Web Hacking: Attacks and Defense

Appendix C. Remote Command Execution Cheat Sheet

This table provides a handy list of techniques that can be used for remote command execution, by language.

Table C-1. Remote Command Execution Cheat Sheet

Web Application Environment: Java Servlet

Source Code:

    class Example extends HttpServlet
    {
        .
        .
        .
        void function()
        {
            Runtime r = Runtime.getRuntime();
            Process p = r.exec("<command>", <arguments>);
        }
        .
        .
        .
    }

Additional Information: http://java.sun.com/j2se/1.4/docs/api/java/lang/Runtime.html

Web Application Environment: Java Server Pages (JSP)

Source Code:

    <%
        Runtime r = Runtime.getRuntime();
        Process p = r.exec("<command>", <arguments>);
    %>

Additional Information: http://java.sun.com/j2se/1.4/docs/api/java/lang/Runtime.html

Web Application Environment: Active Server Pages (ASP)

Source Code:

If Windows Scripting Host is installed on the target system:

    <%
        Set wsh = Server.CreateObject("Wscript.shell")
        wsh.run("<command>")
    %>

Additional Information: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/wsMthRun.asp

Web Application Environment: PERL

Source Code:

In PERL, commands are executed by wrapping them with the backtick symbol (`):

    $result = `<command>`;

or

    system("<command>");

or

    open(IN, "<command> |");

Additional Information: http://www.perldoc.com/perl5.6/pod/perlfunc.html

Web Application Environment: PHP

Source Code:

    <? system("<command>") ?>

or

    <? shell_exec("<command>") ?>

Additional Information: http://www.php.net/manual/en/function.shell-exec.php

Web Application Environment: MS SQL

Source Code:

    EXEC master..xp_cmdshell "<command>"
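
As an added example (not code from the book), the following Python scanner shows how a code reviewer could locate the command-execution calls from Table C-1 in application source and prioritise the ones that share a line with request input. The regular expressions, the file-extension mapping and the list of request-input accessors are assumptions of this example.

```python
import os
import re

# Command-execution sinks listed in Table C-1, keyed by environment.
# The regexes are this example's approximations, tuned for review triage.
SINKS = {
    "java": [("Runtime.exec", r"\.\s*exec\s*\(")],
    "asp": [("WScript.Shell", r"CreateObject\s*\(\s*\"wscript\.shell\"")],
    "perl": [("backticks", r"`[^`]+`"),
             ("system", r"\bsystem\s*\("),
             ("piped open", r"\bopen\s*\(.*\|\s*[\"']\s*\)")],
    "php": [("system", r"\bsystem\s*\("),
            ("shell_exec", r"\bshell_exec\s*\(")],
    "sql": [("xp_cmdshell", r"\bxp_cmdshell\b")],
}
# File-extension mapping is an assumption of this example.
EXTENSIONS = {".java": "java", ".jsp": "java", ".asp": "asp",
              ".pl": "perl", ".cgi": "perl", ".php": "php", ".sql": "sql"}
# Request-input accessors; a sink on the same line as one is reviewed first.
REQUEST_INPUT = re.compile(
    r"\$_(GET|POST|REQUEST|COOKIE)\b|\bgetParameter\s*\(|\bparam\s*\("
    r"|\bRequest\s*(\.\s*(QueryString|Form))?\s*\(", re.IGNORECASE)


def env_for(filename):
    """Return the Table C-1 environment for a file name, or None."""
    return EXTENSIONS.get(os.path.splitext(filename)[1].lower())


def find_sinks(source, env):
    """Return (line_number, sink_name, touches_request_input) per hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in SINKS[env]:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append((lineno, name, bool(REQUEST_INPUT.search(line))))
    return findings


# Constructed sample, not taken from a real application.
SAMPLE_PHP = """<?php
$host = $_GET['host'];
echo shell_exec("ping -c 1 " . $_GET['host']);
system("uptime");
?>"""

if __name__ == "__main__":
    for hit in find_sinks(SAMPLE_PHP, env_for("status.php")):
        print(hit)
```

A hit flagged `True` passes request data to the sink on the same line; hits flagged `False` still need a manual trace, since the input may reach the call through an intermediate variable.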
