How it Works

  • Similar to SQL injection

  • Many languages include functionality to execute OS commands

    • PHP: shell_exec();

    • Java: java.lang.Runtime.getRuntime().exec();

    • Python: os.system()

  • Occurs when untrusted input is passed to an OS command execution function:

  • Example: shell_exec("ping -c 5 " . $input_from_user);

    • $input_from_user = "8.8.8.8"

      • Result: shell_exec("ping -c 5 8.8.8.8");

    • $input_from_user = "8.8.8.8 && cat /etc/passwd"

      • Result: shell_exec("ping -c 5 8.8.8.8 && cat /etc/passwd");

Demo

How to detect

  • Source code analysis

    • exec

    • system

  • Test all suspected OS command inputs with special shell characters:

    • Ampersand: &&

    • Pipe: |

    • Semicolon: ;

    • Greater-than symbol: >

  • Scanners

    • Burp Suite

    • Zed Attack Proxy

Mitigations

  • Avoid calling OS command functions

    • Avoid passing user input to OS command functions

  • Filter untrusted input (e.g. regex)

    • Difficult to build a complete filter

  • Whitelist input values
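The ping example from the "How it Works" slide and the mitigations above, written out in Python (the deck names os.system() as the equivalent sink). This is an added example, not code from the deck: it shows the vulnerable concatenation pattern next to a hardened version that whitelists the value (it must parse as an IP address) and passes an argv list with no shell involved. Function names and the metacharacter set are assumptions chosen for illustration.

```python
import ipaddress
import subprocess
from typing import List, Optional

# Vulnerable pattern: the raw user string is concatenated into a shell command
# line, exactly like the deck's shell_exec("ping -c 5 " . $input_from_user).
# Returned as a string rather than executed, so the effect can be inspected.
def build_vulnerable_command(input_from_user: str) -> str:
    return "ping -c 5 " + input_from_user

# Characters the detection slide lists (plus a few shell equivalents). Useful as a
# server-side guard and as a grep pattern in logs, but NOT a sufficient filter on its own.
SHELL_METACHARACTERS = set("&|;><`$()\n")

def contains_shell_metacharacters(value: str) -> bool:
    return any(ch in SHELL_METACHARACTERS for ch in value)

# Whitelist mitigation: accept only values that parse as an IPv4/IPv6 address and
# return the normalised form; anything else (including "8.8.8.8 && cat /etc/passwd")
# is rejected with None.
def validate_host(input_from_user: str) -> Optional[str]:
    try:
        return str(ipaddress.ip_address(input_from_user.strip()))
    except ValueError:
        return None

# Hardened version: validated value only, and an argv list instead of a command string.
def build_safe_argv(input_from_user: str) -> List[str]:
    host = validate_host(input_from_user)
    if host is None:
        raise ValueError("rejected: input is not an IP address")
    return ["ping", "-c", "5", host]

def safe_ping(input_from_user: str) -> subprocess.CompletedProcess:
    # shell=False (the default for a list): the argv goes straight to the OS, so a
    # "&&" in the argument would be a literal byte of the hostname, never a second command.
    return subprocess.run(build_safe_argv(input_from_user),
                          capture_output=True, text=True, timeout=30)

if __name__ == "__main__":
    # Constructed inputs from the deck's two cases.
    for value in ("8.8.8.8", "8.8.8.8 && cat /etc/passwd"):
        print("vulnerable command:", build_vulnerable_command(value))
        print("metacharacters present:", contains_shell_metacharacters(value))
        print("whitelist result:", validate_host(value))
```

Only safe_ping actually spawns a process; the other functions are pure so the two cases can be compared without running ping.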

Summary

  • Weakness Prevalence: Medium

  • Consequences: Code Execution

  • Remediation Cost: Medium

  • Ease of Detection: Easy

  • Attack Frequency: Often

  • Attacker Awareness: High