OS Command Injection is a security vulnerability where an attacker can execute operating system (OS) commands on a server through a vulnerable application.
This happens when a web application takes user input and directly passes it to the operating system without proper validation or filtering.
OS command injection is a vulnerability that allows the attackers to to execute operating system command on a server by injecting a malicious input into a web application.
What is OS command injunction:
Basically, we know that OS command injunction is a security vulnerability where an attacker executes the command on a server through web application. This happens when an application takes the input from the user and passes it directly to the operating system without properly checking it.
Simple Example:
Suppose a website has a feature that checks if a server is online using the command ping example.com
If the application allows user input, a normal user might enter example.com
But an attacker could enter example.com; whoami
Now the server runs ping example.com; whoami
The whoami command show that which user the server is running as.
Why it is dangerous
If attackers exploit this vulnerability, they may be able to:
- run system commands
- access sensitive files
- modify or delete data
- Install malicious program on the server.
Injecting OS commands:
In this example, a shopping application lets the user view whether an item is in stock in a particular store. This information is accessed via a URL:
https://insecure-website.com/stockStatus?productID=381&storeID=29
To provide the stock information, the application must query various legacy systems. For historical reasons, the functionality is implemented by calling out to a shell command with the product and store IDs as arguments:
stockreport.pl 381 29
This command outputs the stock status for the specified item, which is returned to the user.
The application implements no defenses against OS command injection, so an attacker can submit the following input to execute an arbitrary command
& echo aiwefwlguh &
If this input is submitted in the productID parameter, the command executed by the application is:
stockreport.pl & echo aiwefwlguh & 29
The echo command causes the supplied string to be echoed in the output. This is a useful way to test for some types of OS command injection. The & character is a shell command separator. In this example, it causes three separate commands to execute, one after another. The output returned to the user is:
Error - productID was not provided aiwefwlguh 29: command not found
The three lines of output demonstrate that:
- The original
stockreport.plcommand was executed without its expected arguments, and so returned an error message. - The injected
echocommand was executed, and the supplied string was echoed in the output. - The original argument
29was executed as a command, which caused an error.
Placing the additional command separator & after the injected command is useful because it separates the injected command from whatever follows the injection point. This reduces the chance that what follows will prevent the injected command from executing.
Useful commands:
After we identified an OS command vulnerability, it is useful to execute some initial commands. That initial commands are important and give below:
Purpose of command linux ……………………. Windows Name of current user=whoami…………………. whoami Operating System = unname -a…………………. ver Network Configuration = ifconfig……………… ipconfig /all Network connections = netstat -an…………….. netstat -an Running process = ps -ef………………………….. tasklist
Blind OS command injunction vulnerabilities:
Blind OS command injunction happens when a website runs a system command using user input, but the result of the command is not shown in the HTTP response. In other words the command runs on the server, but the attacker cannot see the output on the website which is why it is called "blind". Even though the output is hidden but still the vulnerability can exploit using the other techniques.
For example, imagine and suppose a website that allows a user to run feedback. The users enter their email address and message, and the server sends the feedback to the administrator by running a command like this:
mail -s "This site is great" -aFrom:peter@normal-user.net feedback@vulnerable-website.com
This command sends an email to the admin with the users feedback. However the output of this mail command is not shown in the website's response. Because of this, simple payloads like echo will not display anything in the browser.
In this situation, testers use other techniques (such as time delays, external requests, or file creation) to check whether the command was executed and to exploit the vulnerability.
Detecting Blind OS Command Injection Using Time Delays:
The idea is very simple: the attacker injects a command that makes the server wait for some time before responding. If the websites response becomes slow, it, means the command was executed successfully.
One common way to this by is using the ping command. The ping command can send multiple network packets, and this is time to finish, For example: & ping -c 10 127.0.0.1 &
This command tells the server to ping its own system (127.0.1) ten times. This usually take about ten seconds to complete.
So, if the website normally responds the quickly but suddenly take 10 seconds to respond, it shows that the injected command was executed.
Exploiting blind OS command injection by redirecting output
In blind OS command injunction, we know that website doesn't show the output of the command. So, another techniqueis to save the command output into the file, and then open that file in a browser.
This works by redirecting the output of the command to a file inside a websites folder (web root). If the file saved there you can later accessed it through the browser
Example payload:
& whoami > /var/www/static/whoami.txt &So, whats the scene in this case:
- whoami uns on the server to finds the current user.
- The > symbol (redirect) the command output in the file.
- The file is saved as whoami.txt inside the /var/www/static/.
After that we can open a file in the browser:
https://vulnerable website.com/whoami.txt
Conclusion For this blind OS command injunction
You can redirect the command output to a file using ">" For Example:
& whoami > /var/www/static/whoami.txt &. This saves he command result in a file that can later be opened in the browser to see the output.
Exploiting Blind OS Command Injection using Out-of-Band (OAST):
Sometimes in blind OS command injunction, The website doesnot show the output of the command in the response. Because of this, the cannot directly see if the command worked or not.
In this situation, attackers use a technique called Out-of-band cast (OAST).
What this means In this technique, the attacker sends a command that makes the target server controlled by the attacker. If the attackers server recive the request, it means the command injection worked successfully
What is OAST?
OAST is a method where the attacker makes the vulnerable server send a request to an external server that the attacker controls. If the attacker receives that request, it confirms that the command was executed successfully.
How it works
- The attacker injects the command into the vulnerable input field.
- The nslookup command forces the server to perform a DNS lookup for the attacker's domain.
- If the server executes the command, it will try to contact the attacker's domain.
- The attacker monitors their server.
- If they receive the DNS request, it confirms that OS command injection is working.
Simple Idea
Even if the website does not show the command output, the attacker can still confirm the vulnerability by checking if the target server connects to their external server.
In short version blind OS command injuction can be detected by OAST techniques. The attacker injects a command that makes the server contact an external server controlled by the attacker. If the request is received, it confirms that command is successfully executed.