7. OS Command Injection vulnerability


What is Command Injection

An OS Command Injection vulnerability occurs when server-side code passes request data (for example, URL parameters) to operating system utilities through a shell. If those parameters are not properly validated or escaped, an attacker can append arbitrary commands, and the server will execute them as well.

For example, let's consider the following URL:

[Figure: structure of a URL with a query string]

Here, we invoke a server-side script or program that reads the specified file and then passes its contents to the browser. Here's how the server command will look:

perl  /var/www/readFile.pl  manual.pdf

From the image, it's evident that the application is written in Perl, and to execute scripts, the corresponding interpreter needs to be invoked.

If there is no input data filtering on the server, then alongside legitimate data, operating system commands can be injected:

[Figure: OS command injected into the URL parameter]

On the server, this command will look like this:

perl  /var/www/readFile.pl  manual.pdf;cat /etc/passwd

In this example, we used a special command separator (the semicolon, ;). It lets several commands be written on one line, and the shell executes them one after another. As a result, the server returns the contents of both manual.pdf and /etc/passwd. Wherever a Command Injection vulnerability exists, almost any command can be injected in this way.
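The readFile.pl handler from the example, rewritten in Python as an added illustration (this is not code from the page). The first function reproduces the unsafe pattern by concatenating the parameter into a shell command string; it returns the string instead of executing it, so the effect of a separator such as ; is visible in the result. The second validates the parameter against an allowlist and hands it to the interpreter as a separate argv element with no shell in between. The document root /var/www/docs and all function names are assumptions; the interpreter invocation perl /var/www/readFile.pl is the one shown on the page.

```python
import re
import subprocess
from pathlib import PurePosixPath

# Assumed directory the script is allowed to read from (not taken from the page).
DOC_ROOT = PurePosixPath("/var/www/docs")
# Interpreter and script path as shown on the page.
INTERPRETER = "perl"
SCRIPT = "/var/www/readFile.pl"

# Allowlist for the file-name parameter: letters, digits, '_', '.', '-' only.
# This excludes '/', whitespace, new lines and every separator from the
# text (; & | ` $ ( )). re.fullmatch forces the pattern to cover the whole string.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def build_vulnerable_command(filename: str) -> str:
    """Unsafe pattern from the page: the request parameter is spliced into a
    shell command string. Returned rather than executed, so the effect of a
    separator like ';' can be seen in the result."""
    return f"{INTERPRETER} {SCRIPT} {filename}"


def build_safe_argv(filename: str) -> list[str]:
    """Hardened version: reject anything outside the allowlist, then pass the
    file as its own argv element so no shell ever parses it."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected file name: {filename!r}")
    target = DOC_ROOT / filename
    return [INTERPRETER, SCRIPT, str(target)]


def read_file_safely(filename: str) -> bytes:
    """Run the script with shell=False; any separator characters that slipped
    through would reach the script as plain text, never as shell syntax."""
    argv = build_safe_argv(filename)
    result = subprocess.run(argv, shell=False, capture_output=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # The page's injected parameter, as the shell would receive it.
    print(build_vulnerable_command("manual.pdf;cat /etc/passwd"))
    # The hardened path accepts the legitimate value ...
    print(build_safe_argv("manual.pdf"))
    # ... and rejects the injected one before any process is started.
    try:
        build_safe_argv("manual.pdf;cat /etc/passwd")
    except ValueError as exc:
        print("blocked:", exc)
```

The important design choice is the argv list with shell=False: even if validation were bypassed, the operating system would start perl directly with the parameter as a single argument, and there is no shell present to interpret ;, &&, backticks or a new line. The allowlist is the second layer; it also rules out path traversal because '/' is not permitted.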


Command Chaining (Command Separators)

Both Linux and Windows systems allow for the sequential input of multiple commands. These commands can be executed by the system one after the other or based on the results of previous commands.

To separate commands, special separators (delimiters) are used; they tell the system how the entered commands are to be executed. The table below lists some common command separators:

Linux                    Windows                  Result
---------------------    ---------------------    ------
command1 && command2     command1 && command2     command2 is executed only if command1 succeeded
command1 || command2     command1 || command2     command2 is executed only if command1 failed
command1 ; command2      command1 & command2      Both commands are executed sequentially
command1 | command2      command1 | command2      On Windows both commands are executed sequentially; on Linux only the output of the second command is displayed
`command`                Not supported            The command between the backticks is executed
$(command)               Not supported            The command inside $( ) is executed
command1 %0A command2    command1 %0A command2    %0A is the URL-encoded new line character; both commands are executed sequentially

These command separators give a great deal of flexibility in how commands are executed in a command-line environment, which is exactly why an application must never let them reach a shell unfiltered.
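As an added example (not code from the page), a small detector that applies the separators from the table to web-server access-log entries: each query-string value is percent-decoded first, so an encoded %0A or %3B is inspected as the new line or semicolon the shell would actually see, and every separator in the table is checked against it. The log entries are constructed for this example, and all function and constant names are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# One pattern per separator in the table above. A lone '&' or '|' is matched
# only when it is not part of '&&' or '||', so each hit is reported once.
SEPARATOR_PATTERNS = {
    "&&": re.compile(r"&&"),
    "||": re.compile(r"\|\|"),
    ";": re.compile(r";"),
    "&": re.compile(r"(?<!&)&(?!&)"),
    "|": re.compile(r"(?<!\|)\|(?!\|)"),
    "backticks": re.compile(r"`[^`]*`"),
    "$(...)": re.compile(r"\$\([^)]*\)"),
    "newline": re.compile(r"[\r\n]"),
}

# Constructed access-log entries in common log format; not real traffic.
# Line 1 and line 7 are legitimate; lines 2-6 carry an encoded separator.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /cgi-bin/readFile.pl?file=manual.pdf HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2024:13:55:41 +0000] "GET /cgi-bin/readFile.pl?file=manual.pdf%3Bcat%20/etc/passwd HTTP/1.1" 200 6231
203.0.113.5 - - [10/Oct/2024:13:55:47 +0000] "GET /cgi-bin/readFile.pl?file=manual.pdf%0Aextra HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2024:13:55:52 +0000] "GET /cgi-bin/readFile.pl?file=manual.pdf%26%26extra HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2024:13:55:58 +0000] "GET /cgi-bin/readFile.pl?file=%60extra%60 HTTP/1.1" 500 0
203.0.113.5 - - [10/Oct/2024:13:56:03 +0000] "GET /cgi-bin/readFile.pl?file=%24%28extra%29 HTTP/1.1" 500 0
198.51.100.7 - - [10/Oct/2024:13:56:10 +0000] "GET /search?q=red+cars&page=2 HTTP/1.1" 200 1024
"""

# The quoted request line inside a common-log-format entry.
REQUEST_RE = re.compile(r'"([^"]*)"')


def separators_in(value: str) -> list[str]:
    """Names of the separators from the table that occur in a decoded value."""
    return [name for name, pat in SEPARATOR_PATTERNS.items() if pat.search(value)]


def scan_request(request: str) -> dict[str, list[str]]:
    """Check every query-string parameter of a request line such as
    'GET /path?a=b HTTP/1.1'. parse_qsl percent-decodes the values, so an
    encoded %0A or %3B is examined as the character the shell would receive."""
    parts = request.split(" ")
    if len(parts) < 2:
        return {}
    query = urlsplit(parts[1]).query
    findings: dict[str, list[str]] = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        hits = separators_in(value)
        if hits:
            findings[name] = hits
    return findings


def scan_access_log(text: str) -> list[tuple[int, dict[str, list[str]]]]:
    """Return (line number, findings) for every log entry with at least one hit."""
    flagged = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = scan_request(match.group(1))
        if findings:
            flagged.append((lineno, findings))
    return flagged


if __name__ == "__main__":
    for lineno, findings in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {lineno}: {findings}")
```

Two practical points follow from the table. First, the decoding step is what makes the newline row catchable: a filter that inspects only the raw, still-encoded URL never sees the %0A as a line break. Second, a lone | or & also appears in harmless free-text parameters (search strings, for instance), so in production this rule is best scoped to the parameters that are known to reach operating system utilities, while ;, &&, backticks and $( ) are rarely legitimate in a file-name parameter and can alert on their own.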