
The Java program is:

import java.util.*;
import java.io.*;

public class test{
    public static void main(String[] args){
        try{
            // args[0] is handed to cmd.exe unchanged as part of the "dir" command line
            Process proc = (new ProcessBuilder("cmd.exe", "/c", "dir", args[0])).start();
            // read stdout before waiting: waiting first can block the child once the pipe fills
            BufferedReader r = new BufferedReader(new InputStreamReader(proc.getInputStream()));

            String line;
            while ((line = r.readLine()) != null)
                System.out.println(line);
            r.close();
            proc.waitFor();
        } catch(Exception e){
            e.printStackTrace(); // do not silently swallow failures
        }
    }
}

This program is vulnerable to command injection. When I run the following command:

java test ".&ipconfig"

this program will execute both `dir .` and `ipconfig`.

How does `ProcessBuilder` parse these arguments and execute them?

I noticed that the command line `cmd.exe /c dir ".&ipconfig"` outputs different results in CMD (fails) and PowerShell (succeeds).

asked by useprxf
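The reason the `&` reaches cmd.exe as an operator is the shape of the command line Java builds, not anything ProcessBuilder does with `&` itself. In my reading of the JDK's Windows `ProcessImpl`, an argument destined for an `.exe` is only wrapped in double quotes when it contains whitespace or a redirection character, so the four list elements above are joined into `"C:\Windows\System32\cmd.exe" /c dir .&ipconfig`, with no quotes around `.&ipconfig`. That is the `dir . & ipconfig` form, not the quoted `dir ".&ipconfig"` typed by hand in a command prompt. The defensive version below is an added example, not code from the question: it lists the directory with the NIO API so no shell is involved, and, for the case where a cmd built-in really is wanted, rejects any argument carrying cmd metacharacters before a process is spawned. The class and method names (`SafeDir`, `isSafeCmdArgument`, `listWithoutShell`, `listWithCmd`) and the two sample inputs are my own constructions.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class SafeDir {

    // Characters cmd.exe treats as operators, redirection, quoting or variable
    // expansion even when they arrive inside one ProcessBuilder argument.
    // Such input is rejected outright rather than escaped.
    private static final Pattern CMD_METACHARS = Pattern.compile("[&|<>^\"%!()]");

    // Allow-list check, used only when a shell is unavoidable. Returns true for a
    // plain path-like string with no cmd operators and no control characters.
    static boolean isSafeCmdArgument(String arg) {
        if (arg == null || arg.isEmpty() || arg.length() > 260) {
            return false;
        }
        if (CMD_METACHARS.matcher(arg).find()) {
            return false;
        }
        for (char c : arg.toCharArray()) {
            if (c < 0x20) {
                return false;
            }
        }
        return true;
    }

    // Preferred fix: no cmd.exe at all, so there is no command line to parse.
    static List<String> listWithoutShell(String userPath) throws IOException {
        Path dir = Paths.get(userPath).toAbsolutePath().normalize();
        if (!Files.isDirectory(dir)) {
            throw new IOException("not a directory: " + dir);
        }
        List<String> names = new ArrayList<>();
        try (DirectoryStream<Path> stream = Files.newDirectoryStream(dir)) {
            for (Path p : stream) {
                names.add(p.getFileName().toString());
            }
        }
        return names;
    }

    // If the DIR built-in is really required: validate first, then drain stdout
    // before waitFor() so a large listing cannot fill the pipe and block the child.
    static List<String> listWithCmd(String userPath) throws IOException, InterruptedException {
        if (!isSafeCmdArgument(userPath)) {
            throw new IllegalArgumentException("rejected argument: " + userPath);
        }
        ProcessBuilder pb = new ProcessBuilder("cmd.exe", "/c", "dir", userPath);
        pb.redirectErrorStream(true);
        Process proc = pb.start();
        List<String> lines = new ArrayList<>();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(proc.getInputStream()))) {
            String line;
            while ((line = r.readLine()) != null) {
                lines.add(line);
            }
        }
        if (proc.waitFor() != 0) {
            throw new IOException("dir exited with " + proc.exitValue());
        }
        return lines;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: the benign one and the one from the question.
        String[] samples = { ".", ".&ipconfig" };
        for (String s : samples) {
            System.out.println("\"" + s + "\" accepted for cmd: " + isSafeCmdArgument(s));
        }
        // ".&ipconfig" is refused before any process starts; "." is listed with no shell.
        System.out.println(listWithoutShell("."));
    }
}
```

`isSafeCmdArgument` is deliberately an allow-list rather than an attempt to quote: cmd.exe quoting rules differ between `/c`, `/s /c` and batch context, and `%` and `!` expansion happens before operator parsing, so rejecting the characters is the only rule that holds in every case. `listWithoutShell` is the one to reach for whenever a directory listing is all that is needed.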
  • Well, there is no file with name `.&ipconfig` in the current directory which the *Windows Command Processor* `cmd.exe` can find on execution of its internal command __DIR__. The character `&` is __not__ interpreted as [unconditional command operator](https://stackoverflow.com/a/25344009/3074564) as it is inside a double quoted argument string for __DIR__. The correct command line would be `cmd /c dir . & ipconfig` or `cmd /s /c "dir . & ipconfig"`. Run in the command prompt window `cmd /` and read the output usage help explaining how the argument(s) after option `/C` or `/K` are interpreted. – Mofi Sep 01 '23 at 04:56
  • PowerShell is also a script interpreter which first interprets the command line. `"` is interpreted differently by PowerShell in comparison to the *Windows Command Processor*. For that reason PowerShell finally runs `"C:\Windows\System32\cmd.exe" /c dir .&ipconfig`. Both `"` are removed by PowerShell before running `cmd.exe` using its fully qualified file name enclosed in `"` and the other arguments appended as specified on the PowerShell command line. – Mofi Sep 01 '23 at 05:03
  • The usage of `cmd /c dir '".&ipconfig"'` in PowerShell console would result in running `"C:\Windows\System32\cmd.exe" /c dir ".&ipconfig"` which would result in same error message output by __DIR__ of `cmd.exe` as output on running wrong `cmd.exe /c dir ".&ipconfig"` in a command prompt window. The syntax of *PowerShell* has nothing in common with the syntax of the *Windows Command Processor*. If a command line for `cmd` is run from within a PowerShell console, the command line must be of correct syntax for both interpreters. – Mofi Sep 01 '23 at 05:08
  • BTW: The correct PowerShell command line for listing the current directory and running `%SystemRoot%\System32\ipconfig.exe` (unless by chance some other program or script with the name `ipconfig` is found first via the __local__ environment variables `PATH` and `PATHEXT` in PowerShell's memory) is: `dir .; ipconfig`. In PowerShell syntax `;` is the unconditional command operator for two commands on one command line, not `&` as it is for the *Windows Command Processor*. – Mofi Sep 01 '23 at 05:14
  • PS: This __question__, which contains no question at all, is off-topic in my opinion for Stack Overflow according to the reasons described by the help topics [What types of questions should I avoid asking?](https://stackoverflow.com/help/dont-ask) and [What topics can I ask about here?](https://stackoverflow.com/help/on-topic) You just wrote the command line for `cmd` in wrong syntax and wondered why the same command line, interpreted first by PowerShell, which changes the arguments for `cmd` to correct syntax, results in a different output. The question should be deleted in my opinion as not useful. – Mofi Sep 01 '23 at 05:18
  • PPS: I recommend [A-Z index of Windows CMD commands](https://ss64.com/nt/) and [Windows CMD Shell How-to guides and examples](https://ss64.com/nt/syntax.html) explaining the __CMD__ syntax and [An A-Z Index of Windows PowerShell commands](https://ss64.com/ps/) and [Windows PowerShell How-to guides and examples](https://ss64.com/ps/syntax.html) explaining the PowerShell syntax. – Mofi Sep 01 '23 at 05:21
  • PowerShell is way more potent than cmd, so why would it behave the same in all circumstances? Also your title says "same command", but in your question body we can see that the command is in fact not 100% identical between PowerShell and cmd. So yeah, I don't get it. – David Trevor Sep 01 '23 at 05:21

0 Answers