Hi! My name is Hashar Mujahid. And today we are going to learn what OS command injections are and how we can exploit them.
An OS command injection is a vulnerability that allows an attacker to execute arbitrary operating-system commands directly on the server. If you haven’t already realized it, an attacker who can execute commands on the server can easily turn that into a reverse shell or a backdoor into the server.
OS command injection found during a bug bounty or penetration test is therefore rated as a critical vulnerability.
In this simple lab, instead of allowing only a whitelisted set of commands, the server lets the user execute any command.
An attacker can run a few commands to gather information about the current user and the target’s operating system.
Name of the current user: whoami
Operating system: uname -a
Network configuration: ifconfig
Network connections: netstat -an
Running processes: ps -ef
In this lab we can see that a POST request is made when we submit the value.
We can tell because in a GET request the parameter appears in the URL, while in a POST request it does not.
GET: http://124.221.152.247:5001/CMD-1/index.php?
POST: http://124.221.152.247:5001/CMD-1/index.php?cmd=ls
Now the question is
There is no single answer to this question. Try to understand the logic of the application; if you suspect that some functionality uses dangerous functions such as
eval()
system()
passthru()
you can test those parameters by injecting commands.
Sometimes, when command execution is essential to the exposed functionality, the application hard-codes the command and only takes the argument (the query) from the user.
Whois
Google Whois
Now, to get command execution, we need to use some bypass techniques so that our own command runs.
We can use the ; symbol to end the first command and append ours.
We can see that our command executed.
Many cases of OS command injection are blind vulnerabilities: the application does not include the command’s output in its HTTP response. Blind vulnerabilities can still be exploited, but they require a different approach.
Now you should be asking yourself how we can detect blind OS command injection vulnerabilities.
The simple answer is to inject commands that cause a measurable delay.
You can try injecting the sleep command like this:
vulnerableweb.com/command?cmd=;sleep(5)
This will cause the server to respond only after 5 seconds.
Alternatively, you can inject a ping command towards a public IP to see whether the web app connects back to it.
vulnerableweb.com/command?cmd=;& ping -c 10 IP
We can see that our 10 pings caused roughly 10 seconds of delay on the server.
email=test@mail.com||ping+-c+10+127.0.0.1||
Sometimes applications block the “;” symbol to prevent attackers from injecting commands.
In that case we can try injecting one of these separators instead:
&
&&
|
||
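From the defender’s side, the blind (time-based) probes and the separator list above leave a recognisable trace in web server access logs. The following scanner is an added example and not part of the original post: it URL-decodes each query parameter, flags the separators (; & && | ||) and the delay primitives (sleep, ping) described above, and flags abnormally slow responses. The log format is an assumption (combined log format with the request duration in milliseconds appended as a last field), and the sample lines are constructed from the payload shapes shown in the post.

```php
<?php
// Added example, not from the original post: flag command-injection probes
// in access logs. Assumed log format: combined log format with the request
// duration in milliseconds as the final field.

const SLOW_MS = 4000;   // any request slower than this is worth a look

// Patterns applied to the URL-decoded parameter value, because the probes
// arrive encoded (%3B for ";", "+" for space, %26 for "&").
const INJECTION_PATTERNS = [
    'separator'  => '/(;|&&|\|\||&|\|)/',
    'time-delay' => '/\b(sleep|ping)\b/i',
];

// Parse one line into the fields we need; null for lines that do not match.
function parse_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ (\d+)$/';
    if (preg_match($re, $line, $m) !== 1) {
        return null;
    }
    $query = parse_url($m[4], PHP_URL_QUERY) ?? '';
    parse_str($query, $params);            // parse_str URL-decodes the values
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => parse_url($m[4], PHP_URL_PATH),
        'params' => $params,
        'status' => (int) $m[5],
        'ms'     => (int) $m[6],
    ];
}

// Return every reason a parsed request looks like an injection probe.
function find_indicators(array $req): array
{
    $reasons = [];
    foreach ($req['params'] as $name => $value) {
        if (!is_string($value)) {
            continue;                       // array parameters such as a[]=1
        }
        foreach (INJECTION_PATTERNS as $label => $pattern) {
            if (preg_match($pattern, $value) === 1) {
                $reasons[] = "$label in parameter '$name'";
            }
        }
    }
    if ($req['ms'] >= SLOW_MS) {
        $reasons[] = "slow response ({$req['ms']} ms)";
    }
    return $reasons;
}

// Scan a list of log lines and return one alert string per suspicious request.
function scan(array $lines): array
{
    $alerts = [];
    foreach ($lines as $line) {
        $req = parse_line($line);
        if ($req === null) {
            continue;
        }
        $reasons = find_indicators($req);
        if ($reasons !== []) {
            $alerts[] = "{$req['ip']} {$req['method']} {$req['path']}: " . implode('; ', $reasons);
        }
    }
    return $alerts;
}

// Constructed sample lines (not real traffic), modelled on the post's payloads.
$sample = [
    '10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /command?cmd=ls HTTP/1.1" 200 312 18',
    '10.0.0.5 - - [10/Oct/2023:12:00:09 +0000] "GET /command?cmd=%3Bsleep(5) HTTP/1.1" 200 40 5012',
    '10.0.0.7 - - [10/Oct/2023:12:00:15 +0000] "POST /feedback HTTP/1.1" 200 91 22',
    '10.0.0.5 - - [10/Oct/2023:12:00:31 +0000] "GET /command?cmd=%3B%26+ping+-c+10+127.0.0.1 HTTP/1.1" 200 40 10124',
    '10.0.0.9 - - [10/Oct/2023:12:00:40 +0000] "GET /search?q=cats+%26+dogs HTTP/1.1" 200 5120 33',
];

foreach (scan($sample) as $alert) {
    echo $alert, "\n";
}
```

The last sample line shows the trade-off: a lone & or | also appears in harmless search terms, so in practice those two get a lower score than ;, && and ||, and an alert is raised on the combination of a separator, a delay keyword and a slow response rather than on any single indicator. POST bodies (the email=...||ping... shape above) are not in the access log at all; catching those needs the application or a WAF to log parameter values.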
Developers should avoid calling out to OS commands from the application at all; where that is unavoidable, the user-supplied part must be strictly validated and escaped so the shell never parses it.
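To make that advice concrete for the cases discussed above (the lab that should allow only whitelisted commands, the eval()/system()/passthru() functions, and the whois lookup that hard-codes the command and takes the argument from the user), here is an added example, not the lab’s own code: the vulnerable string-building version of a whois endpoint next to a hardened one, plus an allowlist dispatcher. The parameter name "domain", the binary path /usr/bin/whois and the allowlist entries are assumptions.

```php
<?php
// Added example, not the lab's own code. Shows why a hard-coded command with
// a user-supplied argument is still injectable, and how to harden it.
// Assumed: request parameter "domain", whois binary at /usr/bin/whois.

// VULNERABLE: the user value is pasted into a shell string, so a value like
// "example.com; whoami" is parsed by the shell as two separate commands.
function build_whois_vulnerable(string $domain): string
{
    return "whois " . $domain;
}

// Hardened step 1: accept only what a hostname can look like. Every shell
// metacharacter (; & | ` $ ( ) < > and whitespace) fails this check before a
// command is built. Labels of letters, digits and hyphens that neither start
// nor end with a hyphen, so the value can never be read as an option either.
function is_valid_hostname(string $value): bool
{
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return strlen($value) <= 253
        && preg_match("/^{$label}(\\.{$label})+\$/", $value) === 1;
}

// Hardened step 2: quote with escapeshellarg() so the shell treats the value
// as one literal argument, and use an absolute path so a modified PATH cannot
// substitute the binary. Returns null when the input is rejected, which the
// caller should turn into an HTTP 400.
function build_whois_hardened(string $domain): ?string
{
    if (!is_valid_hostname($domain)) {
        return null;
    }
    return '/usr/bin/whois ' . escapeshellarg($domain);
}

// Allowlist variant for the lab's "only whitelisted commands" case: the user
// picks a key, and the command text itself never comes from the request.
const ALLOWED_COMMANDS = [
    'user'   => '/usr/bin/whoami',
    'kernel' => '/bin/uname -a',
];

function build_allowlisted(string $action): ?string
{
    return ALLOWED_COMMANDS[$action] ?? null;
}

// Demonstration with constructed inputs. Only the hardened, benign command is
// ever a candidate for shell_exec(); the vulnerable string is printed, not run.
$benign  = 'example.com';
$hostile = 'example.com; whoami';

echo "vulnerable, hostile: ", build_whois_vulnerable($hostile), "\n";
echo "hardened, hostile:   ", var_export(build_whois_hardened($hostile), true), "\n";
echo "hardened, benign:    ", build_whois_hardened($benign), "\n";
echo "allowlist, 'kernel': ", build_allowlisted('kernel'), "\n";
echo "allowlist, 'ls':     ", var_export(build_allowlisted('ls'), true), "\n";

$cmd = build_whois_hardened($benign);
if ($cmd !== null) {
    // echo shell_exec($cmd);   // uncomment only where whois is installed
}
```

The two hardening steps are deliberately independent: the validator rejects anything that is not a hostname, and escapeshellarg() still protects the call if the validator is later loosened. The allowlist form is the strongest option, because the request chooses between fixed commands and contributes no argument text at all.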
I will be back with new techniques to exploit web vulnerabilities.
Till then, Happy Hacking ❤.