OS Command Injection
In short, these flaws occur when user-supplied input is interpreted as code by the back-end system. The most common types of injection attack are SQL injection and command injection.
SQL injection involves manipulating queries for a desired and unconventional outcome, such as passing a string at login that evaluates to true, or returning sensitive data from a database that we are not authorized to access.
Command injection involves user input that takes advantage of illegal characters, forcing the system to execute the remaining string as a command. This allows for remote code execution and can lead to a remote takeover of the host.
The main mitigation strategy for injection attacks is to sanitize and control user input, stripping any illegal characters.
Example
Command injection can occur during server-side parsing, when the web application passes user-provided input into a system call on the back-end host. For example, a PHP web application that takes unsanitized input from a search box and executes it as part of a command could allow a reverse shell to be launched, giving the attacker persistence.
Let's look at blind command injection, which occurs when commands passed to the server through "system" do not return their output to the user. Active command injection, by contrast, does return the output to the user. Let's take a look at the example webshell code below to identify the command injection vulnerability. We can see that $command_string is passed and executed with no checks for illegal or malicious input.
<?php
// Deliberately vulnerable: the GET parameter is passed straight to the shell.
if (isset($_GET["commandString"])) {
    $command_string = $_GET["commandString"];
    try {
        passthru($command_string);
    } catch (Error $error) {
        echo "<p class=mt-4><b>$error</b></p>";
    }
}
?>
The code checks that the commandString parameter is set
If it is, the value is stored in the variable $command_string
The program then attempts to execute passthru($command_string)
If the command does not succeed, an error is echoed to the user
Example 2
Here we will look at a URL to show how command injection can work. Imagine we are dealing with an online store.
https://mystore.com/stockStatus?productID=451&storeID=69
In order to provide information on store stock, the web application must query various systems. In this case it would run a script we can call stockcheck.pl with the arguments 451 69.
This script returns the stock inventory status to the user and, should there be no security in place, we can pass commands in the URL. The default output here would be that of echo 451 69. But if we passed a system command such as productID=451&storeID=whoami, we could see 451 followed by the output nt/system.
Example 3
You will notice in the code below that the variable $domain is defined by user input and placed within the $lookup variable, which is echoed back to the user. We can exploit this as no input validation is in place, and a command such as "ls -a" would echo back to us all files and folders in the current directory.
<?php
if (isset($_GET['domain'])) {
    echo '<pre>';
    $domain = $_GET['domain'];
    $lookup = system("nslookup {$domain}");
    echo($lookup);
    echo '</pre>';
}
?>
Illegal Characters
&
&&
|
||
;
0x0a
\n
`command here`
$(command here)
Mitigation strategies
The first and foremost mitigation strategy is to not make OS command calls in the first place. You could use an API instead, which removes the need to pass user input through to the OS. If that cannot be implemented, then strict input validation is necessary.
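As an added example (not code from the original page), here is how the nslookup lookup from Example 3 could be hardened following both strategies above: resolving the name through PHP's native DNS API so no shell is involved, or, where a command is unavoidable, allowlisting the input and quoting it with escapeshellarg(). The function names are our own.

```php
<?php
// Allowlist validation: accept only RFC 1123 style hostname labels, so
// shell metacharacters such as ; & | ` $( ) can never reach a command line.
function isValidHostname(string $domain): bool {
    if ($domain === '' || strlen($domain) > 253) {
        return false;
    }
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return preg_match("/^(?:{$label}\\.)*{$label}$/i", $domain) === 1;
}

// Strategy 1 (preferred): do not shell out at all. dns_get_record() resolves
// the name in-process, so there is no command string to inject into.
function lookupWithoutShell(string $domain): array {
    if (!isValidHostname($domain)) {
        return [];
    }
    $records = dns_get_record($domain, DNS_A);
    return $records === false ? [] : array_column($records, 'ip');
}

// Strategy 2: if nslookup must be run, validate first and then pass the
// value as one quoted argument. escapeshellarg() wraps it in single quotes
// and escapes embedded quotes, so "; ls -a" stays inside the argument.
function lookupWithEscapedArg(string $domain): string {
    if (!isValidHostname($domain)) {
        return 'invalid hostname';
    }
    $output = shell_exec('nslookup ' . escapeshellarg($domain));
    return is_string($output) ? $output : '';
}

// Request handling: output is HTML-escaped before being echoed, unlike
// the original snippet, which echoed raw command output into the page.
if (isset($_GET['domain'])) {
    $result = lookupWithEscapedArg((string) $_GET['domain']);
    echo '<pre>' . htmlspecialchars($result, ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Sanity checks when run from the command line (constructed inputs).
if (PHP_SAPI === 'cli') {
    assert(isValidHostname('example.com') === true);
    assert(isValidHostname('example.com; ls -a') === false);
    assert(isValidHostname('$(whoami).example.com') === false);
    assert(lookupWithEscapedArg('a|b') === 'invalid hostname');
}
```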