Hello and welcome to the secure coding course. My name is Miss Anywhere. This is the OWASP Top 10 for 2013, A1 Injection, demo for command injection.
This is the command injection demo.
We're using Mutillidae to illustrate this particular vulnerability.
Now, on this page we just have a hostname lookup or an IP address lookup. It does a DNS lookup on the back end
based on whatever is typed into the text box. The problem is that there is absolutely no validation being done
for the value that's placed within this text box. And so, because there's no input validation or any type of whitelisting to restrict what is put in here, we are at liberty to put in anything we like.
If I were to run this as it should be run, I would put in an IP address or a hostname here,
and then you would see the results of the DNS lookup.
So it gives me the IP address.
But being nefarious, we want to actually try
commands that we can then run on this particular operating system. So if this were a Windows operating system, we could probably give it the directory command, DIR.
And sure enough, it comes back and gives me a directory listing of all the files on the web server.
Now we could continue this and
type a command to actually
look at the index file,
and as a result, you can see that we can now see the source code of the PHP file,
and this can go on. And so the lack of input validation or whitelisting for the value received within this text box
is the reason for the command injection vulnerability.
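The following is an added example, not code from the course or from Mutillidae's own source. It models the pattern the demo describes in Python rather than PHP: the vulnerable form concatenates the text-box value straight into a shell command line, and a shell tokeniser shows how a payload such as `8.8.8.8; dir` becomes a second command. The hardened form validates the value against an allow-list (an IP literal or a hostname matching an assumed RFC 1123-style pattern) and then invokes `nslookup` with an argument list and no shell, so metacharacters are never interpreted. The hostname regex, the `nslookup` invocation and the sample targets are all assumptions made for this example.

```python
import ipaddress
import re
import shlex
import subprocess
from typing import List

# Assumed hostname pattern for the allow-list (not from Mutillidae): dot-separated
# labels of letters, digits and hyphens, 1-63 chars each, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)

SHELL_SEPARATORS = {";", "&&", "||", "|", "&"}


def vulnerable_command(target: str) -> str:
    """The unsafe pattern from the demo: the text-box value is concatenated into
    a command string that is later handed to a shell. Nothing is validated."""
    return "nslookup " + target


def shell_commands(cmdline: str) -> List[List[str]]:
    """Tokenise a command line roughly as a POSIX shell would and split it at
    command separators, to show what an injected payload actually executes.
    shlex's punctuation_chars mode returns ';', '&&', '|' etc. as their own tokens."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands: List[List[str]] = []
    current: List[str] = []
    for tok in lexer:
        if tok in SHELL_SEPARATORS:
            if current:
                commands.append(current)
                current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def is_valid_target(target: str) -> bool:
    """Allow-list check: accept only an IPv4/IPv6 literal or a syntactically
    valid hostname. Anything containing shell metacharacters, whitespace or a
    leading '-' (which could be read as an option) is rejected."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.fullmatch(target) is not None


def safe_argv(target: str) -> List[str]:
    """Validate first, then build an argv list. Passing a list to subprocess with
    shell=False means the target is a single argument to nslookup, never a shell string."""
    if not is_valid_target(target):
        raise ValueError(f"rejected lookup target: {target!r}")
    return ["nslookup", target]


def lookup(target: str, timeout: float = 10.0) -> str:
    """Hardened lookup: runs nslookup without a shell on a validated target."""
    result = subprocess.run(
        safe_argv(target), shell=False, capture_output=True, text=True, timeout=timeout
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed sample inputs: one honest target and two injection payloads.
    for value in ["8.8.8.8", "8.8.8.8; dir", "8.8.8.8 && cat index.php"]:
        print(f"input {value!r}")
        print("  vulnerable path would run:", shell_commands(vulnerable_command(value)))
        print("  allow-list accepts it:", is_valid_target(value))
```

Running the script shows the vulnerable path turning `8.8.8.8; dir` into two commands, `nslookup 8.8.8.8` followed by `dir`, while `is_valid_target` rejects both payloads; only the validated target ever reaches `subprocess.run`, and even then as a separate argv element rather than a shell string.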