Course

In this lab, we explore a scenario where a developer has applied some filters to prevent command injection by targeting special characters like semicolons, ampersands, and pipes. Despite these measures, the developer overlooked the fact that commands can still be executed using the backtick notation (`command`). This oversight is compounded by the improper use of PHP's `system` function, which only returns stdout, meaning the command could execute successfully without displaying the result on the page.

During the code review, we notice that the IP address input is not validated against a strict regular expression that defines what an IP address should look like. Instead, the code merely attempts to remove specific characters deemed malicious. This approach is flawed because it is easy to bypass, allowing an attacker to exploit the vulnerability and execute arbitrary commands on the server. This lab highlights the importance of proper input validation and the risks of relying solely on character filtering to secure command execution functions.