OS Command Injection
What is OS Command Injection?
Applications that dynamically execute system commands, such as running shell scripts or performing administrative tasks, are particularly vulnerable. If they fail to validate and sanitize user input, attackers can inject additional commands, leading to full system compromise.
How risky is OS Command Injection?
The consequences include Remote Code Execution (RCE), where an attacker can execute arbitrary commands, Sensitive Information Disclosure, allowing access to files like /etc/passwd and environment variables, and Denial of Service (DoS) by running resource-intensive commands. Applications that use insecure system calls, such as PHP's exec(), Python's os.popen(), and Node.js's child_process.exec(), are especially vulnerable when user input is not properly validated.
What should you do to prevent OS Command Injection?
If executing system commands is unavoidable, a safe execution approach must be enforced. This includes parameterized command execution, strict input validation, and privilege minimization.
A positive validation approach (whitelist validation) should be used to explicitly allow only predefined inputs. For example, if an application needs to allow only specific IP addresses or domain names, input should be checked against an allowlist.
Proper escaping of input based on the operating system is also essential. Different operating systems use different shell metacharacters (;, &, |), so input must be sanitized accordingly.
Additionally, applications should run with the least privileges necessary to limit the impact of a successful attack. A compromised web application running with root privileges can result in a full system takeover, whereas a low-privilege process significantly reduces risk.
How to detect OS Command Injection in your web application?
A vulnerable web application may execute system commands using functions like exec(), system(), popen(), or child_process.exec(), taking user input as part of the command. If input is not properly sanitized, attackers can inject additional commands using shell metacharacters like ;, &&, |, and $().
To identify this vulnerability, we will create a Python-based scanner that sends payloads containing OS command injection patterns to an application's URL. If the response includes unexpected system output, it indicates a potential vulnerability.
import requests
import sys
import re
INJECTION_PAYLOADS = ["test; id", "test && whoami", "test | uname -a", "test $(whoami)", "test & echo vulnerable", "test || dir"]
DETECTION_PATTERNS = [r"uid=\d+\(.*?\)", r"Linux.*?GNU", r"root|admin|user", r"Volume Serial Number", r"C:\\Users\\|C:\\Windows"]
def detect_os_command_injection(url, param):
for payload in INJECTION_PAYLOADS:
target_url = f"{url}?{param}={payload}"
print(f"Testing: {target_url}")
try:
response = requests.get(target_url, timeout=5)
if response.status_code == 200:
for pattern in DETECTION_PATTERNS:
if re.search(pattern, response.text, re.IGNORECASE):
print(f"[!] Potential OS Command Injection Detected on: {target_url}")
print(f" Response: {response.text[:200]}...\n")
return True
except requests.RequestException as e:
print(f"[!] Error testing {target_url}: {e}")
print("[+] No OS Command Injection detected.")
return False
if __name__ == "__main__":
if len(sys.argv) != 3:
print("Usage: python detect_os_command_injection.py ")
print("Example: python detect_os_command_injection.py http://example.com/ping host")
sys.exit(1)
target_url = sys.argv[1]
parameter = sys.argv[2]
detect_os_command_injection(target_url, parameter) This script performs remote testing by sending multiple payloads to the specified URL parameter. It then analyzes the HTTP response to determine if OS command injection occurred. The detection logic works as follows:
1. Injects OS command payloads into the specified HTTP parameter.
2. Sends HTTP requests and waits for the server’s response.
3. Checks for system-related output using regex patterns.
4. Identifies vulnerabilities if any system output (like user IDs, kernel versions, or Windows paths) is returned in the response.
Note: These scripts are for educational purposes only. Always ensure you have permission before scanning or testing websites you don't own or operate.
Vulnissimo scored the severity risk of this vulnerability to 99 out of 100. This means that it requires emergency attention.
Vulnissimo tests for OS Command Injection and many more. Sharpen your security posture with our advanced web vulnerability scanner.