Difference between revisions of "Code Injection"

From OWASP
(Examples)
(Examples)
Line 15: Line 15:
 
Such as :
 
Such as :
  
<!--#exec cmd="ls"-->
+
< !--#exec cmd="ls" -- >
  
 
will show all the files in current directory is the server is on a UNIX/LINUX machine.
 
will show all the files in current directory is the server is on a UNIX/LINUX machine.
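Review bot: the replacement line writes the directive as `< !--#exec cmd="ls" -- >`, with a space after `<` and inside the closing `-- >`, which is not the form of an SSI directive, so the displayed example no longer matches what the following sentence says it does. If the spaces are only there to stop the wiki from swallowing the text as an HTML comment, keep the original `<!--#exec cmd="ls"-->` and wrap it in `<nowiki>` or `<pre>` instead. The unchanged context line below it reads "is the server is", which should be "if the server is".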
Line 21: Line 21:
  
  
for Windows platform :           <!--#exec cmd="dir"-->
+
for Windows platform :         < !--#exec cmd="dir"-- >
  
  
 
This can be used for destructive purpose also , as the commands are executed in root/admin previlage.
 
This can be used for destructive purpose also , as the commands are executed in root/admin previlage.
  
Such as  <!--#exec cmd="format c:"-->
+
Such as  < !--#exec cmd="format c:"-- >
  
 
==Related Threats==
 
==Related Threats==
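Review bot: the two replaced lines in this hunk space the delimiters differently from the first example (`"dir"-- >` and `"format c:"-- >` here, `"ls" -- >` in the hunk above), so the page shows three near-identical directives in two notations. Use one form throughout, preferably the unmodified directive inside `<nowiki>`. The context sentence between the two changes also misspells "privilege" as "previlage" and has a stray space before the comma.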

Revision as of 03:41, 24 July 2006

This is an Attack. To view all attacks, please see the Attack Category page.




Description

This article should cover attacks based on injecting code into a running application.

Examples

If server-side scripting is enabled at some address (such as a guestbook, where users can insert data), then an SSI attack can be carried out.


Such as:

<!--#exec cmd="ls" -->

will show all the files in the current directory if the server is on a UNIX/Linux machine.


For the Windows platform: <!--#exec cmd="dir" -->


This can also be used for destructive purposes, as the commands are executed with root/admin privilege.

Such as <!--#exec cmd="format c:" -->
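A defensive check for the guestbook scenario above, as an added example that is not part of the original article: it flags SSI directives in submitted text and HTML-encodes the entry before it is written to a page the server parses. The function names and the sample entries are assumptions made for illustration.

```python
import html
import re

# An SSI directive has the form <!--#element attr="value" -->.
# The pattern also tolerates stray whitespace around the delimiters
# and matches case-insensitively.
SSI_DIRECTIVE = re.compile(
    r"<\s*!--\s*#\s*([a-z]+)\b(.*?)--\s*>",
    re.IGNORECASE | re.DOTALL,
)


def find_ssi_directives(text):
    """Return a list of (element, attributes) for each directive found."""
    return [
        (m.group(1).lower(), m.group(2).strip())
        for m in SSI_DIRECTIVE.finditer(text)
    ]


def prepare_guestbook_entry(text):
    """Hypothetical guestbook handler step.

    Returns (safe_text, findings). safe_text is HTML-encoded, so the
    server-side parser never sees a literal "<!--#" sequence; findings
    lists the directives seen, for logging or for rejecting the entry.
    """
    findings = find_ssi_directives(text)
    safe_text = html.escape(text, quote=True)
    return safe_text, findings


if __name__ == "__main__":
    # Constructed sample entries; the second reuses the article's example.
    samples = [
        "Nice site, thanks!",
        'Hello <!--#exec cmd="ls" -->',
    ]
    for entry in samples:
        safe, found = prepare_guestbook_entry(entry)
        print(repr(safe), found)
```

Encoding on output is what neutralizes the directive; the findings list only tells an operator that someone tried.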

Related Threats

Related Attacks

Related Vulnerabilities

Related Countermeasures