In some scenarios an application needs to call out to the operating system to fetch something. If that call is built from user input without proper sanitization, control over the input passes to the user, who, depending on their intentions, can abuse it to execute arbitrary commands. This is known as command injection.
What is OS Command Injection?
Command injection is an attack in which an attacker takes control of the host operating system by injecting operating system commands into a vulnerable application through a command it builds. The injected code runs regardless of the application's own security checks and can be used to steal data, crash systems, damage databases, and even install malware for later use.
Attackers can reach a target system through command injection using various methods and techniques. In each case the attacker runs arbitrary commands in the web server's system shell, which can compromise all data the server can reach.
Command Examples
Command Injection Code Example
The following PHP code snippet is vulnerable to a command injection attack:
```php
<?php
print("Please specify the name of the file to delete");
print("<p>");
$file=$_GET['filename'];   // attacker-controlled, no validation at all
system("rm $file");        // interpolated straight into a shell command line
?>
```
The following request and response are an example of a successful attack:
Request: http://example.com/delete.php?filename=bob.txt;id
Response:
```
Please specify the name of the file to delete
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
Sanitizing Input
Replace or ban arguments containing “;”
Note that other shell escapes are available as well, so banning “;” alone is not enough.
Example:
– &&
– |
– ...
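As an added example (not code from the original post), the delete.php pattern above reworked in Python to show why the “ban ;” approach from this section fails against the other escapes listed, and what a defensible fix looks like: an allowlist on the filename and an argv call with shell=False. The helper names (naive_filter, delete_file, demo) and the sample file are assumptions of the example.

```python
"""Added example (not from the original post): why stripping ';' is not enough,
and how an allowlist plus shell-free execution fixes the delete.php pattern."""
import re
import subprocess
from pathlib import Path

# Operators a blocklist would have to catch; the post's "..." hides even more
# (newlines, $(), backticks, redirects). Any one you miss is a bypass.
SHELL_META = re.compile(r"[;&|`$()<>\n]")

def naive_filter(user_input: str) -> str:
    """The post's first idea: ban ';' and hope for the best."""
    return user_input.replace(";", "")

def still_injectable(user_input: str) -> bool:
    """True if the value still carries a shell operator after naive_filter."""
    return SHELL_META.search(naive_filter(user_input)) is not None

# Allowlist: one plain filename, no path separators, no metacharacters at all.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")

def is_safe_filename(name: str) -> bool:
    return SAFE_NAME.fullmatch(name) is not None and name not in (".", "..")

def delete_file(base_dir: Path, name: str) -> bool:
    """Hardened delete: validate, confine to base_dir, never parse via a shell.
    Returns True if the file was removed, False if the request was rejected."""
    if not is_safe_filename(name):
        return False
    target = (base_dir / name).resolve()
    if target.parent != base_dir.resolve():  # defence in depth against traversal
        return False
    # argv list with shell=False: the name is a single argument to rm, so
    # "bob.txt|whoami" could at worst be a literal (non-existent) filename.
    done = subprocess.run(["rm", "--", str(target)], capture_output=True)
    return done.returncode == 0

def demo() -> dict:
    """Self-check in a temporary directory with a constructed sample file."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        (base / "bob.txt").write_text("constructed sample file\n")
        return {
            "legit": delete_file(base, "bob.txt"),
            "gone": not (base / "bob.txt").exists(),
            "injected": delete_file(base, "bob.txt|whoami"),
            "traversal": delete_file(base, "../bob.txt"),
        }
```

Running demo() removes only the legitimate file; the injected and traversal requests are rejected before any process is spawned.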
Bug Bounty
This vulnerability is considered the most critical, and finding it in a bug bounty program can lead to a 4 figure bounty award. In bug bounty reports you’ll see it classed as Remote Code Execution (RCE). PlayStation was impacted by this bug, disclosed in a report with a reward of $15000. The finding is very rare, though, because organizations know the impact of this vulnerability is very critical, so they’re always looking for it and patching it. But not all of them! 😉
Practical Labs
This lab contains an OS command injection vulnerability in the product stock checker.
The application executes a shell command containing user-supplied product and store IDs, and returns the raw output from the command in its response.
To solve the lab, execute the whoami command to determine the name of the current user.
After accessing the lab, click on any of the products and you’ll be redirected to its page. At the bottom you’ll see a “Check stock” button; click on it and you’ll see a POST request being made. Open the browser’s developer tools to see it.
Now click on the request, choose “Edit and Resend”, and modify the storeId parameter, giving it the value 1|whoami
Send the modified request to solve the lab. In the response you can see the output of whoami, the name of the user the command ran as!
Conclusion
So, we’ve covered the basic theoretical and practical knowledge needed to understand what a command injection vulnerability is and how to exploit it hands-on. We also covered how to capture a request, modify it, and resend it using browser tools. If you’re interested in more, check out my blog. We covered only the basic practical lab here; the remaining labs are for you to practice, get more familiar with the topic and learn your own way through it. You will find video solutions of the labs under the “community solutions” section, and you can also find writeups for them, but if you’re having any problem with anything feel free to contact me and I’ll reply asap. So today’s topic is done here; hope you guys liked it and learned something new from it. I will appreciate your support. Thanks for reading, and see you on the next topic.