What Is a Command Injection?
In the end, the complex computer world still serves people and is ultimately manipulated by people. If we look at how a person manipulates a computer from an "atomic" perspective, it shows nothing but two aspects: data, and instructions for manipulating the data. When the data and instructions are set in advance and each performs its own duty, the world is peaceful: people process the input data through the instructions, obtain the desired results, and output them through specific channels.
However, with the rapid development of IT, "computers" now take many forms (large servers, PCs, smart terminals, and the various applications running on them), and people interact with them in different roles (developer, maintainer, power user, normal user, manager, and so on). In these scenarios, data and even instructions usually cannot be fixed in advance; they have to be entered dynamically at run time. If the two are mixed together and not well organized, they can be exploited by attackers, giving rise to a typical attack method: command injection.

The common pattern of a command injection attack is this: only data is supposed to be input, but malicious code is entered along with the data, and the system that loads the data lacks a well-designed filtering process, so the malicious code is executed together with the legitimate instructions, ultimately leading to information leakage or destruction of normal data. One of the most common types is SQL (Structured Query Language) injection against database systems. Common SQL statements are composed of operations such as adding, deleting, modifying and querying data that meets certain conditions (some rows and certain columns). The condition that has to be met is the "data" (for example, the gender in the student table is female, or the age is greater than 10); the selection and execution of that data is the "instruction". A successful SQL injection attack consists in mixing other SQL clauses into the entered data so that the final SQL statement is syntactically correct (the database system itself has no defense against this) and is executed.
Command injection attacks such as SQL injection can cause serious harm, including:
1. Information leakage, such as the leakage of confidential personal data (accounts, passwords) stored in the database; the data structure may also become known to attackers, who can then carry out further attacks.
2. Destruction of normal data, as described above.
3. Use of the operating system command interface provided by the database server to take control of the entire system.
From the analysis of the SQL injection scenario above, SQL injection (and other command injection attacks) can be prevented in two ways:
1. The application isolates instructions from data. When data is passed to the system, any malicious instructions mixed into it are still treated as data; at worst the abnormal data fails to produce a correct result, and a malicious attack is avoided.
2. Filter the input data and discard it if malicious executable content is mixed in.
New injection methods will keep appearing, and filtering methods will need to be updated accordingly, possibly with a lag. Scheme 2 can therefore filter common command injections, but good isolation between instructions and data is the fundamental way to solve command injection.
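As an added example, not part of the original article, the following Python script with sqlite3 contrasts the two situations described above: a query that splices the input into the statement text treats a hostile value as instructions, while a parameterized query keeps the same value as data. The student table and both inputs are constructed for the demonstration.

```python
import sqlite3

# Constructed sample table, following the article's student example.
STUDENTS = [
    ("alice", "female", 12),
    ("bob", "male", 9),
    ("carol", "female", 15),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT, gender TEXT, age INTEGER)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", STUDENTS)
    return conn


def find_by_gender_unsafe(conn, gender):
    """Vulnerable: the input is spliced into the instruction text, so a value
    containing SQL syntax changes the statement instead of staying data."""
    sql = "SELECT name FROM students WHERE gender = '" + gender + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_by_gender_safe(conn, gender):
    """Isolated: the statement is fixed in advance; the value travels as a
    bound parameter and is compared literally, whatever characters it has."""
    sql = "SELECT name FROM students WHERE gender = ?"
    return sorted(row[0] for row in conn.execute(sql, (gender,)))


def demo():
    """Run both variants on a normal and a constructed hostile input."""
    conn = make_db()
    normal = "female"
    # Constructed hostile input: the quote closes the string literal and an
    # always-true clause is appended, widening the condition to every row.
    hostile = "female' OR '1'='1"
    return {
        "unsafe_normal": find_by_gender_unsafe(conn, normal),
        "unsafe_hostile": find_by_gender_unsafe(conn, hostile),  # every row
        "safe_normal": find_by_gender_safe(conn, normal),
        "safe_hostile": find_by_gender_safe(conn, hostile),  # no row matches
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(label, names)
```

With the parameterized form the hostile string is simply a gender value that no student has, so the result set is empty; the spliced form returns all three students.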