Generic Command Injection Vulnerability Scanner
A command injection vulnerability occurs when an attacker is able to pass malicious input to a program and have that input executed as an OS command. This can allow attackers to run operation system-level command execution. Command injection is often possible due to insecure coding practices that do not properly validate or sanitize user input.
Short Info
Level
Critical
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
3 days
Scan only one
URL, Request
Toolbox
-
One common way to exploit a command injection vulnerability is through the use of shell commands. Attackers can pass in malicious input that will be executed as a shell command by the app. This can allow attackers to execute arbitrary commands on the system or gain access to sensitive information.
Command injection vulnerabilities are different from code injection vulnerabilities. Code injection vulnerabilities allow attackers to execute arbitrary application code on the app.
Operation System Command Execution in the Applications
In order to operate, some web applications must execute operating system commands (OS commands) from time to time. An application, for example, might need to run a shell script and get its output. When an application issues an OS command, it transmits the string to the operating system so that it may be executed.
Typically, user input must be parsed before it can be used as an argument in an OS command. This parsing usually consists of removing any special characters that could be used to change the meaning of the command or its arguments. For example, the shell uses certain characters, such as & (ampersand) and | (pipe), for special purposes. If these characters are not stripped out before being used as part of an OS command, they could be used by an attacker to change the meaning of the command.
Sample Code For OS Command Injection Vulnerabilities
In the following pseudo-code, user input is not properly sanitized before being used to form an OS command. This could allow an attacker to inject arbitrary commands into the application.
/* take user input and turn it into a shell command to DNS Query*/ command = user_input; /* use user input with a DNS query command*/ command = "dig "+ command /* issue the shell command to the operating system */ output =system(command); print(output)
As you can see, an attacker could exploit this vulnerability by entering a specially crafted string as user input. By doing so, they could execute arbitrary commands on the system. For example, by entering 'google.com' the program will execute
`dig google.com`
end print output. But if an attacker gives input like `google.com && another command the program will execute:
`dig google.com && another command`
which can run the attacker's command.
How to Detect OS Command Injection Vulnerability
To find out whether a given piece of software is vulnerable to command injection, you can simply supply it with various strings containing shell metacharacters (&, |, ;, `, \", \', (, ), <, >, *, ?, space) and other characters that have special meaning to the operating system. If the software executes these strings as commands without properly sanitizing them first, then it is likely vulnerable to command injection.
The online S4E OS command injection scanner checks the given application parameters for vulnerability. You can also use some other tools like;
Payloads For OS Command Injection Vulnerabilities
There are a number of different payloads that can be used to exploit OS command injection vulnerabilities. In many cases, the payload will simply allow the attacker to execute arbitrary commands on the system.
General payloads
Payload for Windows
- dir
- | dir
- ; dir
- $(`dir`)
- & dir
- &&dir
- && ipconfig /all
- | net user hacker Password1 /ADD
Payloads for Linux
- ;id
- ;netstat -a;
- ;system('cat%20/etc/passwd')
- & ping -i 30 127.0.0.1 &
- cat /etc/hosts
- $(`cat /etc/passwd`)
- " || whoami