# NodeJS - Command Injection 4 (CMD-4)

## Running the app on Docker

```
$ sudo docker pull blabla1337/owasp-skf-lab:js-cmd4
```

```
$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:js-cmd4
```

{% hint style="success" %}
Now that the app is running let's go hacking!
{% endhint %}

## Reconnaissance

Command injection is an attack whose goal is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. As a first step, the attacker needs to inspect how the web app works in order to find possible injection points.

When we start the application we can see that there is a box where we can write an IP address in order to execute a ping against it.

![](https://raw.githubusercontent.com/blabla1337/skf-labs/master/.gitbook/assets/python/CMD-4/1.png)

First, we try the functionality and execute a ping against the loopback address. We can also see the resulting output:

![](https://raw.githubusercontent.com/blabla1337/skf-labs/master/.gitbook/assets/python/CMD-4/2.png)

## Exploitation

For this lab we are going to try to make the website show us the output of a command that the system was never meant to execute. We start by trying methods like:

![](https://raw.githubusercontent.com/blabla1337/skf-labs/master/.gitbook/assets/python/CMD-4/3.png)

![](https://raw.githubusercontent.com/blabla1337/skf-labs/master/.gitbook/assets/python/CMD-4/4.png)

It seems that it may not be possible to execute OS commands by taking advantage of the ping functionality. However, we suspect that the website is filtering some of the special characters usually used for command execution, so we try some new ones:

![](https://raw.githubusercontent.com/blabla1337/skf-labs/master/.gitbook/assets/python/CMD-4/5.png)

We could finally execute a command (whoami)!

Now we try with another simple example:

![](https://raw.githubusercontent.com/blabla1337/skf-labs/master/.gitbook/assets/python/CMD-4/6.png)

Goal achieved and filter bypassed!
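
The bypass works because a character denylist still hands user-controlled text to a shell. As an added example (not the lab's source code; the denylist contents and all function names are assumptions), this puts that pattern next to the fix: accept only a literal IP address and start ping without a shell.

```javascript
'use strict';
// Added example, not the lab's source: a denylist filter next to an allowlist fix.
const net = require('node:net');
const { execFile } = require('node:child_process');

// Assumption: the kind of character denylist the write-up suspects.
const DENYLIST = [';', '&'];

// Weak: strips the listed characters, keeps everything else the user typed.
function denylistFilter(input) {
  let out = String(input);
  for (const ch of DENYLIST) out = out.split(ch).join('');
  return out;
}

// Weak: the string a shell-based handler would run (built here, never executed).
function shellCommandLine(input) {
  return 'ping -c 1 ' + denylistFilter(input);
}

// Hardened: accept only a literal IPv4/IPv6 address, reject anything else.
function validateTarget(input) {
  const target = String(input).trim();
  if (net.isIP(target) === 0) {
    throw new TypeError('target must be a literal IP address');
  }
  return target;
}

// Hardened: fixed argument vector; the address is exactly one argv element.
function pingArgs(input) {
  return ['-c', '1', validateTarget(input)];
}

// Hardened: execFile starts ping directly, so no shell parses the input.
// Invalid input throws before any process is created.
function ping(input, callback) {
  execFile('ping', pingArgs(input), { timeout: 5000 }, callback);
}

// Constructed sample input.
const sample = '127.0.0.1; whoami';
console.log(shellCommandLine(sample)); // extra text survives the filter
try { pingArgs(sample); } catch (e) { console.log('rejected:', e.message); }
console.log(pingArgs('127.0.0.1'));
```

The denylist version has to anticipate every character a shell treats specially; the allowlist version only has to recognise a valid address.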

## Additional sources

<https://www.owasp.org/index.php/Command_Injection>

