Command and code execution vulnerabilities occur when developers fail to implement strict security controls, allowing attackers to submit malicious commands or code through interfaces or parameters. These vulnerabilities are categorized into SQL injection, common framework/component flaws (e.g., Struts2, Weblogic, Fastjson, Apache components), and business function modules. Testing methods involve using special characters like &, &&, |, and ||. Dangerous functions in PHP include system(), exec(), eval(), and in Java, Runtime.getRuntime().exec() and ProcessBuilder. Vulnerabilities can appear in any parameterized location, especially in network devices and management backends. Successful exploitation can lead to full server control, data theft, and lateral movement. A notable example is the Struts2 S2-045 vulnerability, which allowed remote code execution via the Content-Type header. Defenses include strict input filtering, disabling dangerous functions, timely patching, and using escapeshellcmd/escapeshellarg.
1. Command Execution Overview
1.1 Principles of Command and Code Execution
1.1.1 Command Execution
Principle: When developers fail to implement strict security controls in their code, attackers can submit "unexpected commands" through interfaces or related parameters, causing the backend to execute them and ultimately gain control over the entire backend server.
1.1.2 Code Execution
Principle: Failure to rigorously validate input submitted through interfaces allows carefully crafted malicious code from attackers to be executed illegally.
Cause: Users submit execution commands through the browser. Because the server does not apply filters to execution functions, commands may run without an absolute path, potentially allowing attackers to execute maliciously crafted code by manipulating $PATH or other aspects of the program's execution environment.
1.2 Vulnerability Categories
SQL Injection-Based Command Execution: Exploits database built-in features (e.g., xp_cmdshell) and other stored procedures to execute system commands.
Common Framework/Component Vulnerabilities: Currently the most prevalent attack surface
Struts2 Command Execution
WebLogic Command Execution
Fastjson Deserialization Leading to Command Execution
Apache Components: High-risk RCE (Remote Code Execution) vulnerabilities disclosed in Shiro, Log4j2, Solr, and others.
Business Function Modules: Vulnerabilities arising from developers directly concatenating user-supplied parameters when implementing functionality such as ping tests, file exports, or system diagnostics.
1.3 Vulnerability Testing and Exploitation Techniques
Using Special Character Concatenation
&: Background execution (command1 & command2)
&&: Logical AND — the second command runs only if the first succeeds
|: Pipe — passes the output of the first command as input to the second
||: Logical OR — the second command runs only if the first fails
1.4 Dangerous Functions in Code Auditing
How to Investigate:
Dangerous Functions in PHP:
System Command Execution: system(), exec(), shell_exec(), passthru(), popen(), proc_open(), and the backtick operator.
Encoding/Decoding Bypass: base64_decode(), gzinflate(), gzuncompress(), gzdecode(), str_rot13(). Attackers commonly use these encoding functions to bypass defenses and conceal malicious code.
Special Functions: mail(), mb_sendmail(), as well as the configuration directives auto_prepend_file and auto_append_file.
Execution Methods in Java:
Runtime: Runtime.getRuntime().exec() — Runtime is a singleton used to interact with the runtime environment.
ProcessBuilder: Used to create operating system processes. It is highly capable and can also be leveraged for command execution.
1.5 Common Locations and Impact of Vulnerabilities
1.5.1 Common Locations
Command execution vulnerabilities can appearanywhere that accepts parameters. They are especially common inrouters, firewalls, intrusion detection systems (IDS), automated operations platforms and other network devices or management consoles.
1.5.2 Impact
Once successfully exploited, the attacker can take full control of the backend server, enabling activities such as data theft, backdoor implantation, and lateral movement within the internal network.
1.6 Classic Case Study: The Struts2 Command Execution Vulnerability
Due to Struts2's lenient filtering of OGNL expression parsing, attackers can inject malicious OGNL expressions to execute arbitrary Java code and system commands.
S2-005 / S2-009 / S2-013 / S2-016 / S2-019:
Vulnerabilities at this stage primarily occurred in parameter interceptors and tag parsing. Attackers could trigger OGNL expression execution by crafting malicious HTTP parameters.
S2-032 / S2-033 / S2-037
As Struts2 integrated the REST plugin, the attack surface shifted to RESTful API processing logic. Attackers exploited the REST plugin's request parsing characteristics to bypass defenses and execute OGNL.
S2-045 / S2-046 / S2-052 / S2-057
Epic-level vulnerabilities: This era produced themost destructive vulnerabilities in Struts2's history. S2-045, in particular, led directly to the compromise of a vast number of services worldwide.
S2-045 (CVE-2017-5638): "Content-Type". By simply inserting a malicious OGNL expression into the HTTP request'sContent-Type header, an attacker could take down a server instantly with zero prerequisites. Affected versions: Struts 2.3.5 through 2.3.31, and 2.5.x through 2.5.10.1.
1.7 Defense Recommendations
Strictly Filter Input: Validate user input against a whitelist, allowing only legitimate characters.
Disable Dangerous Functions: Disable functions such as exec and system in php.ini or the server configuration.
Apply Patches Promptly: Keep web frameworks up to date to guard against known vulnerabilities.
Use escapeshellcmd/escapeshellarg: Escape command arguments to prevent them from being interpreted as commands.
1. Command Execution Overview
1.1 Principles of Command and Code Execution
1.1.1 Command Execution
Principle: When developers fail to implement strict security controls in their code, attackers can submit "unexpected commands" through interfaces or related parameters, causing the backend to execute them and ultimately gain control over the entire backend server.
1.1.2 Code Execution
Principle: Failure to rigorously validate input submitted through interfaces allows carefully crafted malicious code from attackers to be executed illegally.
Cause: Users submit execution commands through the browser. Because the server does not apply filters to execution functions, commands may run without an absolute path, potentially allowing attackers to execute maliciously crafted code by manipulating $PATH or other aspects of the program's execution environment.
1.2 Vulnerability Categories
1.3 Vulnerability Testing and Exploitation Techniques
1.4 Dangerous Functions in Code Auditing
How to Investigate:
1.5 Common Locations and Impact of Vulnerabilities
1.5.1 Common Locations
Command execution vulnerabilities can appearanywhere that accepts parameters. They are especially common inrouters, firewalls, intrusion detection systems (IDS), automated operations platforms and other network devices or management consoles.
1.5.2 Impact
Once successfully exploited, the attacker can take full control of the backend server, enabling activities such as data theft, backdoor implantation, and lateral movement within the internal network.
1.6 Classic Case Study: The Struts2 Command Execution Vulnerability
Due to Struts2's lenient filtering of OGNL expression parsing, attackers can inject malicious OGNL expressions to execute arbitrary Java code and system commands.
1.7 Defense Recommendations
S2-059: Test Payload