Skip to content

AppSecExplained/ctf-commandinjection

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

27 Commits
views
views
 
 
Jenkinsfile
Jenkinsfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
burp_config.yml
burp_config.yml
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
server.js
server.js
 
 

Repository files navigation

ctf-commandinjection

This app is obviously not secure and not suitable for production environments, etc. It demonstrates basic command injection and some weak defenses that can by bypassed.

Feel free to use this for:

  • understanding basic command injection attacks
  • testing payloads
  • code review practice
  • for CTFs (the endpoints are easy to copy & reuse)

Execute 1

Executes the command

Execute 2

Checks the input for allowed commands and blocks if one is not found.

Execute 3

Checks the input for special characters and blocks based on that.

Setup

git clone https://github.com/AppSecExplained/ctf-commandinjection.git
cd ctf-commandinjection
npm install
node server.js

Browse to http://localhost:3000

image

About

A small demo showing a command injection vulnerability and weak defenses.

Resources

Readme

License

MIT license
Activity

Stars

5 stars

Watchers

1 watching

Forks

0 forks
Report repository

Languages