An Operating System Command Injection vulnerability is a critical security flaw that allows an attacker to execute system commands on a server. It happens when an application sends user input to the system shell without proper validation.
A successful attack can lead to data theft, modification, deletion, or even full server control.
Web command injection happens when an attacker sends malicious commands through application inputs.
This occurs because the application does not properly check or filter user input.
This means the attacker can execute commands on the server with the same permissions as the application.
Direct (In-band)
- In this case, the output of the injected command is returned directly in the HTTP response.
- This is the easiest type to exploit because the attacker can immediately see the result of the command.
Blind (Out-of-band)
- Here, the command is executed but its output is not shown in the response.
- The attacker must use alternative techniques to confirm execution:
Time-Based
- Commands like sleep or ping are used to create a delay. If the response time increases, it indicates that the command was executed.
Output Redirection
- The command output is written to a file in a writable directory (such as /var/www/images/), which can later be accessed through the browser.
Out-of-Band (OOB)
- Commands like nslookup or curl are used to make the server send a request to an external system controlled by the attacker. The attacker monitors this external system to confirm that the command was executed.
This lab contains an OS command injection vulnerability in the product stock checker.
The application executes a shell command containing user-supplied product and store IDs, and returns the raw output from the command in its response.
To solve the lab, execute the whoami command to determine the name of the current user
First, I explored the website and noticed that the product page uses a URL parameter like productId=18.
When I changed it to productId=1, the page loaded a different product, which means the app uses this input dynamically (possible IDOR).
How does it work?
The vulnerability is exploited by injecting OS command metacharacters into the user input; these characters can terminate the intended command and allow a new, malicious command to be executed.
I then tried injecting the whoami command into productId, but nothing happened, so this parameter seems safe or not used for command execution.
Since the lab indicates that the vulnerability is in the product stock checker, I moved to it.
While intercepting the request, I noticed a request with parameters that looked more interesting.
I injected a malicious payload by adding |whoami:
productId=18&storeId=1|whoami
Using the ls command, I identified that the shell script filename used is:
stockreport.sh
How does the attack work?
Let's assume that the vulnerable PHP code is:
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST")
{
    // user input is taken straight from the request body
    $productId = $_POST['productId'];
    $storeId = $_POST['storeId'];
    // and interpolated, unvalidated, into a string that is handed to the shell
    $output = system("stockreport.sh $productId $storeId");
    echo "<pre>$output</pre>";
}
?>
<form id="stockCheckForm" action="/product/stock" method="POST">
    <input required="" type="hidden" name="productId" value="15">
    <select name="storeId">
        <option value="1">London</option>
        <option value="2">Paris</option>
        <option value="3">Milan</option>
    </select>
    <button type="submit" class="button">Check stock</button>
</form>
1- the form sends normal data:
productId=15&storeId=3
2- the PHP code builds and executes:
system("stockreport.sh $productId $storeId");
stockreport.sh 15 3
3- the attacker intercepts the request:
productId=15&storeId=3
and changes it by appending |cmd:
productId=15&storeId=3|whoami
4- the PHP code now executes:
system("stockreport.sh $productId $storeId");   // $storeId is now "3|whoami"
stockreport.sh 15 3|whoami
The system() function in PHP passes the whole string to the shell.
5- the shell sees the | operator and interprets it as:
run stockreport.sh 15 3 first, then run the whoami command
6- the server returns the results of both commands: the stock check value and the operating system user
Result:
the attacker runs commands on the server, because user input is used directly in a system command without validation.
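As an added example that is not part of the original post, here is the same stock checker rewritten so that the injection above no longer works; it assumes the same form fields (productId, storeId 1..3) and the same stockreport.sh script, and the same pattern (allowlist validation plus shell quoting) closes the blind variants in the feedback-form labs that follow.

```php
<?php
// Added example, not the lab's code: a hardened rewrite of the vulnerable stock checker.
// Assumes the same form (productId, storeId in 1..3) and the same stockreport.sh script.
if ($_SERVER["REQUEST_METHOD"] == "POST")
{
    // 1. Allowlist validation: both IDs must be plain positive integers, so a value such
    //    as "3|whoami" or "test||sleep 10||" is rejected before it reaches any shell.
    $productId = filter_input(INPUT_POST, 'productId', FILTER_VALIDATE_INT,
                              ['options' => ['min_range' => 1]]);
    $storeId   = filter_input(INPUT_POST, 'storeId', FILTER_VALIDATE_INT,
                              ['options' => ['min_range' => 1, 'max_range' => 3]]);
    // filter_input() returns false on failure and null when the field is missing.
    if (!is_int($productId) || !is_int($storeId)) {
        http_response_code(400);
        exit("Invalid product or store ID");
    }

    // 2. Defence in depth: shell-quote the (already numeric) arguments, so that even a
    //    future relaxation of the validation cannot let | ; & ` $ end the intended command.
    $cmd = 'stockreport.sh ' . escapeshellarg((string) $productId)
         . ' ' . escapeshellarg((string) $storeId);
    $output = shell_exec($cmd);

    // 3. Encode the report before echoing it, so command output cannot inject HTML.
    echo "<pre>" . htmlspecialchars((string) $output) . "</pre>";
}
?>
```

On PHP 7.4 and later, passing the command to proc_open() as an array of arguments bypasses the shell entirely, which removes the metacharacter problem altogether rather than quoting around it.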
This lab contains a blind OS command injection vulnerability in the feedback function.
The application executes a shell command containing the user-supplied details. The output from the command is not returned in the response.
To solve the lab, exploit the blind OS command injection vulnerability to cause a 10-second delay.
First, I started by reviewing the application and found a feedback form with typical input fields such as name, email, subject, and message.
Since the vulnerability is blind, I understood that the command output would not be displayed.
To verify the exploitation, I relied on a time delay technique.
I chose the email parameter and injected the following payload:
email=test||sleep+10||
|| : is used to append another command
sleep 10 : forces the server to pause for 10 seconds
The server response was noticeably delayed by about 10 seconds; this behavior confirmed that the injected command was executed successfully.
This lab contains a blind OS command injection vulnerability in the feedback function.
The application executes a shell command containing the user-supplied details. The output from the command is not returned in the response. However, you can use output redirection to capture the output from the command. There is a writable folder at: /var/www/images/
The application serves the images for the product catalog from this location. You can redirect the output from the injected command to a file in this folder, and then use the image loading URL to retrieve the contents of the file.
To solve the lab, execute the whoami command and retrieve the output.
Initially, I tried to apply the same technique used in the previous lab, which had worked successfully; however, this challenge required a different approach to properly identify and exploit the vulnerability.
After multiple attempts and testing various payloads, I focused on the feedback form and intercepted the request.
I observed that the data was sent via a POST request, making the email parameter a good candidate for testing.
Based on the lab instructions, I learned that the server had a writable directory located at:
/var/www/images/
Any files written to this directory could be accessed through the browser using:
https://<lab-id>.web-security-academy.net/images/
I decided to redirect the output of a system command into a file within this directory.
I then injected the following payload into the email parameter:
After creating the file, I proceeded to retrieve its contents. I navigated to a page where an image was being loaded and intercepted the request responsible for fetching that image; then I modified the filename parameter in the request to point to the file I had created:
/images/ANRXMR.txt
This allowed me to access the contents of the file directly through the application, confirming that the command output had been successfully written and retrieved.