Detection Methods
π Discovery Techniques: Methods to detect and identify OS command injection vulnerabilities in web applications
Overview
The process of detecting basic OS Command Injection vulnerabilities is the same process for exploiting such vulnerabilities. We attempt to append our command through various injection methods. If the command output changes from the intended usual result, we have successfully exploited the vulnerability.
This may not be true for more advanced command injection vulnerabilities because we may utilize various fuzzing methods or code reviews to identify potential command injection vulnerabilities. We may then gradually build our payload until we achieve command injection.
Focus: This module focuses on basic command injections, where we control user input that is being directly used in a system command execution function without any sanitization.
Command Injection Detection
Target Analysis Example
Scenario: Host Checker utility that asks for an IP to check whether it is alive or not.
Initial Test:
# Input: 127.0.0.1
# Expected functionality: ping commandExpected Backend Command:
ping -c 1 OUR_INPUTAnalysis: If our input is not sanitized and escaped before it is used with the ping command, we may be able to inject another arbitrary command.
Detection Strategy
Goal: Determine if the web application is vulnerable to OS command injection by:
Identifying input points that may be processed by system commands
Testing injection operators to see if additional commands execute
Analyzing response changes to confirm successful injection
Mapping application behavior to understand the underlying command structure
Command Injection Methods
Injection Operators Reference
Injection Operator
Character
URL-Encoded
Execution Behavior
Use Case
Semicolon
;
%3b
Both commands execute
Command separation
New Line
\n
%0a
Both commands execute
Line termination
Background
&
%26
Both execute (second output usually shown first)
Parallel execution
Pipe
|
%7c
Both execute (only second output shown)
Output redirection
AND
&&
%26%26
Both execute (only if first succeeds)
Conditional execution
OR
||
%7c%7c
Second executes (only if first fails)
Error handling
Sub-Shell
`
%60%60
Both execute (Linux-only)
Command substitution
Sub-Shell
$()
%24%28%29
Both execute (Linux-only)
Modern command substitution
Operator Details
1. Semicolon (;)
Usage: Command separator - executes commands sequentially
Compatibility: Works on Linux/Unix and PowerShell, may not work on Windows CMD
2. New Line (\n)
Usage: Creates new command line
Compatibility: Universal across all platforms
3. Background (&)
Usage: Runs first command in background, executes second immediately
Note: Second command output often appears first
4. Pipe (|)
Usage: Pipes output of first command to second
Result: Only second command output is typically shown
5. AND (&&)
Usage: Executes second command only if first succeeds (exit code 0)
Advantage: Ensures first command completes successfully
6. OR (||)
Usage: Executes second command only if first fails (non-zero exit code)
Use Case: Exploit error conditions
7. Sub-Shell Backticks (`)
Usage: Command substitution - executes command and returns output
Limitation: Linux/Unix only
8. Sub-Shell Modern ($())
Usage: Modern command substitution syntax
Limitation: Linux/Unix only
Platform Compatibility
Universal Operators
These work across all platforms (Linux, Windows, macOS):
;(except Windows CMD)\n&|&&||
Unix-Only Operators
These work on Linux and macOS only:
`(backticks)$()(sub-shell)
Platform-Specific Notes
Windows CMD Limitations:
PowerShell Compatibility:
Linux/Unix Full Support:
Detection Methodology
Step 1: Identify Input Points
Common Vulnerable Parameters:
IP address fields
Filename inputs
System utilities (ping, nslookup, traceroute)
File processing functions
Search functionality
Configuration settings
Step 2: Test Basic Injection
Simple Test Payloads:
Step 3: Analyze Response Changes
Positive Indicators:
Additional command output appears
Error messages change
Response timing differences
Different HTTP status codes
Example Response Analysis:
Step 4: Confirm Injection
Verification Commands:
Detection Tips
Best Practices
1. Start Simple:
2. Use Safe Commands:
3. Test Multiple Operators:
4. URL Encoding:
Common Pitfalls
β Avoid These Mistakes:
Don't use destructive commands during detection
Don't ignore URL encoding requirements
Don't test only one injection operator
Don't forget platform-specific limitations
β Best Practices:
Use harmless verification commands
Test multiple injection methods
Consider the target platform
Document successful injection vectors
Practical Example
Host Checker Exploitation
Target: IP address input field in ping utility
Detection Process:
1. Normal Input:
2. Injection Test:
3. Verification:
4. System Enumeration:
This methodical approach ensures reliable detection of command injection vulnerabilities while maintaining operational security.
Lab Exercise
HTB Academy Challenge
Target: Host Checker utility at provided IP:PORT
Task: Try adding injection operators after the IP in the input field
Detection Question: What did the error message say when using injection operators?
Testing Approach:
Try each injection operator systematically
Note any error messages or changed responses
Document which operators trigger different behavior
Identify successful injection indicators
Expected Workflow:
Success Indicators:
Additional command output appears
Error messages mention injected commands
Response structure changes
Different timing in responses
Remember: The goal is to confirm whether the application is vulnerable to command injection through systematic testing of injection operators.
Last updated