A safe, local Vulnerability Lab designed to demonstrate OS Command Injection. This project provides a holistic view of a vulnerability lifecycle: Deployment (Dev), Exploitation (Red Team), and Remediation (Blue Team).
This application is vulnerable by design.
Do not deploy this application to a public web server or expose it to the internet. It is intended solely for educational purposes, Capture The Flag (CTF) practice, and local security testing.
This lab is designed to teach three distinct cybersecurity disciplines:
- Development: Understanding how insecure coding practices (like direct string concatenation) lead to vulnerabilities.
- Offensive Security: Learning how to identify and exploit Command Injection flaws using automated scripts.
- Defensive Security: Implementing input validation and secure API calls to neutralize the threat.
CmdInject-Lab/
│
├── vulnerable_app/ # The intentionally vulnerable Flask application
│ ├── app.py # Main application logic
│ └── requirements.txt # Python dependencies
│
├── exploit_scripts/ # Automated Red Team tools
│ └── auto_exploit.py # Script to weaponize the vulnerability
│
├── defense_artifacts/ # Blue Team remediation code
│ └── secure_code_example.py # Patched and secure logic
│
└── README.md # You are here
- Python 3.x installed
pip(Python package installer)
Clone the repository to your local machine:
git clone https://github.com/YOUR_USERNAME/CmdInject-Lab.git
cd CmdInject-LabInstall the required dependencies for the web application:
cd vulnerable_app
pip install -r requirements.txtStart the Flask server:
python app.pyThe application will be running locally at: http://127.0.0.1:5000
With the server running, we can simulate an attack. The application takes an IP address to "ping," but fails to sanitize the input.
- Open the web interface at
http://127.0.0.1:5000. - In the input box, enter:
127.0.0.1; whoami - Submit the form.
- Result: The server executes
ping 127.0.0.1followed bywhoami. You will see the server's username in the output (e.g.,rootor your user profile).
A script is provided to automate this process.
- Open a new terminal window.
- Install the requests library if needed:
pip install requests - Run the exploit script from the project root:
cd exploit_scripts
python auto_exploit.py idExpected Output:
The script will inject the payload and return the output of the id command (or whoami on Windows), proving Remote Code Execution (RCE).
The vulnerability exists in vulnerable_app/app.py at this line:
# VULNERABLE CODE
command = f"ping -c 1 {ip}"
output = os.popen(command).read()To fix this, we must:
- Validate Input: Ensure the input is a valid IP address and contains no special characters.
- Use Secure Libraries: Avoid
os.popenorshell=True.
See defense_artifacts/secure_code_example.py for the corrected implementation:
import subprocess
import re
def secure_ping(ip_address):
# 1. Input Validation: Strict regex for IPv4
# Only allows numbers and dots. Rejects ';', '&', '|', etc.
if not re.match(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$", ip_address):
return "Error: Invalid IP address format."
# 2. Secure Execution: Use subprocess without shell=True
# Arguments are passed as a list, preventing command chaining
try:
result = subprocess.run(
['ping', '-c', '1', ip_address],
capture_output=True,
text=True
)
return result.stdout
except Exception as e:
return f"Execution Error: {e}"| Category | Tools |
|---|---|
| Backend | Python, Flask |
| Networking | HTTP, Sockets |
| Security Concepts | OS Command Injection, Input Sanitization, Subprocess Security |
This project is licensed under the MIT License. See the LICENSE file for details.