OS Command Injection
Finding an OS Command Injection Vulnerability
- Insert a quote character in the web form fields that are likely used to build OS commands (or other invalid characters)
- If the injected character breaks the command, the OS reports an error and the web app typically responds with an error message
- Append a command to the input to see if it is executed
If the server executes code like this:
String filename = request.getParameter("filename");
Process p = Runtime.getRuntime().exec("cat " + filename);
the attacker can inject a command like ; ls -lha or file"; ls -hal to get a list of all files in the current directory. This can be extended to something like "; cat /etc/shadow to get the contents of the shadow file, if the application runs with root privileges.
Countermeasures
- Don't invoke the underlying OS directly; use a library call or I/O redirection instead of spawning a command (e.g. read the file through the language's file API rather than running cat)
- Use strict, allowlist-based input validation
- Run the application with minimal privileges
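The following Java program is an added example, not part of the original page, that puts the vulnerable pattern from the snippet above next to a version applying the first two countermeasures. It assumes Java 11 or later and a hypothetical base directory /var/app/files. Note that the shell metacharacters in the payloads only take effect when the concatenated string is handed to a shell (here /bin/sh -c), which the vulnerable method does explicitly; the hardened method validates the file name against an allowlist and then reads the file through the standard library without spawning any command, and a third method shows how to pass arguments as separate argv elements if an external program is truly unavoidable.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

public class CommandInjectionDemo {

    // Hypothetical directory the application is allowed to serve files from (assumption).
    private static final Path BASE_DIR = Paths.get("/var/app/files");

    // Allowlist: a plain file name, no path separators, no shell metacharacters,
    // and no leading '.' so ".." and hidden files are rejected as well.
    private static final Pattern SAFE_NAME =
            Pattern.compile("^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$");

    /** Vulnerable: untrusted input is pasted into a string that a shell parses. */
    static String readFileVulnerable(String filename) throws IOException, InterruptedException {
        // "sh -c" makes the shell interpret ';', '|', '"' etc. inside the parameter.
        Process p = new ProcessBuilder("/bin/sh", "-c", "cat " + filename).start();
        String out = new String(p.getInputStream().readAllBytes());
        p.waitFor();
        return out;
    }

    /** Hardened: validate against the allowlist, then avoid the OS command entirely. */
    static String readFileSafe(String filename) throws IOException {
        if (!SAFE_NAME.matcher(filename).matches()) {
            throw new IllegalArgumentException("rejected file name: " + filename);
        }
        // Defense in depth: resolve inside BASE_DIR and confirm the path did not escape it.
        Path target = BASE_DIR.resolve(filename).normalize();
        if (!target.startsWith(BASE_DIR)) {
            throw new IllegalArgumentException("path escapes base directory: " + filename);
        }
        // Library call instead of "cat": nothing is ever handed to a shell.
        return Files.readString(target);
    }

    /** If an external program is unavoidable: validated input, argv list, no shell. */
    static Process runWithoutShell(String filename) throws IOException {
        if (!SAFE_NAME.matcher(filename).matches()) {
            throw new IllegalArgumentException("rejected file name: " + filename);
        }
        // "cat" receives the name as one argv element; a ';' would be part of the
        // name passed to cat, not a command separator, because no shell is involved.
        return new ProcessBuilder("cat", "--", filename).start();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one benign name and two malformed ones.
        String[] inputs = { "report.txt", "\"; ls -hal", "../../etc/passwd" };
        for (String in : inputs) {
            try {
                readFileSafe(in);
                System.out.println("accepted: " + in);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            } catch (IOException e) {
                // Passed validation but the file does not exist under BASE_DIR.
                System.out.println("accepted but unreadable: " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running main prints one accepted (or accepted-but-unreadable, if /var/app/files/report.txt does not exist) line for report.txt and a rejected line for each of the two malformed names; the vulnerable method is only there for comparison and is never called with the sample inputs.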