Web Fundamentals | OS Command Injection

Enes Cayvarlı
8 min read · Apr 5, 2023


Hi there, I’m glad to see you here. In this article, we’ll work through the “Command Injection” room on TryHackMe and the “OS Command Injection” labs on PortSwigger together. In some sections, I’ll give a brief overview of the subject. Don’t forget: you must always keep researching to learn more. I hope it will be helpful for you. Let’s start!

OS Command Injection

Contents:

  • What is OS Command Injection?
  • What is Blind Command Injection?
  • Useful Commands
  • Ways of Injecting OS Commands
  • Practical: Command Injection / TryHackMe
  • Exploiting: Command Injection / PortSwigger
  • How to Prevent OS Command Injection Attacks?

What is OS Command Injection?

OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all its data.

OS Command Injection

What is Blind Command Injection?

Many instances of OS command injection are blind vulnerabilities. This means that the application does not return the output from the command within its HTTP response.

Blind command injection is when command injection occurs; however, there is no output visible, so it is not immediately noticeable.

Blind Command Injection

Useful Commands

When you have identified an OS command injection vulnerability, it is generally useful to execute some initial commands to obtain information about the system that you have compromised. Below is a summary of some commands that are useful on Linux and Windows platforms:

Commands

Ways of Injecting OS Commands

A variety of shell metacharacters can be used to perform OS command injection attacks.

A number of characters function as command separators, allowing commands to be chained together. The following command separators work on both Windows and Unix-based systems:

  • &
  • &&
  • |
  • ||

The following command separators work only on Unix-based systems:

  • ;
  • Newline (0x0a or \n)

On Unix-based systems, you can also use backticks or the dollar character to perform inline execution of an injected command within the original command:

  • `injected command`
  • $(injected command)

❗️Sometimes, the input that you control appears within quotation marks in the original command. In this situation, you need to terminate the quoted context (using " or ') before using suitable shell metacharacters to inject a new command.

For more payloads:

https://github.com/payloadbox/command-injection-payload-list
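As an added example (not from the article or either lab), here is a small Python scan that URL-decodes the query parameters in constructed web-server access-log lines and flags any value containing the separators and inline-execution forms listed above. The log format, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The separators and inline-execution forms from the section above, as regexes.
# ";" and newline only act as separators on Unix, but we flag them everywhere.
SEPARATORS = {
    "&&": r"&&", "&": r"&(?!&)", "||": r"\|\|", "|": r"\|(?!\|)",
    ";": r";", "newline": r"\n", "backtick": r"`[^`]*`", "$()": r"\$\([^)]*\)",
}

# Constructed access-log lines (not from the page or a real server).
# Assumed format: client "METHOD path?query" status
SAMPLE_LOG = """\
10.0.0.5 "GET /product/stock?productId=3&storeId=1" 200
10.0.0.9 "GET /product/stock?productId=3&storeId=1%7Cwhoami" 200
10.0.0.9 "GET /product/stock?productId=3&storeId=1%3Bwhoami" 200
10.0.0.7 "GET /search?q=salt%20%26%20pepper" 200
10.0.0.9 "GET /product/stock?productId=%24%28id%29&storeId=1" 500
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+)" (?P<status>\d{3})$')

def find_separators(value: str) -> list[str]:
    """Return the names of the metacharacters present in an already-decoded value."""
    return [name for name, pat in SEPARATORS.items() if re.search(pat, value)]

def scan_log(text: str) -> list[tuple[str, str, str, list[str]]]:
    """Return (client, parameter, decoded value, hits) for every parameter that carries one."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # parse_qsl splits on the raw "&" first, then percent-decodes each value,
        # so an encoded "%26" inside a value is seen as a literal "&" (a benign hit
        # like "salt & pepper" shows why "&" alone is the noisiest indicator).
        query = urlsplit(m["target"]).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            hits = find_separators(value)
            if hits:
                findings.append((m["ip"], param, value, hits))
    return findings

if __name__ == "__main__":
    for client, param, value, hits in scan_log(SAMPLE_LOG):
        print(f"{client} {param}={value!r} -> {hits}")
```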

Practical: Command Injection / TryHackMe

Let’s test some payloads on the application hosted to test for command injection.

Answer the questions below

Q1: What user is this application running as?
📣A1: www-data

👉🏻First and foremost, we can identify the operating system to determine which commands we can use. For this, we can use the “ver” command on Windows and the “uname” command on Unix-based systems. In this challenge, we can see that the “ver” command produces no output, so the target is not Windows.

https://linux.die.net/man/1/uname

→ ; uname -a
→ | uname -a
→ || uname -a
→ & uname -a
Operating System

👉🏻The “whoami” command can be used to determine which user we are running as in this application.

https://linux.die.net/man/1/whoami

→ ; whoami
→ | whoami
→ || whoami
→ & whoami
User

Q2: What are the contents of the flag located in /home/tryhackme/flag.txt?
📣A2: ***{**************************}

👉🏻The “dir” command is used on Windows and the “ls” command on Unix-based systems to view files and directories. We know that the web application is running on Linux, so when we use “ls” to list the directory given in the question, we can see that the file named “flag.txt” exists.

https://linux.die.net/man/1/ls

→ ; ls /home/tryhackme
→ | ls /home/tryhackme
→ || ls /home/tryhackme
→ & ls /home/tryhackme
Files

👉🏻And then let’s look at the contents of the file using the “cat” command.

https://linux.die.net/man/1/cat

→ ; cat /home/tryhackme/flag.txt
→ | cat /home/tryhackme/flag.txt
→ || cat /home/tryhackme/flag.txt
→ & cat /home/tryhackme/flag.txt
Flag

Exploiting: Command Injection / PortSwigger

OS command injection, simple case

👉🏻When we access the lab environment, we’re greeted by a shopping site. We can view any product by clicking the “View details” button.

Home Page

👉🏻And then we can click the “Check stock” button to see how many units of the product are available in each city.

Check stock

👉🏻Let’s capture the request with Burp Suite and send it to the “Repeater” to modify the request. Who knows, maybe we can run the command we want by manipulating the command used for the stock query in the background.

Intercept

👉🏻We talked about some shell metacharacters and their effects above. Now is the time to use these metacharacters!

❗️On Linux-based operating systems, a pipe connects the standard output of one command to the standard input of the next command, so the shell runs the command after the “|” as a separate process.

productId=3&storeId=1|whoami
Request
Response

👉🏻In addition to the pipe metacharacter, we can also use the semicolon metacharacter.

❗️The semicolon is used to separate two or more commands on the same line.

productId=3&storeId=1;whoami
Request
Response

Congratulations, you solved the lab! 👊🏼

Blind OS command injection with time delays

You can use an injected command that will trigger a time delay, allowing you to confirm that the command was executed based on the time that the application takes to respond.

👉🏻When we access the lab environment, we’re greeted by a shopping site. But this time there is a difference here. I think they’ve added a new section where we can post feedback on products.

Home Page

👉🏻Let’s fill in the requested information to see how this new feature in the web application works.

Feedback

👉🏻When we examine the request, we can see that it contains parameters such as the CSRF token, name, email, subject and message, and we can test whether we can run a command through one of these parameters.

Intercept

👉🏻This time, let’s try using the ping command to send ICMP packets to localhost.

❗️The double pipe is a control operator that represents the logical OR operation.

https://linux.die.net/man/8/ping

Request

👉🏻We can see that an HTTP 200 (OK) response is returned after 10 seconds, because the -c parameter told ping to send 10 packets (one per second).

Response

👉🏻Alternatively, we can use the sleep command instead of the ping command.

https://linux.die.net/man/1/sleep

Request

👉🏻And we can see that an HTTP 200 (OK) response is returned after 10 seconds.

Response

Congratulations, you solved the lab! 👊🏼

Blind OS command injection with output redirection

You can redirect the output from the injected command into a file within the web root that you can then retrieve using the browser.

👉🏻When we access the lab environment, we’re greeted by a shopping site. But this time there is a difference here. I think they’ve added a new section where we can post feedback on products.

Home Page

👉🏻Let’s fill in the requested information to see how this new feature in the web application works.

Feedback

👉🏻When we examine the request, we can see that it contains parameters such as the CSRF token, name, email, subject and message, and we can test whether we can run a command through one of these parameters.

Intercept

👉🏻We can use the “>” metacharacter to write the output of the whoami command to a file under the “/var/www/images” directory mentioned in the lab description.

❗️The greater than sign is used to redirect the output of a command to a file.

Request

👉🏻When we look at the “Response” section, we can see that the request received an “HTTP 200 (OK)” response. This means that the command we used was executed successfully.

Response

👉🏻Now, let’s open the image of any product.

Image

👉🏻Let’s capture the request with Burp Suite and send it to the “Repeater” to modify the request.

Intercept

👉🏻Let’s see whether the output of the “whoami” command is returned when we supply the name of the file we created as the “filename” query parameter.

Request
Response

Congratulations, you solved the lab! 👊🏼

How to Prevent OS Command Injection Attacks?

By far the most effective way to prevent OS command injection vulnerabilities is to never call out to OS commands from application-layer code.

If it is considered unavoidable to call out to OS commands with user-supplied input, then strong input validation must be performed. Some examples of effective validation include:

  • Validating against a whitelist of permitted values.
  • Validating that the input is a number.
  • Validating that the input contains only alphanumeric characters, no other syntax or whitespace.
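As an added example (not the lab’s or the article’s code), here is a Python sketch of the stock-check endpoint from the PortSwigger lab: a vulnerable form that pastes the parameters into a shell string, beside a hardened form that applies the validation rules above and passes an argument list with no shell. The script name stockreport.pl, the store list and all function names are assumptions.

```python
import re
import subprocess

# Hypothetical store catalogue; a real application would query a database.
KNOWN_STORES = {1: "London", 2: "Paris", 3: "Berlin"}

class InvalidInput(ValueError):
    """Raised when a request parameter fails validation."""

# Vulnerable shape (hypothetical): the raw parameters are interpolated into one
# string and handed to a shell, so a storeId of "1|whoami" becomes a second command.
def check_stock_vulnerable(product_id: str, store_id: str) -> str:
    cmd = f"stockreport.pl {product_id} {store_id}"  # hypothetical script name
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def validate_numeric_id(value: str, name: str) -> int:
    """'Validating that the input is a number': digits only, no sign, no whitespace."""
    if not re.fullmatch(r"[0-9]{1,9}", value):
        raise InvalidInput(f"{name} must be a positive integer")
    return int(value)

def validate_store(value: str) -> int:
    """'Validating against a whitelist': the id must be one we actually know."""
    store = validate_numeric_id(value, "storeId")
    if store not in KNOWN_STORES:
        raise InvalidInput("unknown storeId")
    return store

def build_stock_argv(product_id: str, store_id: str) -> list[str]:
    """Validated values go into an argument list; no shell ever parses them."""
    return ["stockreport.pl",
            str(validate_numeric_id(product_id, "productId")),
            str(validate_store(store_id))]

def check_stock_hardened(product_id: str, store_id: str) -> str:
    argv = build_stock_argv(product_id, store_id)   # raises InvalidInput on bad input
    return subprocess.run(argv, shell=False, capture_output=True, text=True).stdout

def is_rejected(product_id: str, store_id: str) -> bool:
    """True when validation refuses the pair (used to exercise the checks)."""
    try:
        build_stock_argv(product_id, store_id)
    except InvalidInput:
        return True
    return False
```

Even with `shell=False`, the executed program itself must still treat its arguments as data; the argument list only guarantees that the shell metacharacters from the earlier section are never interpreted.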

And once again, congratulations! Together we learned the basics of how to exploit and prevent “OS Command Injection”, one of the classic web application vulnerabilities. 👊🏻

Thank you for your time. See you soon! Until then, happy hacking!

Resources:

https://portswigger.net/web-security/os-command-injection

https://tryhackme.com/room/oscommandinjection
