Explaining vulnerabilities: OS command injection {Bug bounties}

Falken Smaze
3 min read · Nov 25, 2022

Injection is one of the most impactful and severe bugs that can be found in a web application, ranking right below Broken Access Control and Cryptographic Failures on the OWASP Top Ten.

Because of this, we definitely need to have an understanding of injection attacks. Today, you’ll learn about OS command injections.

What is OS command injection?

  • Command injection occurs when we can control a specific parameter that gets passed into a shell / command line. If the input is not handled and sanitized properly, we can insert arbitrary commands that will get executed on behalf of the web server.

Exploit strategy

  • While the theory is relatively simple, finding a vulnerability like this is quite difficult.
  • The reason is that we never really know which of our actions will trigger the web server to execute a shell command. This means that we will need to fuzz every parameter we find.
  • However, which characters/strings will we use in the fuzzing process?

Separators

-> (for both Windows and Unix-based systems, including GNU/Linux)

  • &
  • &&
  • |
  • ||

-> (only for Unix-based systems and GNU/Linux)

  • ;
  • Newline (0x0a or \n)
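
The definition and the separator list above, seen from the code side: this is an added example, not part of the original article, showing a handler that concatenates input into a shell string next to a hardened version that validates the value and passes it as an argv list. The "host lookup" feature, the function names and the use of `echo` as a harmless stand-in for the real tool are assumptions; it expects a Unix-like host with `/bin/sh`.

```python
import re
import subprocess

# Constructed demo: a hypothetical "host lookup" feature. `echo` stands in for
# the real tool so the demo is harmless and runs offline on a Unix-like host.
SEPARATORS = ["&", "&&", "|", "||", ";", "\n"]  # the article's separator list

# Allowlist: letters, digits, dots, hyphens; must start with a letter or digit
# so the value can never be read as an option such as "-x".
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def lookup_vulnerable(host: str) -> str:
    """Vulnerable: input is concatenated into a string that /bin/sh parses."""
    cmd = "echo lookup " + host
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True, timeout=5).stdout


def lookup_hardened(host: str, validate: bool = True) -> str:
    """Hardened: allowlist check, then an argv list with no shell involved."""
    if validate and not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname")
    return subprocess.run(["echo", "lookup", host], capture_output=True,
                          text=True, timeout=5).stdout


def marker_ran(stdout: str) -> bool:
    """True if MARKER was printed by its own command, not echoed as data."""
    return "MARKER" in stdout.splitlines()


def audit() -> dict:
    """Map each separator to whether the second command ran in each version."""
    # Note: `a || b` runs b only when a fails, so it reports False here.
    report = {}
    for sep in SEPARATORS:
        value = f"example.com {sep} echo MARKER"
        report[sep] = {
            "vulnerable": marker_ran(lookup_vulnerable(value)),
            "argv_only": marker_ran(lookup_hardened(value, validate=False)),
            "rejected_by_allowlist": HOSTNAME_RE.fullmatch(value) is None,
        }
    return report


if __name__ == "__main__":
    for sep, row in audit().items():
        print(repr(sep), row)
```

The argv form alone keeps every separator as literal data; the allowlist is kept as a second layer because a value beginning with `-` could still be read as an option by the real tool.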

Commands

  • whoami (Linux & Windows)
  • uname -a (Linux)
  • ver (Windows)
  • ifconfig (Linux)
  • ipconfig (Windows)
  • netstat -an
  • ps -ef (Linux)
  • tasklist (Windows)

With all of this information, create a fuzzing list. Or use an existing one which I have created and uploaded to GitHub specifically for you: fuzzing-list

What’s left to do?

  • The only thing left to do now is hunt for these vulnerabilities using the knowledge you have acquired.

Step 1 — Open up Burp

Step 2 — Use the methodology I have explained in my latest article to discover every single functionality and parameter of the website

Step 3 — Right click on the specific request that includes the parameter and send it to Burp Intruder

Step 4 — Go to Positions > Sniper

Step 5 — Payloads > Payload Options [Simple list] > Load … > input the wordlist

Step 6 — Start attack

[Screenshots: Step 3–4, Step 5, Final step]

I hope you’ve found this piece of content useful. If you have, make sure to check out my latest article as well as my other “Explaining Vulnerabilities” article which goes over XSS.

Thank you for the attention && have a wonderful day
