This post explains why, in Java, most command line injection vulnerabilities cannot, in the most common cases, be exploited with:
- && dir
- ; ls
There are two options for running a command:
- Send the whole command to the OS shell (CMD or /bin/sh) and let the shell parse and run it.
- Split the words of the command into an array, execute the first word, and pass the rest as parameters.
The difference shows when, for example, the command is:
Notepad.exe a.txt && dir
The first method will run both commands (open Notepad with the file a.txt and, if that succeeds, run the command dir). The second method will pass ‘&&’ and ‘dir’ as parameters to the notepad.exe program. Therefore, ‘&&’ and ‘dir’ will not run.
This is also the difference between the ‘system’ function in C, which works like the first method, and the ‘Runtime.exec’ function in Java, which works like the second method.
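The two methods side by side, as an added example that is not part of the original post. It assumes a POSIX system with echo on the PATH and /bin/sh present, and substitutes echo for Notepad.exe and dir; the class name ExecSplitDemo and the helper names are hypothetical.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;

public class ExecSplitDemo {
    // Mirrors how Runtime.exec(String) builds the argument array:
    // a plain whitespace split, with no quoting rules and no shell operators.
    static List<String> tokenize(String command) {
        List<String> argv = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(command);
        while (st.hasMoreTokens()) {
            argv.add(st.nextToken());
        }
        return argv;
    }

    // Collects the child's standard output and waits for it to exit.
    static String run(Process p) throws IOException, InterruptedException {
        StringBuilder out = new StringBuilder();
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(p.getInputStream()))) {
            String line;
            while ((line = r.readLine()) != null) {
                out.append(line).append('\n');
            }
        }
        p.waitFor();
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: same shape as "Notepad.exe a.txt && dir".
        String command = "echo a.txt && echo SECOND";
        System.out.println("argv seen by Runtime.exec(String): " + tokenize(command));

        // Second method: the first word is executed and "&&", "echo", "SECOND"
        // reach it as literal arguments, so only one program runs.
        System.out.print("no shell:   " + run(Runtime.getRuntime().exec(command)));

        // First method: the whole string is handed to the shell, which
        // interprets "&&" as an operator and runs both commands.
        String[] viaShell = {"/bin/sh", "-c", command};
        System.out.print("with shell: " + run(Runtime.getRuntime().exec(viaShell)));
    }
}
```

Code that wraps the command in /bin/sh -c (or cmd /c on Windows) is back to the first method, so that is the pattern to look for in review when untrusted input reaches Runtime.exec.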