An overview of what OS Command Injection is, how to detect, exploit and help prevent the web vulnerability.
OS Command Injection occurs when input is passed from an application to the backend operating system (OS) and the supplied input is then executed by the operating system as an OS command. The vulnerability is caused by the application lacking the correct controls, such as input validation or sanitisation, to prevent dangerous input from being accepted and rendered by the web application as an operating system command.
If successfully exploited, OS Command Injection could allow an attacker or malicious user to execute commands on the target with the same permissions as the exploited web server. Depending on the configuration of the target and the level of security hardening that has been conducted (or lack thereof), successful exploitation of this vulnerability could potentially result in the attacker gaining complete control of the vulnerable system, exfiltrating sensitive data or performing privilege escalation / lateral movement.
A vulnerable input parameter is the typical entry point for command injection; however, other entry points, such as HTTP headers, have also been found to be vulnerable.
A typical command injection example:
If vulnerable, and the application permitted the error to be returned in the response, a “command not found” error would be reflected.
Similar to SQL Injection, there are different types of command injection vulnerabilities:
The injected command induces an error message, which is returned in the response by the web application (reflected).
The target application is vulnerable to command injection, however no error is rendered by the application. In this case the attacker would perform a proof of concept using either a time-based or out-of-band technique, or by redirecting output to a file location they can read, such as the web root. A typical example of this would be
echo test123 > /var/www/html/test.txt
the attacker would then browse to the web root to verify the command output within the test.txt file.
The injected command uses a time-based payload, such as
ping -c 10 127.0.0.1
the response from the web server is then timed to see if it roughly matches the delay introduced by the injected payload.
The injected OS command uses an out-of-band method of communication to perform a proof of concept, verifying that the injected OS command has been executed by the target operating system as a command, for example a DNS lookup (using nslookup) or an HTTP request to an attacker-controlled server.
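The root cause described above, a value spliced into a shell command without validation, is easiest to see next to its fix. The following is an added example (not code from this page or any particular product) of a ping-style lookup in Python: the vulnerable builder hands the raw value to a shell, while the hardened builder allow-lists the host and passes it as an argv element so no shell parses it. The injected values used for illustration are the `echo` and `ping` payloads quoted on this page.

```python
import ipaddress
import re
import subprocess

# Vulnerable pattern: the host value is spliced into a command string that a
# shell parses, so ';', '&&', '|', '`' or '$(...)' in the input terminate the
# intended command and start a second one.
def build_ping_vulnerable(host: str) -> str:
    return f"ping -c 1 {host}"

def run_ping_vulnerable(host: str) -> subprocess.CompletedProcess:
    return subprocess.run(build_ping_vulnerable(host), shell=True,
                          capture_output=True, text=True, timeout=15)

# Hardened pattern: strict allow-list validation of the value, then execution
# with an argv list (shell=False) so the input is never interpreted by a shell.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$", re.IGNORECASE)

def is_safe_host(host: str) -> bool:
    """Accept only an IPv4/IPv6 literal or an RFC 1123 style hostname."""
    if len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)   # raises ValueError if not an IP literal
        return True
    except ValueError:
        return _HOSTNAME_RE.fullmatch(host) is not None

def build_ping_hardened(host: str) -> list[str]:
    # Rejecting the value outright is preferable to trying to strip metacharacters.
    if not is_safe_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]

def run_ping_hardened(host: str) -> subprocess.CompletedProcess:
    return subprocess.run(build_ping_hardened(host), shell=False,
                          capture_output=True, text=True, timeout=15)

if __name__ == "__main__":
    # Constructed input: the blind-injection payload from this page appended to a host.
    payload = "127.0.0.1; echo test123 > /var/www/html/test.txt"
    print("shell would run:", build_ping_vulnerable(payload))
    try:
        build_ping_hardened(payload)
    except ValueError as exc:
        print("hardened path:", exc)
```

The `timeout` on both run functions also bounds the delay a time-based payload could introduce, which is a useful secondary control even though validation is the primary one.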
No, code injection is the insertion of application code which is then executed by the web server as if it were application code, resulting in remote code execution. OS command injection is the insertion of user-supplied input, which is then rendered by the target web server's operating system as an OS command.
Yes, the OWASP Top 10 includes command injection under injection attacks.
Yes, the vulnerability is also known as:
Learn about more web application security vulnerabilities in our Cyber Security Academy.