OS Command Injection
OS Command Injection is a security vulnerability in which an application passes unsanitized user input to a system shell (such as /bin/sh or Bash on Unix-like systems, or cmd.exe on Windows) for execution, allowing an attacker to run arbitrary operating system commands on the server. Because the shell, not the application, parses the command string, an attacker who can place shell metacharacters such as ;, &&, |, or $( ) in an input field can append or substitute commands of their own, which the operating system then executes.
How OS Command Injection Works:
Input Fields: Web applications often have input fields where users can submit data, such as search boxes, forms, or file upload functionalities.
Unsanitized User Input: If the application fails to properly validate or sanitize user input, attackers can inject malicious commands into these input fields.
Command Execution: The application passes the user-supplied input to the underlying operating system's shell for execution without proper validation, treating it as a legitimate command.
Arbitrary Command Execution: As a result, the attacker's injected commands are executed with the same privileges and permissions as the web server process, allowing them to perform unauthorized actions such as reading or modifying sensitive files, executing additional malicious code, or even taking control of the entire server.
Example Scenario:
Consider a web application that lets users ping a specified IP address to check its availability. The application builds the ping command directly from the user-supplied ip parameter and hands the resulting string to the shell. An attacker can exploit this by appending additional commands to the ip parameter. In this example, the attacker appends the ls -la command after the legitimate IP address, separated by a shell metacharacter such as a semicolon. As a result, ls -la is executed on the server, listing the contents of the current directory along with the ping output.
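The page's own snippet for this scenario is not reproduced above, so the following is an added example (not the original page's code) that rebuilds the vulnerable ping endpoint in Python instead of PHP. The function names, the -W 1 reply timeout and the payloads are assumptions chosen for the demonstration; the shape is the same as the scenario: the ip value is concatenated into a string that a shell parses.

```python
import subprocess


def build_vulnerable_command(ip: str) -> str:
    """Return the exact string the shell will receive.

    The -W 1 flag only bounds how long ping waits for a reply; it is an
    assumption for this demo and plays no part in the vulnerability.
    Nothing here validates or quotes `ip`, so whatever the user sends is
    re-parsed by /bin/sh together with the rest of the command.
    """
    return f"ping -c 1 -W 1 {ip}"


def ping_vulnerable(ip: str) -> str:
    """Vulnerable pattern: shell=True hands the whole string to /bin/sh.

    The shell honours metacharacters such as ';', '&&', '|' and $(...),
    so an attacker controls which programs run, with the privileges of the
    process that calls this function (the web server in the page's scenario).
    """
    result = subprocess.run(
        build_vulnerable_command(ip),
        shell=True,             # the root cause: a shell parses user input
        capture_output=True,
        text=True,
        timeout=15,
    )
    # Both streams are returned so the demo shows output regardless of whether
    # ping itself exists or is allowed to open a raw socket on this host.
    return result.stdout + result.stderr


if __name__ == "__main__":
    # The page's payload: a legitimate address followed by ';' and ls -la.
    # The shell runs ping, then runs ls -la in the web server's working directory.
    payload = "127.0.0.1; ls -la"
    print("shell receives:", build_vulnerable_command(payload))
    print(ping_vulnerable(payload))
```

Running the script shows the directory listing following the ping output; replacing ls -la with any other command (id, cat /etc/passwd, a reverse shell) works the same way, which is why the impact is arbitrary command execution rather than a leaked listing.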
Dangerous Functions List:
In PHP, the functions and constructs that hand a string to a shell, and therefore lead to OS Command Injection when that string contains unsanitized input, include:
shell_exec()
exec()
system()
passthru()
Backtick operator (`), which behaves like shell_exec()
popen() and proc_open() (when given a command string rather than an array)
Prevention of OS Command Injection:
To prevent OS Command Injection vulnerabilities, follow these best practices:
Input Validation: Validate user input against what the command actually needs (an IP address, a hostname, a filename) before using it, and reject anything else. Blocklisting individual shell metacharacters is error-prone, because every shell has many and they differ between shells, so prefer the allow-list approach below.
Parameterized Commands: Whenever possible, do not invoke a shell at all. Use an API that passes the program and its arguments as an array (for example, proc_open() with an array command in PHP 7.4+, or subprocess.run() with a list in Python), so that user input reaches the program as a single argument and is never parsed by a shell. If a shell is unavoidable, escape each argument with the language's quoting function (escapeshellarg() in PHP) as a second layer, never as the only control.
Allow-listing: Maintain an allow-list of permitted characters or patterns, or parse the input into the expected type (an IP address parser for the ping example), and accept only input that matches. Reject everything that deviates from the allow-list rather than trying to strip dangerous parts out of it.
Least Privilege Principle: Ensure that the web server process has minimal permissions and privileges necessary to perform its intended functions. Avoid running web server processes with root/administrator privileges.
Regular Security Audits: Conduct regular security audits and penetration testing to identify and remediate OS Command Injection vulnerabilities and other security issues proactively.
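The prevention list above, applied to the ping scenario, as an added example (not the page's code) written in Python rather than PHP: the input is parsed as an IP address (an allow-list, since anything that is not a literal address is rejected), the command is passed as an argv list so no shell ever sees the value, and shell quoting is shown only as the fallback layer for cases where a shell cannot be avoided. Function names and the -W 1 reply timeout are assumptions for the demo.

```python
import ipaddress
import shlex
import subprocess


def is_valid_ip(value: str) -> bool:
    """Allow-list check: accept only a syntactically valid IPv4 or IPv6 literal.

    Parsing into the expected type is stricter than a character allow-list:
    "1.2.3.4.5" or "::g" contain only 'safe' characters yet are still rejected.
    """
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def ping_argv(ip: str) -> list[str]:
    """Build the command as an argv list after validation.

    Each element is delivered to execve() as one argument, so even if the
    validation were bypassed, ';', '&&', '|' or $(...) inside `ip` would reach
    ping as literal characters in a hostname, never as shell syntax.
    """
    if not is_valid_ip(ip):
        raise ValueError(f"rejected input: {ip!r}")
    return ["ping", "-c", "1", "-W", "1", ip]   # -W 1: bounded wait (demo assumption)


def ping_safe(ip: str) -> str:
    """Hardened form of the page's scenario: validated input, no shell."""
    result = subprocess.run(
        ping_argv(ip),          # a list, and no shell=True
        capture_output=True,
        text=True,
        timeout=15,
    )
    return result.stdout + result.stderr


def quoted_shell_command(ip: str) -> str:
    """Fallback layer only: if a shell is unavoidable (e.g. a pipeline), quote
    the value so the shell treats it as one literal word. Python's shlex.quote
    plays the role escapeshellarg() plays in PHP. Use this in addition to
    validation, not instead of it.
    """
    return f"ping -c 1 -W 1 {shlex.quote(ip)}"


if __name__ == "__main__":
    for candidate in ("127.0.0.1", "::1", "127.0.0.1; ls -la", "$(id)"):
        try:
            print(candidate, "->", ping_argv(candidate))
        except ValueError as err:
            print(candidate, "->", err)
    # The page's payload, neutralised by quoting: ping gets one bogus hostname.
    print(quoted_shell_command("127.0.0.1; ls -la"))
```

Least privilege is not shown in code because it is an operational control: run the worker that calls ping_safe() as an unprivileged account, so that even a bypass of these checks yields only that account's access rather than the server.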