OS Command Injection


OS Command Injection/Command Injection
    1. OS command injection occurs when an application takes OS commands from users and does not sanitize them properly before executing them.
    2. Through this flaw, attackers can run various commands and access important files.
    3. Any application with functionality that runs OS commands can be vulnerable to OS command injection.
    4. Typical scenario as per bWAPP:
      1. A functionality where we can perform a DNS lookup on any URL/IP.
      2. Now we can add command injection payloads.
      3. Use of the commix tool to automate command injection:
        1. Open a Burp proxy.
        2. Intercept the request where the command injection is.
        3. Save the request to a file as .txt.
          1. Right click >> save as a file >> .txt
        4. Go to the commix tool.
          1. ./commix.py -r << path of the saved request and file name >> -p target --all
          2. The tool enumerates the system and, at the end, asks whether to open a commix shell.
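
The DNS lookup scenario above, as an added example that is not bWAPP's code or part of the original notes: the vulnerable string-concatenation pattern beside a hardened form that allowlists the target and runs the lookup without a shell. The function names and the use of nslookup as the backend are assumptions made for illustration.

```python
import ipaddress
import re
import subprocess

# Added illustration; function names and the nslookup backend are assumptions.
# Allowlist: only characters that can appear in a hostname or IP literal.
_ALLOWED = re.compile(r"[A-Za-z0-9.:-]{1,253}")
# One DNS label: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def vulnerable_command(target: str) -> str:
    """Vulnerable pattern: user input concatenated into a shell command string.
    Returned here only for inspection; it is never executed."""
    return "nslookup " + target


def is_valid_target(target: str) -> bool:
    """Accept only an IP literal or a syntactically valid hostname."""
    if not _ALLOWED.fullmatch(target):
        return False  # rejects spaces, ;, |, &, $, %, backticks, newlines
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    host = target[:-1] if target.endswith(".") else target
    return all(_LABEL.fullmatch(label) for label in host.split("."))


def build_lookup_argv(target: str) -> list[str]:
    """Hardened pattern: validated input passed as a single argv element."""
    if not is_valid_target(target):
        raise ValueError(f"rejected lookup target: {target!r}")
    return ["nslookup", target]


def dns_lookup(target: str) -> str:
    """Run the lookup without a shell, so metacharacters are never interpreted."""
    result = subprocess.run(build_lookup_argv(target), capture_output=True,
                            text=True, timeout=5, check=False)
    return result.stdout


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate targets, two tampered ones.
    for sample in ["example.com", "192.0.2.10", "example.com; echo injected", "-debug"]:
        print(f"{sample!r:32} accepted={is_valid_target(sample)}")
```

The leading-hyphen check matters even without a shell, because a value such as `-debug` would otherwise be read by the lookup program as an option rather than a hostname.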
