What is OS Command Injection?

An overview of what OS Command Injection is, how to detect, exploit and help prevent the web vulnerability.

What is OS Command Injection?

OS Command Injection occurs when input is passed from an application to the backend operating system (OS) and the supplied input is then executed by the operating system as an OS command. The vulnerability is caused by the application lacking the correct controls, such as input validation or sanitisation, to prevent dangerous input being accepted and rendered by the web application as an operating system command.

The Impact of OS Command Injection

If successfully exploited, OS Command Injection could allow an attacker or malicious user command execution on the target with the same permissions as the exploited web server. Depending on the configuration of the target and the level of security hardening that has been conducted (or lack thereof), successful exploitation of this vulnerability could potentially result in the attacker gaining complete control of the vulnerable system, exfiltrating sensitive data or performing privilege escalation / lateral movement.

Are you concerned about OS Command Injection? Aptive can perform a web app security test to help identify this and other injection attacks.

How to Identify OS Command Injection

A vulnerable input parameter is the typical entry point for command injection; however, other entry points, such as HTTP headers, have also been found to be vulnerable. A typical command injection example:

https://www.example.com/function.php=blah|test123

If vulnerable, and the application permitted the error to be returned in the response, a "command not found" error would be reflected.

The Different Types of OS Command Injection

Similar to SQL Injection, there are different types of command injection vulnerabilities:

What is Error Based Command Injection

The injected command induces an error message which is returned in the response by the web application (reflected).
What is Blind Command Injection

The target application is vulnerable to command injection, however no error is rendered by the application. In this case the attacker would perform a proof of concept using either a time based or out-of-band method, or by redirecting output to a file location they could read, such as the web root. A typical example of this would be echo test123 > /var/www/html/test.txt; the attacker would then browse to the web root to verify the command output within the test.txt file.

What is Time Based Command Injection

The injected command uses a time based payload, such as ping -c 10 127.0.0.1; the response from the web server is then timed to see if it roughly matches the injected payload's delay time.

What is Out-of-Band (OOB) Command Injection

The injected OS command uses an Out-of-Band method of communication to perform a proof of concept, verifying that the injected OS command has been executed by the target operating system as a command. For example, a DNS lookup or an HTTP request to an attacker controlled server using nslookup: nslookup+attacker-server.

Learn more about what pentesting is and how it can help your organisation identify security issues.

How to Prevent […]
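The flawed string-concatenation pattern beside its hardened form, plus a small log-review helper that flags the shell operators used in the payloads above (`|`, `;`, `&&`, `>`), as an added Python example that is not part of the original post. The `host` query parameter, the `ping -c 1` lookup feature and the hostname allowlist regex are assumptions made for the example.

```python
import re
import shlex
import subprocess
from urllib.parse import parse_qsl, urlsplit

# Allowlist for the one value this feature needs, a hostname or IPv4 literal
# (assumption: the lookup form only ever takes a host).
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")

# POSIX shell control operators and redirections that turn one parameter
# into a second command (the `|`, `;`, `&&` and `>` seen in the payloads above).
SHELL_OPERATORS = {";", "|", "||", "&", "&&", ">", ">>", "<"}


def vulnerable_command(host: str) -> str:
    """Flawed pattern: user input spliced into a string handed to a shell.
    Returned instead of executed so the example stays offline."""
    return "ping -c 1 " + host


def shell_control_tokens(command: str) -> list:
    """Tokenise a command the way a POSIX shell would and list the control
    operators it contains; a non-empty list means the shell sees more than
    the single command the developer intended."""
    try:
        lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
        return [tok for tok in lexer if tok in SHELL_OPERATORS]
    except ValueError:  # unbalanced quote: still not a clean host value
        return ["<unterminated quote>"]


def build_safe_argv(host: str) -> list:
    """Hardened form: allowlist-validate, then build an argv list so the input
    is always exactly one argument and no shell ever parses it."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("rejected host argument: %r" % host)
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """shell=False is the default: argv goes straight to execve."""
    return subprocess.run(build_safe_argv(host), capture_output=True, text=True, timeout=15)


def flag_query_parameters(url: str) -> dict:
    """Log-review helper: map each query parameter to the shell control
    operators found in its decoded value (empty list = nothing suspicious)."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {name: shell_control_tokens(value) for name, value in params}
```

Note that `parse_qsl` splits on a literal `&`, so an `&&` payload only survives decoding when it was percent-encoded in the request, which is how it normally appears in access logs.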