- Listen to our monthly AppSec Stats Flash podcast
- LEARN MORE
An OS command injection is a web security vulnerability that enables the execution of unauthorized operating system commands. An OS command injection vulnerability arises when a web application sends unsanitized, unfiltered system commands to be executed. Due to the insufficient input validation an attacker could inject their own commands to be operated on the shell level. The attacker introduces operating system commands via user- supplied data such as cookies, forms or HTTP headers.
This is a dangerous vulnerability as the attacker-supplied OS commands are usually executed with the privileges of the vulnerable application. Therefore, an attacker could gain complete control of the host operating system compromising the application and all its data.
Unlike code injection vulnerabilities which exist when an attacker can submit executable input to a program and tricks the software into running that input. A command injection vulnerability exploits the weaknesses of an unprotected system which enables the execution of arbitrary commands without having to inject code. Both vulnerabilities arise from alack of proper input/output data validation.
Below are some useful commands that can give you further information on the operating system you are attacking
Purpose of command
Name of current user
In order to test your application for a command injection vulnerability try using metacharacters that enablecommands to be chained together. If you are able to run your own command then the web application is vulnerable. The following command separators work on both Windows and Unix-based systems:
Other command injection payloads include the ping command below which will trigger a time delay, allowing you to confirm that the command was executed based on the time that the application takes to respond. The below command will take 10 seconds to return a response.
& ping -c 10 127.0.0.1 &
Attackers can also confirm an OS command vulnerability by utilizing the nslookup command to a domain they control. If the look up occurs they know their command injection was successful.
Various other commands to test your application :
php -v Gives you PHP version running on web applications server.
&&cat /etc/passwd displays all the users on the backend Linux Server
/etc/shadow displays all hashed passwords but only if you are running with root privileges.