OS Injection

Operating system command injection is similar to the other injection attacks we’ve covered in this chapter, but instead of, say, database queries, you’ll inject a command separator and operating system commands. When you’re performing operating system injection, it helps a great deal to know which operating system is running on the target server. Make sure you get the most out of your Nmap scans during reconnaissance in an attempt to glean this information.

As with all other injection attacks, you’ll begin by finding a potential injection point. Operating system command injection typically requires being able to leverage system commands that the application has access to or escaping the application altogether. Some key places to target include URL query strings, request parameters, and headers, as well as any request that has thrown unique or verbose errors (especially those containing any operating system information) during fuzzing attempts.

Characters such as the following act as command separators, which let a shell chain multiple commands on a single line. If a web application passes unsanitized input to the operating system, an attacker can append a command separator to the existing command and follow it with additional operating system commands:

  • |

  • ||

  • &

  • &&

  • '

  • "

  • ;

  • '"

If you don’t know a target’s underlying operating system, put your API fuzzing skills to work by using two payload positions: one for the command separator followed by a second for the operating system command. The table below is a small list of potential operating system commands to use.
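To show why the separators above matter and what the fix looks like, here is an added example (not from the original text): a lookup handler that builds a shell command line from a request parameter, beside a hardened version that validates the value against an allowlist and passes it as a single argument with no shell, plus a small check that flags the separators listed above for logging. `echo` stands in for whatever tool the application would really call so the example runs offline; the input values are constructed.

```python
import re
import subprocess

# Command separators from the list above. Matching on them is a detection
# aid for logging and alerting, not the fix; the allowlist below is the fix.
SEPARATORS = ("||", "&&", "|", "&", ";", "'", '"')

# Allowlist for the expected value: a hostname made of letters, digits,
# dots and hyphens, nothing else.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

# Assumption: 'echo' stands in for the real tool (nslookup, ping, ...) the
# application would invoke, so the example is deterministic and offline.
TOOL = "echo"


def find_separators(value: str) -> list[str]:
    """Return the separators present in a parameter value, for detection."""
    return [sep for sep in SEPARATORS if sep in value]


def lookup_vulnerable(host: str) -> str:
    """Interpolates user input into a shell command line: the injectable pattern."""
    result = subprocess.run(
        f"{TOOL} resolving {host}", shell=True, capture_output=True, text=True
    )
    return result.stdout


def lookup_hardened(host: str) -> str:
    """Validates the input, then passes it as one argv element with no shell."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    result = subprocess.run(
        [TOOL, "resolving", host], capture_output=True, text=True
    )
    return result.stdout


if __name__ == "__main__":
    benign = "example.com"
    # Constructed request parameter: hostname, separator, second command.
    tampered = "example.com; echo INJECTED"
    print(find_separators(tampered))          # [';']
    print(lookup_vulnerable(tampered))        # second line reads INJECTED
    print(lookup_hardened(benign))            # resolving example.com
    try:
        lookup_hardened(tampered)
    except ValueError as err:
        print(err)                            # rejected host parameter: ...
```

The hardened version still fails if the input is merely rejected and not logged; route the `find_separators` result to your application logs so attempts show up in detection.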

Common Operating System Commands to Use in Injection Attacks

Operating System / Command

Windows

  • ipconfig shows the network configuration.

  • dir prints the contents of a directory.

  • ver prints the operating system and version.

*nix (Linux and Unix)

  • whoami prints the current user.

  • ifconfig shows the network configuration.

  • ls prints the contents of a directory.

  • pwd prints the current working directory.