OS Command Injection
Overview
Many web programming languages allow the direct execution of commands on the underlying operating system. OS command injection attacks target this functionality. If an attacker is able to inject input into such commands, they can potentially carry out arbitrary operations on the web server, which is why OS command injection can give an attacker complete control over the server.
What makes a site vulnerable?
Sites are potentially vulnerable to OS command injection when they use user input to construct commands that are executed on the underlying operating system (via a call to the OS, such as PHP's exec()). If the input is not adequately controlled, an attacker may, by manipulating it, alter the structure and therefore the effect of the command: shell metacharacters such as ;, |, && or a newline end the intended command and start a new one chosen by the attacker. As with SQL injection, the attacker may employ techniques such as timing or DNS channels to learn the outcome of commands even when the site does not return their output to the user (blind command injection).
Impact of the attack
By controlling the commands executed on the underlying OS, the attacker also controls their output. This can be used to feed malicious input into the parts of the website that consume that output, giving the attacker significant control over the website. More dangerous still is the attacker's ability to execute commands that act on the web server itself, including reading, modifying and deleting arbitrary files, with whatever privileges the web server process runs under. Such an ability gives the attacker control over the website, any co-hosted websites, and potentially the web server itself.
Preventing the attack
As with most injection attacks, the best strategy for preventing OS command injection is to accept only input that conforms to a strict format known to be handled correctly by the website (an allowlist), and, where the platform allows it, to pass the value to the program as a separate argument rather than building a command line for a shell to parse. Techniques such as filtering out characters commonly associated with command injection may offer some degree of protection, but they should not be relied on: many techniques exist for bypassing naive filtering.
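The following Python script is added here as an illustration of the two preceding points and is not part of the original page. It shows a lookup function that splices a user-supplied hostname into a shell command, a variant that strips semicolons in the belief that this is sufficient, and a hardened variant that applies a strict hostname allowlist and passes the value as a single argument with no shell involved. `echo` stands in for a real lookup tool so the script runs offline, and the injected command creates a marker file in a temporary directory so that success is observable even though nothing is returned to the user, in the spirit of the out-of-band channels mentioned above. The function names, payloads and hostname pattern are constructed for this example.

```python
import os
import re
import subprocess
import tempfile

# Constructed attacker inputs (not from the original page). Each appends a
# command that creates a marker file; {marker} is filled in per run.
PAYLOADS = {
    "semicolon": "example.com; touch {marker}",
    "pipe": "example.com | touch {marker}",
    "and": "example.com && touch {marker}",
    "newline": "example.com\ntouch {marker}",
    "backtick": "example.com `touch {marker}`",
}


def run_shell(cmd: str) -> str:
    """Run a command string through /bin/sh (the dangerous pattern)."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_vulnerable(host: str) -> str:
    # VULNERABLE: user input is concatenated into a command string that a shell
    # parses, so metacharacters in `host` change the command's structure.
    # `echo` stands in for a real tool such as nslookup so this runs offline.
    return run_shell("echo resolving " + host)


def lookup_filtered(host: str) -> str:
    # STILL VULNERABLE: stripping ';' blocks one payload but not '|', '&&',
    # backticks or a newline, which the shell also treats as separators.
    return run_shell("echo resolving " + host.replace(";", ""))


# Allowlist (hypothetical, adapt to what the application really accepts):
# letters, digits, dots and hyphens, no leading hyphen so the value can never
# be mistaken for a command-line option by the called program.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def lookup_safe(host: str) -> str:
    # SAFE: reject anything outside the expected format, then hand the value to
    # the program as one argv element. No shell is involved, so nothing in
    # `host` can be interpreted as command syntax.
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname: %r" % host)
    return subprocess.run(["echo", "resolving", host],
                          capture_output=True, text=True).stdout


def injected(lookup, template: str) -> bool:
    """True if calling `lookup` on the payload ran the attacker's `touch`."""
    with tempfile.TemporaryDirectory() as d:
        marker = os.path.join(d, "marker")
        try:
            lookup(template.format(marker=marker))
        except ValueError:
            pass  # rejected by the allowlist before any command ran
        return os.path.exists(marker)


def rejects(host: str) -> bool:
    """True if lookup_safe refuses the input outright."""
    try:
        lookup_safe(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, template in PAYLOADS.items():
        print("%-9s vulnerable=%s filtered=%s safe=%s" % (
            name,
            injected(lookup_vulnerable, template),
            injected(lookup_filtered, template),
            injected(lookup_safe, template)))
    print(lookup_safe("example.com"), end="")
```

Run on a system with /bin/sh, every payload succeeds against lookup_vulnerable, the semicolon filter stops only the semicolon payload, and lookup_safe rejects all five before any command runs while still handling a legitimate hostname. The allowlist also rejects values beginning with a hyphen, which closes the related problem of a hostname being parsed as an option by the invoked tool.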