O/S Command Injection Vulnerabilities: Another attack vector that is part of injection is operating system command injection.
This occurs when a hacker is able to dictate what system level commands (commonly bash in Linux or cmd.exe in Windows) are run on the web server.
In most cases, a hacker will append on a malicious system command to an existing command that is provided by the web application.
For example: if a web application allows the hacker to look up his own IP address or domain name by passing a parameter under his control, he will then append on a command to add another user to the system. If the web application is vulnerable, both commands will successfully execute.
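The lookup example above, written out as an added example (not code from the original text) in Python: the vulnerable pattern concatenates the user-supplied parameter into a shell command string, so an appended `; ...` runs as a second command, while the hardened version validates the parameter against a hostname/IP allowlist pattern and passes it as a single argv element with no shell at all. `echo` stands in for the real lookup tool (nslookup or host) so the demo runs offline; the hostname regex and the metacharacter list are assumptions chosen for this example.

```python
import re
import subprocess

# Constructed assumption: "echo" stands in for nslookup/host so the example runs offline.
LOOKUP_TOOL = "echo"

# Allowlist for what the parameter may look like: dotted labels of letters, digits and
# hyphens (covers both hostnames and IPv4 addresses). Assumption for this example.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Shell metacharacters worth alerting on when they show up in this parameter.
SHELL_METACHARS = (";", "|", "&", "$(", "`", "\n", ">", "<")


def vulnerable_lookup(user_input: str) -> str:
    """The flawed pattern: untrusted input pasted into a shell command string.

    With shell=True the string is handed to /bin/sh, so ';', '|', '&&' etc. in the
    parameter start a second command that runs with the web server's privileges.
    """
    cmd = f"{LOOKUP_TOOL} {user_input}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_valid_hostname(value: str) -> bool:
    """Allowlist check: True only for a plausible hostname or IPv4 address."""
    return bool(HOSTNAME_RE.match(value))


def suspicious_metachars(value: str) -> list:
    """Detection helper: which shell metacharacters appear in the parameter."""
    return [m for m in SHELL_METACHARS if m in value]


def safe_lookup(user_input: str) -> str:
    """Hardened version: validate first, then execute without a shell.

    Two independent layers: the allowlist rejects anything that is not a hostname
    (including a leading '-' that could be read as an option by the tool), and the
    argv list form means no shell ever parses the value, so metacharacters are inert.
    """
    if not is_valid_hostname(user_input):
        raise ValueError("rejected: parameter is not a valid hostname or IP address")
    result = subprocess.run(
        [LOOKUP_TOOL, user_input], shell=False, capture_output=True, text=True
    )
    return result.stdout


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"  # constructed test input
    print("vulnerable ->", repr(vulnerable_lookup(payload)))  # two lines: lookup + INJECTED
    print("flagged    ->", suspicious_metachars(payload))
    try:
        safe_lookup(payload)
    except ValueError as exc:
        print("hardened   ->", exc)
    print("hardened   ->", repr(safe_lookup("example.com")))
```

The allowlist is the primary control; the argv form is defence in depth. Rejecting unexpected characters outright (rather than trying to escape them) also gives you a clean signal to log, since a legitimate hostname lookup never contains `;` or `|`.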
O/S Command Injection for Hackers
Once an operating system command injection vulnerability has been found by a hacker, there are a couple of common commands that are most likely to be executed.
It really boils down to the intention of the hacker, but rest assured that persistent access to the system is the most common attack, such as:
- Add a user
- Add a user to a group (administrators group most likely)
- Delete a user (the existing system administrator or other similar accounts)
Another attack using O/S command injection is to extract as much data from the system as possible, such as user information, sensitive user files, and system configuration.
The other important aspect of this command injection attack to realize is that you execute commands at the specified access level of the web application. So, if the web application is running as root or administrator, your injected commands will run at top level access—a huge bag of win!
However, this is less likely than it used to be. It is much more common to find web applications running at a lower privilege level, such as SYSTEM in Windows, so you should use this attack to download source code and retrieve as many sensitive files off of the web server as possible.
In a Linux environment, you can use the useradd halverto command to add a new user named halverto and then issue the passwd halverto command to set an initial password for this user.
Once you have a user on the web server, you need to find out what groups are available by issuing the getent group command.
Assuming there is an admin group, you can add your halverto user to the group by issuing the usermod -G admin halverto command.
Once you have your account added as an administrator, you can see all other users in the admin group by issuing the getent group admin command.
You can then delete any other accounts you want (pengebretson in this example) by issuing the userdel pengebretson command.
You could issue this series of commands to add a new user, remove all other accounts, and make changes to the root account of the web server.
In a Windows environment, you can issue the net user /add halverto TrojansEH100 command to add a user named halverto with an initial password of TrojansEH100.
You can then add this user to the administrator group by issuing the net localgroup administrators halverto /add command and delete other users (pengebretson again in this example) by issuing the net user pengebretson /delete command.
This handful of commands would put you in full control of the Windows machine.
In instances where you are not running as a top-level administrator (root in Linux or SYSTEM in Windows), you can still issue useful commands such as id to retrieve your privilege level, or cat /etc/passwd to view the passwd file and find out about other users.