OS Command Injection

What is OS command injection?

An OS command injection is a web security vulnerability that enables the execution of unauthorized operating system commands. An OS command injection vulnerability arises when a web application sends unsanitized, unfiltered system commands to be executed. Due to the insufficient input validation an attacker could inject their own commands to be operated on the shell level. The attacker introduces operating system commands via user- supplied data such as cookies, forms or HTTP headers.

This is a dangerous vulnerability as the attacker-supplied OS commands are usually executed with the privileges of the vulnerable application. Therefore, an attacker could gain complete control of the host operating system compromising the application and all its data.

Unlike code injection vulnerabilities which exist when an attacker can submit executable input to a program and tricks the software into running that input. A command injection vulnerability exploits the weaknesses of an unprotected system which enables the execution of arbitrary commands without having to inject code. Both vulnerabilities arise from alack of proper input/output data validation.

Useful Commands

Below are some useful commands that can give you further information on the operating system you are attacking

Ways of injecting OS commands

In order to test your application for a command injection vulnerability try using metacharacters that enablecommands to be chained together. If you are able to run your own command then the web application is vulnerable. The following command separators work on both Windows and Unix-based systems:

• &
• &&
• |
• ||

Other command injection payloads include the ping command below which will trigger a time delay, allowing you to confirm that the command was executed based on the time that the application takes to respond. The below command will take 10 seconds to return a response.

& ping -c 10 127.0.0.1 &

Attackers can also confirm an OS command vulnerability by utilizing the nslookup command to a domain they control. If the look up occurs they know their command injection was successful.

Various other commands to test your application :

php -v Gives you PHP version running on web applications server.

&&cat /etc/passwd displays all the users on the backend Linux Server

/etc/shadow displays all hashed passwords but only if you are running with root privileges.

How to prevent OS command injection attacks

1. Defense Option 1: Avoid calling OS commands directly -avoid calling OS commands directly. Built-in library functions are a very good alternative to OS Commands.
2. Defense option 2: Escape values added to OS commands specific to each OS – For exampleescapeshellcmd() in PHP.
3. Defense option 3: Parameterization in conjunction with Input Validation – Ifuser-supplied cannot be avoidedParameterizationandInput validationshould be in use.

References

• https://owasp.org/www-community/attacks/Command_Injection
• https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
• Service Delivery Tech Talk: Directory Traversal Attack & Defense – Part 1
• Service Delivery Tech Talk: Path Traversal Attack Solutions – Part 2

.