In this article we will see what OS command injection is and how we can detect it in different web applications.
OS command injection is also known as shell injection. It is a web-based vulnerability that allows an attacker to execute OS commands on the web server. An attacker can use this vulnerability to fetch useful information from the web server.
Let’s consider a web application that allows the user to input some data using a form. For example, there is a form which asks you to enter your 12th standard marks and your name. We simply fill in the form and click on the submit button. Now we see that the grades and name that you entered are accessed via a URL like :
And it uses a shell command to save your result somewhere on the web server; suppose it is like :
save.py 75 Abc. So here we can inject OS commands. We will see this in the next topic.
The main job of a command separator is to chain multiple commands together. There are various separators depending on the OS, but some are common and work on both Windows and Unix.
Only for Unix OS: Newline (0x0a or \n)
In this section we will perform OS command injection at different security levels. DVWA, known as Damn Vulnerable Web Application, is a web application that contains some common vulnerabilities so that we can practice them legally.
OS Command injection (Low level)
Set the Security level to Low as :
Now go to the tab “Command injection”, where we can see a very small form that allows us to ping a machine.
Let’s enter the loopback address, “127.0.0.1”, and we can see the result
ping is an OS command, which clearly means that we can execute more commands like ls, whoami, ls -a and many more...
But first we need to identify which command separator we can use here, because web applications are designed in different manners.
“;” executes every command separated by the “;”
“&” runs the first command, then runs the second command
“&&” runs the second command only if the first (preceding) command was successful
“||” runs the second command only if the first command fails
“|” is the pipe operator: the output of the first command becomes the input of the second command
“()” is used to nest commands
“#” is used as a command-line comment
So we need to try each of these to find the correct one!
After trying them, we find that in this particular scenario “;” works perfectly fine!
So the command we used is: 127.0.0.1;ls and we can see the result in the image below
This means that this is an OS command injection vulnerability, and we can also get a session using netcat. Please refer to the article to learn how to use netcat
OS Command injection (Medium level)
Set the security level to Medium and again click on the Command injection tab.
Same form again; ok, let’s try to execute the same command, 127.0.0.1;ls
This time the “;” separator doesn’t work, but no worries, let’s try the other separators now.
When we try the “&” separator we succeed in getting the desired output, as shown in the image below
Command used : 127.0.0.1&whoami
We can try more commands later. Now it’s time to move to security level High!
OS Command injection (High level)
Like in the previous topics, set the security level to High and click on the Command injection tab. Uhhhh, same form again; ok, let’s try the previous command, 127.0.0.1&whoami. This command doesn’t work, so let’s try some other command separators
So the “|” separator is working here, and we can execute the command: 127.0.0.1|whoami
Here we have tried command separators at random to find the correct one. At this particular level we can also do this in a different way:
First of all, switch to the Medium or Low level and execute the command ls -l. Here we can see a directory named “source”. Change to this directory and we can see some more files; we are interested in the file "high.php", so by using the cat command we can see the content of high.php
Steps followed :
Change security level to low
ping 127.0.0.1;ls -l
ping 127.0.0.1;cd source;ls -l
ping 127.0.0.1;cd source;cat high.php
So this is the content of the file high.php, and we can see that the command separator ‘| ’ (pipe followed by a space) is blocked, but only with the space. So if we inject the command as ping 127.0.0.1|whoami there is no problem, and yes, we got the desired output; but if we inject the command as ping 127.0.0.1| whoami there is no output.
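A vulnerable ping handler beside a hardened one, as an added Python example that is not the article's or DVWA's own code: the constructed denylist reproduces the “| ” versus “|” weakness discussed above for the separators listed earlier, while the allowlist version accepts only values that parse as an IP address and runs ping with no shell involved.

```python
import ipaddress
import subprocess

# Constructed stand-in for a denylist filter (not DVWA's actual source). It mirrors
# the weakness described above: "| " (pipe followed by a space) is on the list,
# a bare "|" is not, so spacing alone decides whether the input gets through.
DENYLIST = ["&&", "||", "&", ";", "| "]

def denylist_rejects(target: str) -> bool:
    """Weak check: rejects only inputs containing a denylisted token verbatim."""
    return any(token in target for token in DENYLIST)

def ping_command_vulnerable(target: str) -> str:
    """The vulnerable pattern: the user value is spliced into a shell string.
    Returned rather than executed so the resulting string can be inspected."""
    return "ping -c 1 " + target

def validate_target(target: str) -> str:
    """Allowlist check: the value must parse as an IPv4/IPv6 address, nothing else."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError as exc:
        raise ValueError(f"rejected ping target: {target!r}") from exc

def allowlist_rejects(target: str) -> bool:
    """True when the allowlist validator refuses the value."""
    try:
        validate_target(target)
    except ValueError:
        return True
    return False

def build_ping_argv(target: str) -> list:
    """argv for ping with no shell: a separator in the value can only ever be data."""
    return ["ping", "-c", "1", validate_target(target)]

def run_ping(target: str) -> str:
    """Run ping safely (argv list, shell=False); needs a ping binary on the host."""
    result = subprocess.run(build_ping_argv(target), capture_output=True, text=True, timeout=10)
    return result.stdout

if __name__ == "__main__":
    for payload in ["127.0.0.1", "127.0.0.1|whoami", "127.0.0.1| whoami", "127.0.0.1;ls"]:
        print(f"{payload!r:22} denylist rejects={denylist_rejects(payload)!s:5} "
              f"allowlist rejects={allowlist_rejects(payload)}")
```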
Practical implementation(Hack this Site)
Hack This Site is a web application. It provides different challenges to improve our ethical hacking knowledge and it is very good. While solving these I found a level where we need command injection to solve the challenge.
So without wasting time, let’s test the website. Register yourself on the website, then in the basic challenges click on level 7. Here we can see a small description
So here we can enter any year to check it. Ok, as it says “Enter the year”, we entered the year 2020 and the output is
The output is the calendar for the year 2020. But this is not the output that we want, so without wasting time we started to try different command separators to find the correct one, so that we can find the correct password to complete this challenge
After trying many commands we figured out that the command 2020&&ls works perfectly and it gives us the output
All the other files look ok, but the name of the last file looks strange, so we decided to see its content using our browser. As level 7 is in the same directory, we just need to specify the file name and our browser will open it for us!
Finally we got the password, so copy the password, paste it here and click on the submit button, and we succeed in completing this challenge!
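Log-based detection of the separator probing shown in both the DVWA and Hack This Site sections, as an added example that is not part of the original article: it parses constructed Apache-style access log lines (the /ping and /calendar paths and the client addresses are assumptions), URL-decodes each query parameter and reports which of the separators listed above appear in a value.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Separators from the article, longest first so "&&" is reported instead of "&".
SEPARATORS = ["&&", "||", ";", "|", "&", "\n", "#"]

# Combined-log-format prefix: client, ident, user, [timestamp], "METHOD target HTTP/x".
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Constructed sample lines (not a real capture). A browser form encodes "&" in a
# field as %26, which is why the injected separators arrive percent-encoded.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:12:00:01 +0000] "GET /ping?ip=127.0.0.1 HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:12:00:09 +0000] "GET /ping?ip=127.0.0.1%3Bls HTTP/1.1" 200 1480 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:12:00:15 +0000] "GET /ping?ip=127.0.0.1%7Cwhoami HTTP/1.1" 200 290 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2024:12:01:00 +0000] "GET /calendar?year=2020%26%26ls HTTP/1.1" 200 980 "-" "curl/8.0"',
]

def find_separators(value: str) -> list:
    """Return the separators present in a decoded value, longest match first."""
    found, remaining = [], value
    for sep in SEPARATORS:
        if sep in remaining:
            found.append(sep)
            remaining = remaining.replace(sep, "")
    return found

def scan_log_line(line: str) -> list:
    """Decode every query parameter of one request and flag separator characters."""
    match = LOG_RE.match(line)
    if not match:
        return []
    query = urlsplit(match.group("target")).query
    findings = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        seps = find_separators(value)
        if seps:
            findings.append({"src": match.group("src"), "param": key,
                             "separators": seps, "value": value})
    return findings

def scan_log(lines: list) -> list:
    """Run the check over a whole log and collect all findings in order."""
    return [finding for line in lines for finding in scan_log_line(line)]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['src']} param={hit['param']} separators={hit['separators']} value={hit['value']!r}")
```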
So this was a basic introduction to OS command injection; in the next article we will test some more web applications for OS command injection