OS Command Injection
Introduction
Injection vulnerabilities are considered the number 3 risk in OWASP's Top 10 Web App Risks, given their high impact and how common they are.
Injection occurs when user-controlled input is misinterpreted as part of the web query or code being executed, which can subvert the intended outcome of the query into a different one that is useful to the attacker.
When it comes to OS Command Injections, the user input we control must directly or indirectly go into (or somehow affect) a web query that executes system commands.
OS Command Injection Tools
Auto tool - https://github.com/commixproject/commix
Injection Operators
Injection Operator | Injection Character | URL-Encoded Character | Executed Command |
---|---|---|---|
Semicolon | ; | %3b | Both |
New Line | \n | %0a | Both |
Background | & | %26 | Both (second output generally shown first) |
Pipe | \| | %7c | Both (only second output is shown) |
AND | && | %26%26 | Both (only if first succeeds) |
OR | \|\| | %7c%7c | Second (only if first fails) |
Sub-Shell | `` | %60%60 | Both (Linux-only) |
Sub-Shell | $() | %24%28%29 | Both (Linux-only) |
Linux Filtered Character Bypass
Filtered Character | Bypass Method | Description |
---|---|---|
printenv command | printenv | Can be used to view all environment variables |
Space Character | %09 | Using tabs instead of spaces |
Space Character | ${IFS} | Will be replaced with a space and a tab. Cannot be used in sub-shells (i.e. $()) |
Space Character | {ls,-la} | Commas will be replaced with spaces |
Slash Character | ${PATH:0:1} | Will be replaced with / |
Semicolon Character | ${LS_COLORS:10:1} | Will be replaced with ; |
Any Character | $(tr '!-}' '"-~'<<<[) | Shift character by one ([ -> \) |
Windows Filtered Character Bypass
Filtered Character | Bypass Method | Description |
---|---|---|
Env command | Get-ChildItem Env: | Can be used to view all environment variables - (PowerShell) |
Space Character | %09 | Using tabs instead of spaces |
Space Character | %PROGRAMFILES:~10,-5% | Will be replaced with a space - (CMD) |
Space Character | $env:PROGRAMFILES[10] | Will be replaced with a space - (PowerShell) |
Backslash Character | %HOMEPATH:~0,-17% | Will be replaced with \ - (CMD) |
Backslash Character | $env:HOMEPATH[0] | Will be replaced with \ - (PowerShell) |
Linux Blacklisted Command Bypass
Blacklist Bypass | Payload | Description |
---|---|---|
Case Manipulation | | Execute the command regardless of case |
Case Manipulation | | Another variation of the technique |
Reversing a Command | | Reverse a string |
Reversing a Command | | Execute the reversed command |
Base64 Encoding Commands | | Encode a string with base64 |
Base64 Encoding Commands | | Execute the base64-encoded string |
Windows Blacklisted Command Bypass
Blacklist Bypass | Payload |
---|---|
Case Manipulation | |
Reversing a Command | |
Reversing a Command | |
Base64 Encoding Commands | |
Base64 Encoding Commands | |
Miscellaneous & Tricks
This section contains tricks for specific languages and web frameworks.
PHP backtick character
The backtick character (`) in PHP can be used to gain OS command injection, as it is a character used for shell command execution, similarly to the shell_exec() function. When you enclose a string in backticks, PHP will execute it as a shell command and return the output.
Consider the following example scenario:
You are dealing with a web application written in PHP where a ping.php page is hosted. Navigating to http://example.com/ping.php?ip=10.10.10.10 allows users to ping the IP address specified (10.10.10.10). If any standard way to perform OS command execution does not work, you could use the backticks to your advantage. For example, you could navigate to http://example.com/ping.php?ip=10.10.10.10;`ls` to effectively run the ls command after the ping.
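An added defensive example, not part of these notes: a small Python checker that decodes the ip parameter from constructed request lines, applies the allow-list check a ping.php page should perform (only a syntactically valid IPv4 address passes), and for rejected values names which of the operators and spacing bypasses from the tables above are present; the second sample is the ping.php request just described. The function names, labels and sample URLs are assumptions made for this example.

```python
import re
import ipaddress
from urllib.parse import urlsplit, unquote

# Shell metacharacters from the injection-operator table: (label, decoded token).
OPERATORS = [("semicolon", ";"), ("newline", "\n"), ("and", "&&"), ("background", "&"),
             ("or", "||"), ("pipe", "|"), ("backtick-subshell", "`"), ("dollar-subshell", "$(")]
# Space and slash/semicolon substitutes from the Linux filtered-character table.
BYPASS_TOKENS = [("tab-as-space", "\t"), ("ifs-as-space", "${IFS}"),
                 ("path-slice-slash", "${PATH:0:1}"), ("ls-colors-semicolon", "${LS_COLORS:10:1}")]
BRACE_EXPANSION = re.compile(r"\{[^{}]*,[^{}]*\}")  # {ls,-la}: commas become spaces

def decode_param(url, name):
    """Fully URL-decoded value of one query parameter, or None. A literal & splits
    parameters before the app sees them (hence %26); double unquote catches double encoding."""
    for pair in urlsplit(url).query.split("&"):
        key, _, raw = pair.partition("=")
        if key == name:
            return unquote(unquote(raw))
    return None

def find_indicators(value):
    """Labels of the operators and bypass tokens present in a decoded value."""
    hits = [label for label, tok in OPERATORS + BYPASS_TOKENS if tok in value]
    if BRACE_EXPANSION.search(value):
        hits.append("brace-expansion")
    return hits

def triage(url, param="ip"):
    """Allow-list first (the actual fix: only a syntactically valid IPv4 address may
    reach the shell), then report which indicators a rejected value carried."""
    value = decode_param(url, param)
    if value is None:
        return "missing", []
    try:
        ipaddress.IPv4Address(value)
        return "allow", []
    except ValueError:
        return "reject", find_indicators(value)

# Constructed sample requests (not real traffic); the second is the ping.php case above.
SAMPLE_REQUESTS = [
    "http://example.com/ping.php?ip=10.10.10.10",
    "http://example.com/ping.php?ip=10.10.10.10;`ls`",
    "http://example.com/ping.php?ip=10.10.10.10%0als",
    "http://example.com/ping.php?ip=10.10.10.10%26%26ls%09-la",
    "http://example.com/ping.php?ip=10.10.10.10%7c%7c%7bls,-la%7d",
    "http://example.com/ping.php?ip=10.10.10.10%2524%257bIFS%257dls",  # double-encoded ${IFS}
]

if __name__ == "__main__": print([triage(u) for u in SAMPLE_REQUESTS])
```

Only the first sample is allowed; every other one is rejected by the IPv4 check before any indicator matching is needed, and the indicator labels are what you would log for detection.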