OS - Command Injection


OS Command Injection

20CYS403 – Web Application Security

Rahul Sreenivasan – CH.EN.U4CYS20061


Definition

• OS Command Injection is a security vulnerability that occurs when an application allows untrusted data to be executed as part of a command sent to the operating system. Attackers can exploit this vulnerability to execute arbitrary system commands with the privileges of the application.

• OS Command Injection is typically a server-side vulnerability. It occurs when input from a client (e.g., a web form or API request) is not properly sanitized or validated before being used in a system command on the server.

Metacharacters

Metacharacters are the symbolic operators the shell uses to separate one command from the next, so an attacker uses them to separate the intended command from the unwanted system command. The semicolon (;) and the ampersand (&) are the separators most commonly used to divide the legitimate input command from the command the attacker is trying to inject.

Diagram

Steps to exploit – OS Command Injection

Step 1: Identify the input field

Step 2: Understand the functionality

Step 3: Try the ping method (time delay)

Step 4: Use various operators to exploit OS Command Injection

“Command Injection differs from Code Injection”, in that code injection allows the attacker to add their own code that is then executed by the application. In Command Injection, the attacker extends the default functionality of the application, which executes system commands, without the necessity of injecting code.

Working Demo

Figure 1: Exploiting OS command Injection


Impact of OS Command Injection

OS command injection is one of the most powerful vulnerabilities, with “High Severity having a CVSS Score of 8”.

Thus, this injection is reported under:

1. CWE-77: Improper Neutralization of Special Elements used in a Command.

2. CWE-78: Improper Neutralization of Special Elements used in an OS Command.

• The impact of OS Command Injection can be severe. It can lead to data loss, unauthorized access, and even complete
compromise of the server.

• Attackers can execute arbitrary commands, which could include downloading sensitive data, modifying configurations,
or even taking control of the entire server.

• The impact depends on the privileges of the process executing the command and the level of access an attacker gains.

How to Prevent OS Command Injection

• Use Proper Input Validation and Sanitization: Ensure that user inputs are properly validated and sanitized to remove or escape special characters that could be used in commands.

• Use Parameterized Queries: If your application interacts with a database, use parameterized queries or prepared statements to prevent SQL injection, which can sometimes lead to command injection.

• Least Privilege Principle: Run your application with the least necessary privileges, so even if an attacker injects a command, it won't have excessive system access.
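As an added example (not from the slides), the flawed string-building pattern beside a hardened version in Python: the hardened function checks the host argument against an allowlist (the regular expression and the `ping -c 1` command are assumptions for this demo) and passes it to `subprocess` as a single argument with no shell, so the `;` and `&` separators from the Metacharacters slide are never parsed as command separators.

```python
import re
import subprocess

# Allowlist for a "host" argument: an IPv4 dotted quad or a DNS name made of
# letters, digits, hyphens and dots. This is an assumption of the example;
# adjust it to the input contract of your own application.
_HOST_RE = re.compile(
    r"^(?:\d{1,3}(?:\.\d{1,3}){3}"
    r"|[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*)$"
)

# Characters a POSIX shell treats specially; useful for logging rejected input.
SHELL_METACHARS = set(";&|`$<>()\n\"'\\ ")


def shell_metachars(value: str) -> set:
    """Return the shell metacharacters found in value (for detection/logging)."""
    return {c for c in value if c in SHELL_METACHARS}


def vulnerable_command(host: str) -> str:
    """The flawed pattern: untrusted text is spliced into a command line.
    If this string reached os.system() or subprocess.run(..., shell=True),
    a ';' or '&' inside host would end ping and start a second command."""
    return f"ping -c 1 {host}"


def is_valid_host(host: str) -> bool:
    """Allowlist check. A leading '-' is also rejected, so the value cannot be
    read by ping as an option (argument injection) even without a shell."""
    return 0 < len(host) <= 253 and _HOST_RE.fullmatch(host) is not None


def build_ping_argv(host: str) -> list:
    """Hardened: validate first, then keep host as one argv element so no shell
    ever parses it. Raises ValueError on rejected input."""
    if not is_valid_host(host):
        found = sorted(shell_metachars(host))
        raise ValueError(f"rejected host {host!r}; metacharacters found: {found}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Run the hardened command without a shell and return its exit status."""
    argv = build_ping_argv(host)
    result = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=10)
    return result.returncode
```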
Thank You
