OS command injection is a vulnerability that allows an attacker to execute OS commands on a vulnerable server.
This vulnerability occurs when a web application passes user input directly to the OS shell. Almost all programming languages (C, C++, Java, Python, PHP, Perl) provide a way to call OS commands. An attacker who exploits this can execute any command with the privileges of the user account the web server runs as.
Sometimes the attacker cannot see the command's output in the webpage response, even though the command is executed. To detect such blind command injection, the attacker uses techniques like the following.
- The attacker can inject a command that takes a known amount of time to complete, for example
ping -c 10 127.0.0.1 &
If this command gets executed, the webpage loads after 10 seconds, so the attacker can confirm the command injection from the delay alone.
- The attacker can redirect the output of a command to a text file in the webroot directory, for example
cat /etc/passwd > /var/www/default/html/temp.txt
After the command has executed, the attacker can read the output by requesting temp.txt from the website.
Sending Output to an Attacker-Controlled Server
- The injected command sends an HTTP request to attacker.com with a GET parameter op= set to the output of the command, so the output shows up in the attacker's server logs.
- If the attacker does not have a website, they can use an introspectable tunnel to localhost such as ngrok, which provides a temporary server at an address like
http://something.ngrok.io/
that redirects to their localhost.
Let's consider a simple web application that takes a domain name as input and displays its Whois record.

<?php
// Vulnerable: $domain comes straight from the query string and is
// interpolated into a shell command without validation or escaping.
$domain = $_GET['domain'];
$output = shell_exec("whois $domain");
echo "<pre>$output</pre>";
?>
Let's give the domain as iitgoa.ac.in. The backend server will then execute the command
whois iitgoa.ac.in
which gives output like the following:

...
Domain Name: iitgoa.ac.in
Registry Domain ID: D414400000001284698-IN
Registrar WHOIS Server:
Registrar URL: http://www.ernet.in
Updated Date: 2017-07-18T11:53:18Z
Creation Date: 2016-07-05T10:51:55Z
Registry Expiry Date: 2026-07-05T10:51:55Z
Registrar: ERNET India
Tech Email: Please contact the Registrar listed above
Name Server: dns1.iitgoa.ac.in
Name Server: dns2.iitgoa.ac.in
...
Now the attacker can inject another command by sending the domain parameter as
iitgoa.ac.in%26cat%20/etc/passwd
where %26 is the URL encoding of &. So the backend server executes the command
whois iitgoa.ac.in & cat /etc/passwd
and this prints the whois information as well as the contents of the passwd file.
- There are a few shell command separators that can be used to inject commands; & in the example above is one of them.
- These separators are OS specific.
- Generally these separators are blacklisted, so the attacker has to find a way to bypass the filters. This is why a blacklist alone is a weak defence.
Impact
- The full system can get compromised.
- An attacker can access all the server's data, which may contain sensitive business and customer information.
- An attacker can use your server to launch DDoS attacks against other servers.
- An attacker can create a backdoor so that they can connect to the server even after this vulnerability is patched.
Mitigation
- Never trust user input. Avoid passing user input to the OS shell at all.
- Filter user input against a whitelist rather than a blacklist.
- Accept only alphanumeric user input and reject it if it contains any symbol or whitespace.
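The following is an added example, not code from the original post, showing how the vulnerable whois page above can be rewritten along the lines of the mitigation list: a whitelist check that accepts only plausible hostnames, execution of whois without a shell so that separators such as & are never interpreted, and HTML escaping of the result. It assumes PHP 7.4 or newer (the array form of proc_open) and that a whois binary is on the PATH; the function names isValidDomain and whoisLookup are this example's own.

```php
<?php
// Added example (not from the original post): hardened whois lookup.
// Layer 1: whitelist validation. Only letters, digits, hyphens and dots are
// allowed, in the shape of a hostname. Any input containing whitespace or a
// shell metacharacter (& ; | $ ` etc.) fails this check before it gets
// anywhere near a command.
function isValidDomain(string $domain): bool
{
    if (strlen($domain) > 253) {          // RFC 1035 length limit
        return false;
    }
    // labels: 1-63 chars, no leading/trailing hyphen; TLD: 2-63 letters
    return (bool) preg_match(
        '/^([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i',
        $domain
    );
}

// Layer 2: run the program directly, not through /bin/sh. With an array
// argument (PHP >= 7.4) proc_open execs "whois" with $domain as a single
// argv element, so the shell never parses it for separators.
function whoisLookup(string $domain): string
{
    if (!isValidDomain($domain)) {
        throw new InvalidArgumentException('invalid domain name');
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['whois', $domain], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start whois');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Request handling: validate, execute, and escape the output for HTML.
$domain = $_GET['domain'] ?? '';
try {
    echo '<pre>' . htmlspecialchars(whoisLookup($domain), ENT_QUOTES, 'UTF-8') . '</pre>';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Invalid domain name';
}
```

With this code, a request for domain=iitgoa.ac.in behaves as before, while the injected value iitgoa.ac.in%26cat%20/etc/passwd is rejected by isValidDomain with a 400 response because of the space and the &. Even if the whitelist were somehow bypassed, the array form of proc_open passes the value as one argument to whois rather than to a shell, so there is no separator to exploit. On PHP older than 7.4 the closest fallback is shell_exec('whois ' . escapeshellarg($domain)) after the same whitelist check; escapeshellarg quotes the value so the shell treats it as a single argument, but avoiding the shell entirely is the stronger option.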
Tools
- Commix: an automated all-in-one OS command injection detection and exploitation tool.