Command Injection via Argument Injection

NOTE: This post is for educational purposes only. Please use the information responsibly and legally.
Summary
A command injection vulnerability was identified on example.com, where user-controlled input was passed directly into an operating system command.
Although common command separators were filtered, it was still possible to read sensitive server files using argument injection.
Affected Endpoint
https://example.com/search.php?needle=INPUT
Vulnerable Code (Assumed Backend Logic)
passthru("grep -i $key dictionary.txt");
User input from the needle parameter was directly embedded into a system command without proper sanitization.
Proof of Concept (PoC)
Payload Used
a cat /etc/app_secrets/credentials.txt whoami
Resulting Server Command
grep -i a cat /etc/app_secrets/credentials.txt whoami dictionary.txt
Impact Explanation
In Linux, the shell splits the command string on spaces into separate arguments
grep syntax: grep PATTERN FILE1 FILE2 ...
a became the search pattern
/etc/app_secrets/credentials.txt was treated as a file operand
Since the file existed and contained the letter a, its contents were printed in the response
Note:
cat and whoami were not executed; they were treated as file names (grep reported them as non-existent files)
Only the real file path was read successfully
Root Cause
User input passed directly to passthru()
No input validation or argument escaping
Incomplete filtering (only ; | & blocked)
Vulnerability Type
OS Command Injection
Argument Injection
Security Impact
Unauthorized file disclosure
Potential exposure of sensitive credentials
Further escalation possible depending on server configuration
Recommendation
Avoid using shell execution functions with user input
Use safe alternatives (e.g., PHP functions instead of OS commands)
If shell execution is required, strictly validate and escape all user input
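Added example, not the application's own code: the vulnerable passthru() form from the writeup next to two hardened versions, one that bypasses the shell entirely with the argv-array form of proc_open (PHP 7.4 or later is assumed) and one that uses escapeshellarg() where a shell string is unavoidable. The dictionary file, the second file, the temp-directory paths and the function names are constructed for this demonstration.

```php
<?php
// Added example, not the original application's code. Assumes PHP >= 7.4 (for
// the array form of proc_open) and grep on PATH; file paths and the sample
// dictionary are constructed here for the demonstration.
declare(strict_types=1);

// Vulnerable form from the writeup: $needle is pasted into the shell string, so
// each whitespace-separated token becomes its own argument, and grep treats
// every argument after the pattern as a file operand to read.
function searchVulnerable(string $needle, string $dictionary): string
{
    ob_start();
    passthru("grep -i $needle $dictionary");
    return (string) ob_get_clean();
}

// Hardened form: (1) reject anything outside an allowlist of characters,
// (2) pass an argv array to proc_open so no shell parses the input, and
// (3) end option parsing with "--" so a needle starting with "-" cannot be
// taken as a grep flag.
function searchHardened(string $needle, string $dictionary): string
{
    if (!preg_match('/\A[A-Za-z0-9]{1,64}\z/', $needle)) {
        throw new InvalidArgumentException('needle must be 1-64 alphanumeric characters');
    }
    $argv = ['grep', '-i', '--', $needle, $dictionary];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start grep');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// If a shell string is unavoidable (older PHP), escapeshellarg() wraps the whole
// needle in single quotes so it stays a single argument; "--" is still required
// so a leading "-" is not parsed as an option.
function searchEscaped(string $needle, string $dictionary): string
{
    ob_start();
    passthru('grep -i -- ' . escapeshellarg($needle) . ' ' . escapeshellarg($dictionary));
    return (string) ob_get_clean();
}

// Demonstration with constructed files in the temp directory.
$dir        = sys_get_temp_dir();
$dictionary = $dir . '/dictionary.txt';
$otherFile  = $dir . '/other.txt';   // stands in for any readable file on the host
file_put_contents($dictionary, "apple\nbanana\ncherry\n");
file_put_contents($otherFile, "alpha line that should never leak\n");

$payload = 'a ' . $otherFile;   // same shape as the writeup's payload

echo "vulnerable:\n" . searchVulnerable($payload, $dictionary);
// grep reads both files because $otherFile became a second file operand

echo "escaped:\n" . searchEscaped($payload, $dictionary);
// the whole payload is one pattern; no dictionary line matches it, so no output

try {
    searchHardened($payload, $dictionary);
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected (" . $e->getMessage() . ")\n";
}
echo "hardened:\n" . searchHardened('an', $dictionary); // prints "banana"
```

The allowlist check is the first line of defence and should be as narrow as the feature allows; the argv-array call is what actually removes the shell from the picture, and the "--" terminator closes the remaining gap where the pattern itself could be read as a grep option.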