This article covers OS command injection in web applications. With this vulnerability, an attacker can run arbitrary operating system commands on the server, with the privileges of the account the web application runs as. The operating system does not matter: Windows and Unix-like systems are both affected, only the command syntax differs.
For example, if an application is vulnerable and the attacker submits a command such as whoami, the output of that command is shown on the web page.
The vulnerability is typically found wherever user input reaches a system command: form fields, values passed in the URL with the GET method, and similar inputs.
It is an implementation (coding) flaw: the server builds an operating system command from data entered in login forms, search boxes, buttons that submit data, and other inputs, and hands that command to a shell.
Example PHP code (the original article shows it as an image):
As seen in the image, the developer runs the “nslookup” command on the server from PHP and passes the user-supplied host name to it.
In such an application, the attacker can append new commands using shell special characters (command separators) and damage the system with the privileges granted to the web server account.
The following command separators work on both Windows and Unix-based systems:
- &
- &&
- |
- ||
The following command separators work only on Unix-based systems:
- ;
- Newline (0x0a or \n)
On Unix-based systems, you can also use backticks or the dollar character to perform inline execution of an injected command within the original command:
- `injected command`
- $(injected command)
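The separators above only matter because the application hands a string to a shell. The following Python script is an added example (not code from the original article or from bWAPP) that shows the vulnerable pattern, the same call without a shell, and an allowlist check, then fires one payload per separator at each. It replaces nslookup with a harmless `echo lookup <target>` stand-in so it runs offline; the payloads, the `IN''JECTED` marker trick and the hostname regex are all constructed for this example.

```python
import re
import subprocess

# Constructed stand-in for the page's nslookup call: "echo lookup <target>".
# echo keeps the example offline and harmless; the shell parsing is identical.
BASE_COMMAND = ["echo", "lookup"]

# Marker command. IN''JECTED only becomes INJECTED when a shell removes the
# empty quotes, so INJECTED in the output proves the payload was executed
# rather than merely echoed back as text.
MARKER = "echo IN''JECTED"

# One payload per separator discussed in the article (constructed test data).
PAYLOADS = {
    "semicolon": f"www.nsa.gov; {MARKER}",
    "ampersand": f"www.nsa.gov & {MARKER}",
    "and":       f"www.nsa.gov && {MARKER}",
    "pipe":      f"www.nsa.gov | {MARKER}",
    "newline":   f"www.nsa.gov\n{MARKER}",
    "backtick":  f"www.nsa.gov `{MARKER}`",
    "dollar":    f"www.nsa.gov $({MARKER})",
}


def lookup_vulnerable(target: str) -> str:
    """The bWAPP pattern: input concatenated into one string handed to /bin/sh."""
    cmd = " ".join(BASE_COMMAND) + " " + target
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_argv(target: str) -> str:
    """No shell: the target is a single argv element, so separators are inert."""
    return subprocess.run(BASE_COMMAND + [target], capture_output=True, text=True).stdout


# Allowlist: a syntactically valid DNS name and nothing else (assumed policy).
HOSTNAME_RE = re.compile(
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.IGNORECASE
)


def is_valid_hostname(target: str) -> bool:
    return len(target) <= 253 and HOSTNAME_RE.fullmatch(target) is not None


def lookup_hardened(target: str) -> str:
    """Validate first, then run without a shell; each layer is useful on its own."""
    if not is_valid_hostname(target):
        raise ValueError(f"rejected target: {target!r}")
    return lookup_argv(target)


def injected(runner, payload: str) -> bool:
    """True if the payload's marker command actually ran."""
    try:
        return "INJECTED" in runner(payload)
    except ValueError:
        return False


def probe_all(runner) -> dict:
    """Map each separator name to whether it achieved execution via `runner`."""
    return {name: injected(runner, payload) for name, payload in PAYLOADS.items()}


if __name__ == "__main__":
    for label, runner in (("shell=True", lookup_vulnerable),
                          ("argv only", lookup_argv),
                          ("hardened", lookup_hardened)):
        print(f"{label:10s}", probe_all(runner))
```

With `shell=True` every separator yields INJECTED; with the argv form the whole payload is printed back as a literal argument and nothing runs; the hardened version rejects the payloads before any process is started. The same split applies to PHP: `shell_exec("nslookup " . $host)` is the first function, while validating `$host` and wrapping it with `escapeshellarg()` approximates the last.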
Command injection falls under the Injection category of the OWASP Top 10 and is rated as a critical vulnerability.
Let’s Explain with a bWAPP Example (Level: Low)
What bWAPP is has been explained in our previous articles; see them for details.
We have an application that runs a command on the system and prints the command's output to the screen.
If the attacker enters a plain domain name, the output looks like the screen above. When the input is changed to “www.nsa.gov; ls”, the output is as follows.
After learning the operating system, it would not be difficult to fetch a backdoor from an attacker-controlled FTP server with a further injected command and gain a foothold on the system. 🙂
Let’s Explain with a bWAPP Example (Level: Medium)
This time, entering a similar command, for example “www.nsa.gov;ls”, gives the result below.
The developer may have filtered out some of the special characters. Let's try again using the “|” character instead of “;”.
The result is as in the image above: the pipe character is not filtered, and the injected command runs.
Different operating systems use different separator characters, and different software stacks accept different input formats, so a single rejected payload does not mean the application is safe; try the other separators.
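The Medium level shows why a blacklist of separators is the wrong fix. The script below is an added example (not bWAPP's own filter, whose source is not reproduced here): it models a constructed blacklist that strips “;” and “&”, which is an assumption based on the article's observation that “;” no longer works, and checks which of a constructed payload set still carries a separator afterwards, compared with an allowlist that only accepts a syntactically valid hostname.

```python
import re

# Characters that let sh start a second command or a substitution.
SEPARATORS = {";", "&", "|", "`", "$", "\n"}


def filter_medium(target: str) -> str:
    """Constructed blacklist modelled on the Medium level: strip ';' and '&'.
    Assumption for the example, not bWAPP's actual code."""
    return target.replace(";", "").replace("&", "")


# Allowlist: a syntactically valid DNS name and nothing else (assumed policy).
HOSTNAME_RE = re.compile(
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.IGNORECASE
)


def allowlist_ok(target: str) -> bool:
    return len(target) <= 253 and HOSTNAME_RE.fullmatch(target) is not None


# Constructed payloads: the article's two inputs plus the other Unix separators.
PAYLOADS = {
    "semicolon": "www.nsa.gov;ls",
    "and":       "www.nsa.gov&&ls",
    "pipe":      "www.nsa.gov|ls",
    "newline":   "www.nsa.gov\nls",
    "backtick":  "www.nsa.gov`ls`",
    "dollar":    "www.nsa.gov$(ls)",
}


def blacklist_survivors() -> set:
    """Payloads that still contain a separator after the blacklist has run."""
    return {name for name, p in PAYLOADS.items() if SEPARATORS & set(filter_medium(p))}


def allowlist_survivors() -> set:
    """Payloads the allowlist would accept as a target (expected: none)."""
    return {name for name, p in PAYLOADS.items() if allowlist_ok(p)}


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name:9s} {payload!r:28s} -> after blacklist {filter_medium(payload)!r}")
    print("survive blacklist:", sorted(blacklist_survivors()))
    print("pass allowlist:   ", sorted(allowlist_survivors()))
```

The blacklist neutralises “;” and “&&” (they collapse to `www.nsa.govls`), but “|”, newline, backticks and `$()` pass through untouched, which is exactly the bypass the Medium level demonstrates. The allowlist rejects all six because none is a hostname, and it needs no knowledge of which separators a particular shell or OS understands.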
For a bulk payload list: Click for the GitHub payload list
Have a nice day with lots of informatics 🙂