This post will explain to you, why it is that in Java most of the command line injection vulnerabilities in most common cases could not be exploited with:

• && dir
• ; ls

There are two options for running a command:

1. Send the whole command to the OS shell (CMD or /bin/sh) and let Java parse & run it.
2. Split the words of the command into an array, execute the first word, and pass the rest as parameters.

The difference is when, for example, the command is:

Notepad.exe a.txt && dir

The first method will run both commands (open  Notepad with the file a.txt and, if it will succeed, run the command dir). The second method will pass the ‘&&’ and ‘dir’ as  parameters to the notepad.exe program. Therefore, ‘&&’ and ‘dir’ will not run.

This is also the difference between the ‘system’ function in C language which works as the first method, and ‘Runtime.exec’ function in Java which works with the second method.

Read more →