Shell injection, also known as OS command injection, is a vulnerability that occurs when an application constructs operating system commands using unsanitized user input and executes them through a system shell. By injecting shell metacharacters and additional commands, an attacker can execute arbitrary commands on the server with the same privileges as the application process.
How It Works
Applications sometimes invoke system commands to perform tasks like file processing, network operations, or interfacing with legacy systems. When user input is concatenated directly into a command string, shell metacharacters like ;, |, &&, ||, and backticks allow the attacker to terminate the intended command and append their own. For example, an application that runs ping [userInput] can be exploited with input like 127.0.0.1; cat /etc/passwd, causing the shell to execute both the ping command and the attacker's command.
Different operating systems use different shell interpreters and metacharacters. Unix-based systems process commands through bash or sh, where semicolons separate commands and backticks or $() enable command substitution. Windows systems use cmd.exe with & and | as command separators, and PowerShell has its own syntax. Attackers adapt their injection syntax to the target operating system, and thorough testing covers metacharacters for all potential environments.
Blind shell injection occurs when the application executes the command but does not return the output to the attacker. In these cases, attackers confirm execution through out-of-band techniques: triggering a DNS lookup to an attacker-controlled domain, causing a time delay with a sleep command, or writing output to a file that can be retrieved through another application feature. The vulnerability is equally dangerous in blind scenarios because the attacker still achieves command execution.
Why It Matters
Shell injection provides direct operating system access, making it one of the most severe vulnerability classes. An attacker can read sensitive files, modify configurations, install backdoors, pivot to other systems, and exfiltrate data. The proper remediation is avoiding system shell calls entirely by using language-native libraries for the required functionality. When invoking an external program is unavoidable, parameterized command execution (passing the program and each argument as a separate element, so no shell interpreter ever parses the user-supplied value) eliminates the injection vector.
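The ping example from above, written out as an added illustration that is not part of the original page: the concatenated shell-string form beside the argument-list form the remediation describes, plus an allowlist check in front of it. The example stands in `echo pinging` for the real `ping` binary (an assumption made so the code runs offline and deterministically); the shell parsing behaviour is the same.

```python
import re
import subprocess

# Constructed sample inputs. The injected value follows the page's
# "127.0.0.1; <command>" pattern; the appended command is a harmless echo
# so the effect is visible in stdout without touching any file.
BENIGN_HOST = "127.0.0.1"
INJECTED_HOST = "127.0.0.1; echo INJECTED"

# Assumption for the demo: `echo pinging` replaces the real `ping -c 1`.
TOOL = ["echo", "pinging"]

# Allowlist for a hostname or IPv4 literal: letters, digits, dots, hyphens.
# Every metacharacter the text lists (; | & ` $ ( )) falls outside it.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def run_vulnerable(user_input: str) -> str:
    """The anti-pattern: user input concatenated into one string that
    /bin/sh parses. A `;` ends the intended command and the shell runs
    whatever follows it."""
    cmd = " ".join(TOOL) + " " + user_input
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def run_argv_only(user_input: str) -> str:
    """Parameterized execution with no validation at all. The program is
    exec'd directly with an argument list, so the whole value (including
    the `;` and the text after it) reaches it as a single literal argument
    and no second command runs."""
    result = subprocess.run(TOOL + [user_input], capture_output=True, text=True)
    return result.stdout


def run_hardened(user_input: str) -> str:
    """Defence in depth: reject anything outside the allowlist before any
    process is started, then exec with an argument list as above."""
    if not HOST_RE.fullmatch(user_input):
        raise ValueError(f"rejected host argument: {user_input!r}")
    result = subprocess.run(
        TOOL + [user_input], capture_output=True, text=True, check=True
    )
    return result.stdout
```

Running `run_vulnerable(INJECTED_HOST)` produces two output lines (the second command executed), while `run_argv_only(INJECTED_HOST)` produces one line containing the metacharacters verbatim.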
Need your application tested? Get in touch.