The dynamic Web applications may make the most of the scripts to call up some functionality in the command line on the web server to process the input that received from the client and unsafe user input may lead to OS command injection. OS Command injection is referred as shell injection attack arise when an attacker tries to perform system level commands through a vulnerable application in order to retrieve information of web server or try to make unauthorized access into the server.
Ease of Exploitability: Medium
Risk Rating: High
In this attack the attacker will inject his unwanted system level command so that he can fetch the information of web server; for example ls, whoami, uname -a and etc.
Let’s consider a scenario where web application allows the user to PING an IP another user so that it get confirms that the host connection
Verify parameters to inject data
The following parameters should be tested for command injection flaws, as the application may be using one of these parameters to build a command back at the web server:
- GET: In this method input parameters are sent in URLs.
- POST: In this method, input parameters are sent in the HTTP body.
- HTTP header: Applications frequently use header fields to discover end users and display requested information to the user based on the value in the headers.
Some of the important header fields to check for command injection are:
Using vulnerability scanner attacker come to know that current web application is vulnerable to command injection and try injecting system level unwanted command using Meta character.
Metacharacter is symbolic operators which are used to separate actual command from unwanted command. The ampercent (&) was used as a separator that would divide the authentic input and the command that you are trying to inject.
It will more clear in following image where the attacker will inject his payload dir using metacharacter that retrieves a present directory of the web server.
As result, it will dump the following output as shown in the given image where it has validated wrong user input.
OS Command Injection Operators
The developer possibly will set filters to obstruct some metacharacter. This would block our injected data, and thus we need to try out with other metacharacters too, as shown in the following table:
|;||The semicolon is most common metacharacter used to test an injection flaw. The shell would run all the commands in sequence separated by the semicolon.|
|&||It separates multiple commands on one command line. It runs the first command then the second command.|
|&&||It runs the command following && only if the preceding command is successful|
|||(windows)||It runs the command following || only if the preceding command fails. Runs the first command then runs the second command only if the first command did not complete successfully.|
||| ( Linux)||Redirects standard outputs of the first command to standard input of the second command|
|‘||The unquoting metacharacter is used to force the shell to interpret and run the command between the backticks. Following is an example of this command: Variable= “OS version
|()||It is used to nest commands|
|#||It is used as a command line comment|
Steps to exploit – OS Command Injection
Step 1: Identify the input field
Step 2: Understand the functionality
Step 3: Try the Ping method time delay
Step 4: Use various operators to exploit OS Command Injection
Type of Command Injection
Error based injection: When an attacker injects a command through an input parameter and the output of that command is displayed on the certain web page, it proves that the application is vulnerable to the command injection. The displayed result might be in the form of an error or the actual outcomes of the command that you tried to run. An attacker then modifies and adds additional commands depending on the shell the web server and assembles information from the application.
Blind based Injection: The results of the commands that you inject will not be displayed to the attacker and no error messages are returned it similar as blind SQL injection. The attacker will use another technique to identify whether the command was really executed on the server.
Mitigation-OS Command Injection
- Strong server-side validation
- Implement a white list
- OS Hardening
- Use build-in API’s for interacting with the OS if needed. More secure!!
- Avoid applications from calling out directly the OS system commands
Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here