
Command Injection Example File Download

If the server offers a file download feature and takes the file name from the client (an HTTP GET or POST parameter), a remote attacker can substitute a different file name and retrieve files that were never meant to be served, revealing sensitive information. Strictly, the flaw shown here is an arbitrary file read through an unvalidated file name (path traversal) rather than execution of an injected command, but the effect is the same: the server discloses whatever file the attacker names. The example below shows a download request in which the file name is altered; instead of the intended download, the server returns the contents of the file that was asked for.

Command Injection Example with File Download

The legitimate request downloads the file offered by the page. Changing the file name parameter to ask for "/etc/hosts" instead (the %2F decodes to a slash, so the server receives "//etc/hosts"):

curl 'http://zariga.com/DownloadServlet' --data 'filename=%2F/etc/hosts'

The command above succeeds and the response body is the content of /etc/hosts: the server has read the named file and returned it to the client. An attacker can use the same request to retrieve any file the servlet process can read, such as configuration files holding credentials, and so reveal sensitive information from the server.

Mitigation: do not treat the client-supplied file name as a path. Resolve the name against a fixed download directory, canonicalise the result and refuse the request unless the resolved path still lies inside that directory (or, better, map a short identifier to a known file so that no file name is accepted at all). Back this with test cases that cover absolute paths, "../" sequences and URL-encoded separators, so that only the intended files can be downloaded and every other request fails.
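The DownloadServlet code itself is not shown on the page, so the following is an added Python example, not the servlet's code: resolve_unsafe is assumed to mirror the flawed logic (the user-supplied name is joined straight onto the download directory), and resolve_safe / read_download show the containment check described in the mitigation. The download directory, the file report.pdf and its content are constructed for the demo; the probe names include "//etc/hosts", which is what the curl request above sends after URL decoding.

```python
import os
import tempfile

# Constructed sample: a download directory holding one legitimate file.
SAMPLE_NAME = "report.pdf"
SAMPLE_CONTENT = b"sample report (constructed)"


def make_demo_dir():
    """Create a throwaway download directory with one file and return its path."""
    download_dir = tempfile.mkdtemp(prefix="downloads-")
    with open(os.path.join(download_dir, SAMPLE_NAME), "wb") as fh:
        fh.write(SAMPLE_CONTENT)
    return download_dir


def resolve_unsafe(download_dir, filename):
    """Flawed resolution (assumed to mirror the servlet): join the raw name onto the directory.

    os.path.join discards download_dir entirely when filename is absolute,
    and '..' components are honoured, so any readable file can be named.
    """
    return os.path.join(download_dir, filename)


def resolve_safe(download_dir, filename):
    """Hardened resolution: canonicalise and require containment in download_dir.

    Returns the canonical path of an existing regular file inside
    download_dir, or None when the request must be refused.
    """
    base = os.path.realpath(download_dir)
    try:
        candidate = os.path.realpath(os.path.join(base, filename))
    except (ValueError, OSError):
        # e.g. an embedded NUL byte in the name: refuse rather than guess.
        return None
    # realpath resolves '..' and symlinks, so a candidate that escaped the
    # directory no longer has base as its common path prefix.
    if os.path.commonpath([base, candidate]) != base:
        return None
    # Refuse anything that is not a regular file (directories, missing names).
    if not os.path.isfile(candidate):
        return None
    return candidate


def read_download(download_dir, filename):
    """What the servlet should do: serve the file only if it resolves safely."""
    path = resolve_safe(download_dir, filename)
    if path is None:
        return None
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    d = make_demo_dir()
    for name in [SAMPLE_NAME, "/etc/hosts", "//etc/hosts", "../../../../etc/hosts"]:
        print(f"{name!r}: unsafe -> {resolve_unsafe(d, name)}  safe -> {resolve_safe(d, name)}")
```

Running the block prints, for each probe name, the path the flawed join produces (for the three attack names it is /etc/hosts, outside the download directory) next to the hardened result (None for all three, the real path of report.pdf for the legitimate name). The check is done on the canonical path rather than by blacklisting "../" or "/", which is why URL-encoded or doubled separators do not get around it.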