I am trying to code a page that is intentionally vulnerable to command injection. This is for a training environment. This is the code I have so far:
using System.Diagnostics;   // ProcessStartInfo, Process
using System.Web.Mvc;       // ActionResult, Controller (ASP.NET MVC on .NET Framework)

public ActionResult CommandInjection()
{
    string domain = Request.QueryString["domain"];
    ViewBag.Domain = domain;
    // The query-string value becomes the argument string of nslookup.exe itself;
    // with UseShellExecute = false no shell (cmd.exe) is involved in starting it.
    ProcessStartInfo psi = new ProcessStartInfo("nslookup.exe", domain)
    {
        UseShellExecute = false,
        CreateNoWindow = true,
        RedirectStandardOutput = true
    };
    string result;
    using (var proc = Process.Start(psi))
    {
        // ReadToEnd blocks until nslookup closes stdout; only stdout is captured,
        // so anything nslookup writes to stderr never reaches the page.
        result = proc.StandardOutput.ReadToEnd();
    }
    ViewBag.Msg = "This page is vulnerable to Command Injection";
    ViewBag.Result = result;
    return View();
}
It seems to work well when it sees a normal request for domain lookup.
However, when it sees a request like so:
http://localhost:50159/Home/CommandInjection?domain=www.google.com+%26+dir
it returns a blank.
What I was expecting was that it would return the result from the domain lookup followed by the output from the dir command.
It's not that easy to shoot yourself in the foot in this case, but you can, like this:
// Intentionally vulnerable: cmd.exe now parses the command line, so "&" in
// domain chains a second command instead of being just another nslookup argument.
ProcessStartInfo psi = new ProcessStartInfo("cmd.exe", "/c \"nslookup.exe " + domain + "\"")
{
    UseShellExecute = false,
    CreateNoWindow = true,
    RedirectStandardOutput = true
};
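Added example (my code, not part of the question or the answer above): a stand-alone Windows console program that feeds the same decoded payload, "www.google.com & dir", through three variants of the lookup. The first is the question's direct-exec form, the second is the answer's cmd.exe /c form, and the third is a hardened form that allow-lists the input with Uri.CheckHostName before any process is started. Both stdout and stderr are captured, so a lookup that fails inside nslookup.exe shows its error text instead of a blank page. The class and method names are my own.

```csharp
using System;
using System.Diagnostics;

static class LookupDemo
{
    // Runs a process with both output streams captured. The original code only read
    // stdout, which is why a failed lookup came back as an empty string.
    static string Run(ProcessStartInfo psi)
    {
        psi.UseShellExecute = false;
        psi.CreateNoWindow = true;
        psi.RedirectStandardOutput = true;
        psi.RedirectStandardError = true;
        using (var proc = Process.Start(psi))
        {
            // Drain stderr on another thread so neither pipe fills up and deadlocks.
            var stderr = proc.StandardError.ReadToEndAsync();
            string stdout = proc.StandardOutput.ReadToEnd();
            proc.WaitForExit();
            return stdout + stderr.Result;
        }
    }

    // Variant 1 (the question's code): the whole string is nslookup.exe's own argument
    // list. No shell parses it, so "&" and "dir" are just tokens handed to nslookup.
    public static string DirectExec(string domain)
        => Run(new ProcessStartInfo("nslookup.exe", domain));

    // Variant 2 (the answer's code): cmd.exe parses the line, so "&" chains a second
    // command and "dir" actually runs.
    public static string ViaCmd(string domain)
        => Run(new ProcessStartInfo("cmd.exe", "/c \"nslookup.exe " + domain + "\""));

    // Variant 3 (hardened): reject anything that is not a plain DNS name before it
    // reaches any process, and never route it through cmd.exe. Uri.CheckHostName
    // returns UriHostNameType.Unknown for strings containing spaces, "&", quotes, etc.
    public static string Hardened(string domain)
    {
        if (string.IsNullOrWhiteSpace(domain) || Uri.CheckHostName(domain) != UriHostNameType.Dns)
            throw new ArgumentException("not a valid host name: " + domain);
        return Run(new ProcessStartInfo("nslookup.exe", domain));
    }

    static void Main()
    {
        // Constructed input: the decoded form of ?domain=www.google.com+%26+dir
        string payload = "www.google.com & dir";

        Console.WriteLine("== direct exec (question's code) ==");
        Console.WriteLine(DirectExec(payload));

        Console.WriteLine("== via cmd.exe /c (answer's code) ==");
        Console.WriteLine(ViaCmd(payload));

        Console.WriteLine("== hardened ==");
        try { Console.WriteLine(Hardened(payload)); }
        catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Running it shows the difference directly: only the cmd.exe variant prints a directory listing after the lookup, while the direct-exec variant prints whatever nslookup.exe says about the extra arguments and the hardened variant refuses the input before spawning anything. For the training page, the cmd.exe variant is the one to ship; for production code, the hardened shape (validate against an allow-list, call the target executable directly, never build a command line for cmd.exe from user input) is the one to copy.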