test command injection vectors
  • Attempt privilege escalation
  • Establish persistence mechanisms
  • Exfiltrate sensitive data
  • Maintain access