Command injection involves an attacker attempting to invoke a system command, normally performed at a terminal session, within an HTTP request instead. Many web applications allow system commands through the UI for troubleshooting purposes. A web-penetration tester must test whether the web page allows further commands on the system that should normally be restricted.
For this recipe, you will need the SecLists Payload for Unix commands:
- SecLists-master | Fuzzing | FUZZDB_UnixAttacks.txt
- Download from GitHub: https://github.com/danielmiessler/SecLists
Using the OWASP Mutillidae II DNS Lookup page, let's determine whether the application is vulnerable to command injection...