Command Injection or OS Command Injection is Remote Code execution vulnerabilities, where an attacker is able to exploit an unsanitized user input further to run default OS commands in the server.
Code Injection: allows the attacker to add their own code that is then executed by the application.
Command Injection: the attacker extends the default functionality of the application, which executes system commands, without injecting code.
Command injection is an attack in which the goal is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.
<?php
print("Specify the file to delete");
print("<p>");
$file=$_GET['filename'];
system("rm $file");
?>
In the above code snippet, the application asks for a filename
value from the user, which is directly supplied to the system
command for further execution, without sanitization or escaping the values in the filename
parameter.
So, here an attacker can modify the request to run system commands likeid
as in the below request:
Request
http://127.0.0.1/delete.php?filename=bob.txt;id
Therefore, an attacker can extract the private values of id
via his modified request as shown in the below response:
Response
Please specify the name of the file to deleteuid=33(www-data) gid=33(www-data) groups=33(www-data)
2. Similarly, In Perl based applications: Vulnerable Codeuse CGI qw(:standard);
$name = param(‘name’);
$nslookup = “/path/to/nslookup”;
print header;
if (open($fh, “$nslookup $name|”)) {
while (<$fh>) {
print escapeHTML($_);
print “<br>\n”;
}
close($fh);
}
Suppose an attacker provides a domain name like this:
Attack code- cwe.mitre.org%20%3B%20/bin/ls%20-l
The “%3B” sequence decodes to the “;” character, and the %20 decodes to a space. The open()
statement would then process a string like this:/path/to/nslookup cwe.mitre.org ; /bin/ls -l
As a result, the attacker executes the “/bin/ls -l
” command and gets a list of all the files in the program’s working directory — CWE.
3. And, In Java based applications: Vulnerable Code
The below code reads the name of a shell script to execute from the system properties. It is subject to the second variant of OS command injection.String script = System.getProperty(“SCRIPTNAME”);
if (script != null)
System.exec(script);
An attacker can upload malicious programs or files, obtain passwords, gain backdoor access, escalate privileges, execute unintended commands, compromise any sensitive files placed on the server, or escalate attack to the network interface.
ping
command to trigger a time delay by causing the server to ping its loopback interface for a specific period.
|| ping -i 30 127.0.0.1 ; x || ping -n 30 127.0.0.1
3. Monitor the time taken for the application to respond, for each of the induced time delays:
| ping –i 30 127.0.0.1 |
| ping –n 30 127.0.0.1 |
& ping –i 30 127.0.0.1 &
& ping –n 30 127.0.0.1 &
; ping 127.0.0.1 ;
%0a ping –i 30 127.0.0.1 %0a
` ping 127.0.0.1 `
4. If a time delay occurs, the application may be vulnerable to command injection.
5. Repeat the test case several times to confirm that the delay was not the result of “network latency or other anomalies”.
6. Try changing the value of the -n
or -i
parameters and confirming that the delay experienced varies systematically with the value supplied.
ls
or dir
. Check whether you can retrieve the results of the command to your browser.telnet
or netcat
to create a reverse shell back to your computer, and using the mail command to send command output via SMTP.For example: dir > c:\inetpub\wwwroot\foo.txt
4. When you have found a means of injecting commands and retrieving the results, determine your privilege level; use — whoami
or attempt to write a harmless file to a protected directory.
5. You may then seek to escalate privileges, gain backdoor access to sensitive application data, or attack other hosts reachable from the compromised server.
In a web application where the filename is shown in the URL.
Perl — append the Pipe symbol |
onto the end of the filename.
URL before alteration:http://sensitive/cgi-bin/userData.pl?doc=profile.txt
URL modified:http://sensitive/cgi-bin/userData.pl?doc=/bin/ls|
This will execute the command /bin/ls
.
PHP — appending a semicolon ;
to the end of a URL followed by an OS command. ; is %3B in URL encoding.
URL modified:http://sensitive/something.php?dir=%3Bcat%20/etc/passwd
Combining Special characters with the user input, lets you modify or diverge the application to perform unintended actions. As in Command Injection, a request to perform a command 2 which is ordered dynamically by the attacker. The following special character can be used for command injection such as |
;
&
$
>
<
'
!
cmd1|cmd2
: Use of|
will make command 2 to be executed independent of the fact whether command 1 is executed or not.
cmd1;cmd2
: Use of;
will make command 2 to be executed independent of the fact whether command 1 is executed or not.
cmd1||cmd2
: Command 2 will only be executed if command 1 fails to execute.
cmd1&&cmd2
: Command 2 will only be executed if command 1 succeeds in execution.
$(cmd)
: For example,echo $(whoami)
or$(touch test.sh; echo ‘ls’ > test.sh)
cmd : It’s used to execute specific command. For example, whoami>(cmd): >(ls)
<(cmd): <(ls)
Try using some characters as shown below to bypass the checks or escaping done by the application.
For command injection try characters or combination of characters as below to test the defense implemented by the application:|
;
&
$
>
<
'
\
!
>>
#
Escape or filter special characters for Windows, (
)
<
>
&
*
‘
|
=
?
;
[
]
^
~
!
.
”
%
@
/
\
:
+
,
`
Escape or filter special characters for Linux, {
}
(
)
>
<
&
*
‘
|
=
?
;
[
]
$
–
#
~
!
.
”
%
/
\
:
+
,
`
Have a keen eye for below system commands that are more likely to be vulnerable for Command Injection. Check if you can run these commands directly.
Java - Runtime.exec()
C/C++ -system
exec
ShellExecute
Python -exec
eval
os.system
os.popen
subprocess.popen
subprocess.call
PHP -system
shell_exec
exec
proc_open
eval
Ciao!