
Module: Command‐Injection

Moiz Bootwala edited this page Jan 19, 2026 · 1 revision

Overview

Module Name: command_injection
Requires Sink: Command

Command Injection (also known as OS Command Injection or Shell Injection) is a vulnerability that allows attackers to execute arbitrary operating system commands on the server. This occurs when an application passes unsafe user input to a system shell.

This module executes real OS commands on the host system. FlawFactory detects the operating system and uses the appropriate shell:

| OS | Shell | Shell Argument |
|---|---|---|
| Linux/macOS | /bin/sh | -c |
| Windows | cmd.exe | /C |

Supported Placements

| Placement | Description | Example Request |
|---|---|---|
| query_param | URL query string | GET /ping?host=8.8.8.8 |
| path_param | URL path segment | GET /lookup/google.com |
| form_field | POST form data | POST /exec with cmd=ls |
| json_field | JSON body field | POST /api/run with {"command": "ping"} |
| header | HTTP header | User-Agent: test |

Configuration Options

base_command (string)

The command template containing an {input} placeholder. The user-supplied value replaces the placeholder verbatim, and the resulting string is handed to the shell shown above.

base_command: "ping -c 1 {input}"      # Ping utility
base_command: "nslookup {input}"        # DNS lookup
base_command: "echo Hello, {input}"     # Echo message
base_command: "grep {input} /var/log/*" # Log search

Default: "" (when empty, the user input itself is executed as the command)

filter (string)

Intentionally weak input filtering. These represent flawed protection mechanisms.

| Value | Description | What It Removes | Bypass Method |
|---|---|---|---|
| none | No filtering | Nothing | N/A |
| basic_semicolon | Removes ; | Semicolons | &&, \|, newlines |
| basic_pipe | Removes \| | Pipes | ;, &&, newlines |
| basic_both | Removes ; and \| | Both | &&, \|\|, newlines |
| url_decode | Strips ; \| & $ and then URL-decodes the input | ; \| & $ (before decoding) | Double-encode (query/path placements): %26 survives the strip and decodes to & |

Default: none
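As an added illustration (not FlawFactory's own code), the Python below shows what the base_command template and the weak filters described above actually do to a request, beside the hardened form a real application should use: validate the value against a strict allowlist and pass it as a single argv element, so no shell ever parses it. The hostname regex, the metacharacter set and the helper names are my own assumptions.

```python
import re
import shlex
import subprocess
from typing import Callable, Dict, List, Optional

# Re-implementation of the page's character-stripping filters (assumed, for illustration).
WEAK_FILTERS: Dict[str, Callable[[str], str]] = {
    "none": lambda s: s,
    "basic_semicolon": lambda s: s.replace(";", ""),
    "basic_pipe": lambda s: s.replace("|", ""),
    "basic_both": lambda s: s.replace(";", "").replace("|", ""),
}

# Characters a POSIX shell or cmd.exe treats specially (assumed, non-exhaustive list).
SHELL_METACHARS = set(";|&$`\n<>()")

# Allowlist: RFC 1123 style hostname or dotted IPv4, nothing else (assumed regex).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_vulnerable_command(base_command: str, user_input: str, filter_name: str = "none") -> str:
    """Mirror the lab: apply the weak filter, substitute into the template and
    return the single string that would be handed to `/bin/sh -c` or `cmd.exe /C`."""
    filtered = WEAK_FILTERS[filter_name](user_input)
    # Empty base_command means the input itself is the command (page default).
    return filtered if base_command == "" else base_command.replace("{input}", filtered)


def still_contains_metachars(command: str) -> bool:
    """Detection check: does anything shell-significant survive the filter?"""
    return any(c in SHELL_METACHARS for c in command)


def build_safe_argv(base_command: str, user_input: str) -> Optional[List[str]]:
    """Hardened form: reject anything outside the allowlist, then place the
    value inside one argv token. Returns None when the input is rejected."""
    if not HOSTNAME_RE.fullmatch(user_input):
        return None
    # Split the template once (no shell involved), then substitute per token.
    return [tok.replace("{input}", user_input) for tok in shlex.split(base_command)]


def run_safe(base_command: str, user_input: str) -> int:
    """Execute the hardened argv with shell=False; raises on rejected input."""
    argv = build_safe_argv(base_command, user_input)
    if argv is None:
        raise ValueError("input rejected by allowlist")
    return subprocess.run(argv, capture_output=True, text=True, check=False).returncode
```

Note that without a shell, templates relying on globbing such as "grep {input} /var/log/*" no longer expand the wildcard; enumerate the files in code instead.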

Configuration Examples

Windows Based Command Injection

app:
  name: "Command Injection Lab (Windows)"
  port: 8080

endpoints:
  # Basic Ping Utility
  - path: /ping
    method: GET
    vulnerabilities:
      - type: command_injection
        placement: query_param
        param: host
        config:
          base_command: "ping -n 1 {input}"
          filter: none

  # DNS Lookup
  - path: /nslookup
    method: GET
    vulnerabilities:
      - type: command_injection
        placement: query_param
        param: domain
        config:
          base_command: "nslookup {input}"
          filter: none

  # User Greeting
  - path: /greet
    method: GET
    vulnerabilities:
      - type: command_injection
        placement: query_param
        param: name
        config:
          base_command: "echo Welcome, {input}!"
          filter: none

  # JSON Body Input
  - path: /api/system/ping
    method: POST
    vulnerabilities:
      - type: command_injection
        placement: json_field
        param: target
        config:
          base_command: "ping -n 1 {input}"
          filter: none

  # Form Field Input
  - path: /tools/lookup
    method: POST
    vulnerabilities:
      - type: command_injection
        placement: form_field
        param: hostname
        config:
          base_command: "nslookup {input}"
          filter: none

  # With Basic Filter (Bypassable)
  - path: /secure/ping
    method: GET
    vulnerabilities:
      - type: command_injection
        placement: query_param
        param: host
        config:
          base_command: "ping -n 1 {input}"
          filter: basic_ampersand

  # Direct Command Execution (Most Dangerous)
  - path: /exec
    method: POST
    vulnerabilities:
      - type: command_injection
        placement: form_field
        param: cmd
        config:
          base_command: "{input}"
          filter: none

Linux Based Command Injection

app:
  name: "Command Injection Lab (Linux)"
  port: 8080

endpoints:
  # Basic Ping Utility
  - path: /ping
    method: GET
    vulnerabilities:
      - type: command_injection
        placement: query_param
        param: host
        config:
          base_command: "ping -c 1 {input}"
          filter: none

  # DNS Lookup
  - path: /nslookup
    method: GET
    vulnerabilities:
      - type: command_injection
        placement: query_param
        param: domain
        config:
          base_command: "nslookup {input}"
          filter: none

  # Log Viewer
  - path: /logs
    method: GET
    vulnerabilities:
      - type: command_injection
        placement: query_param
        param: search
        config:
          base_command: "grep '{input}' /var/log/app.log"
          filter: none

  # User Greeting
  - path: /greet
    method: GET
    vulnerabilities:
      - type: command_injection
        placement: query_param
        param: name
        config:
          base_command: "echo Welcome, {input}!"
          filter: none

  # JSON Body Input
  - path: /api/system/ping
    method: POST
    vulnerabilities:
      - type: command_injection
        placement: json_field
        param: target
        config:
          base_command: "ping -c 1 {input}"
          filter: none

  # Form Field Input
  - path: /tools/lookup
    method: POST
    vulnerabilities:
      - type: command_injection
        placement: form_field
        param: hostname
        config:
          base_command: "host {input}"
          filter: none

  # With Basic Filter (Bypassable)
  - path: /secure/ping
    method: GET
    vulnerabilities:
      - type: command_injection
        placement: query_param
        param: host
        config:
          base_command: "ping -c 1 {input}"
          filter: basic_semicolon

  # Direct Command Execution (Most Dangerous)
  - path: /exec
    method: POST
    vulnerabilities:
      - type: command_injection
        placement: form_field
        param: cmd
        config:
          base_command: "{input}"
          filter: none
