4 OS command injection

In this section, we’ll explain what OS command injection is, describe how vulnerabilities can be detected and exploited, spell out some useful commands and techniques for different operating systems, and summarize how to prevent OS command injection.

I. What is OS command injection?

  1. OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically to fully compromise the application and all its data.
  2. Very often, an attacker can leverage an OS command injection vulnerability to compromise other parts of the hosting infrastructure, exploiting trust relationships to pivot the attack to other systems within the organization.

II. Executing arbitrary commands

  1. Consider a shopping application that lets the user view whether an item is in stock in a particular store. This information is accessed via a URL like:
     https://insecure-website.com/stockStatus?productID=381&storeID=29

  2. To provide the stock information, the application must query various legacy systems. For historical reasons, the functionality is implemented by calling out to a shell command with the product and store IDs as arguments:
     stockreport.pl 381 29

  3. This command outputs the stock status for the specified item, which is returned to the user.

  4. Since the application implements no defenses against OS command injection, an attacker can submit the following input to execute an arbitrary command:
     & echo aiwefwlguh &

  5. If this input is submitted in the productID parameter, then the command executed by the application is:
     stockreport.pl & echo aiwefwlguh & 29

  6. The echo command simply causes the supplied string to be echoed in the output, and is a useful way to test for some types of OS command injection. The & character is a shell command separator, so what gets executed is actually three separate commands, one after another. As a result, the output returned to the user is:
     Error - productID was not provided
     aiwefwlguh
     29: command not found

  7. The three lines of output demonstrate that:

  • The original stockreport.pl command was executed without its expected arguments, and so returned an error message.
  • The injected echo command was executed, and the supplied string was echoed in the output.
  • The original argument 29 was executed as a command, which caused an error.

Placing the additional command separator & after the injected command is generally useful because it separates the injected command from whatever follows the injection point. This reduces the likelihood that what follows will prevent the injected command from executing.
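The following is an added example, not code from the original page or from PortSwigger: it reproduces the vulnerable string-building pattern described above (returning the composed string rather than executing it, so the effect of the & separator can be inspected), and beside it a hardened version that allow-lists numeric IDs and passes them as separate argv entries with no shell. The stockreport.pl program, the ID format and the input values are assumptions for illustration.

```python
import re
import subprocess
from typing import List

# Assumption: product and store IDs are short decimal numbers, so an allow-list
# regex is the simplest correct validation. Anything else is rejected outright.
ID_PATTERN = re.compile(r"[0-9]{1,10}")


def build_command_unsafe(product_id: str, store_id: str) -> str:
    """Vulnerable pattern: user input concatenated straight into a shell string.
    Returned, not executed, so the composed command can be examined."""
    return f"stockreport.pl {product_id} {store_id}"


def split_on_separator(command: str) -> List[str]:
    """Mimic what the shell does with '&': one string becomes several commands."""
    return [part.strip() for part in command.split("&") if part.strip()]


def is_valid_id(value: str) -> bool:
    """Allow-list check: only digits, bounded length. No metacharacters can pass."""
    return ID_PATTERN.fullmatch(value) is not None


def build_argv(product_id: str, store_id: str) -> List[str]:
    """Hardened: validated values placed in separate argv entries, never via a shell.
    Raises ValueError on anything that is not a plain numeric ID."""
    for value in (product_id, store_id):
        if not is_valid_id(value):
            raise ValueError(f"rejected ID: {value!r}")
    return ["stockreport.pl", product_id, store_id]


def run_stock_report(product_id: str, store_id: str) -> subprocess.CompletedProcess:
    # shell=False (the default): argv entries are passed to the program directly,
    # so '&', '|' and ';' would be ordinary characters even if validation were bypassed.
    return subprocess.run(build_argv(product_id, store_id),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed input mirroring the example in the text.
    injected = "& echo aiwefwlguh &"
    print(split_on_separator(build_command_unsafe(injected, "29")))  # three commands
    print(is_valid_id(injected), is_valid_id("381"))                 # False True
```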

Lab: OS command injection, simple case

This lab contains an OS command injection vulnerability in the product stock checker.

The application executes a shell command containing user-supplied product and store IDs, and returns the raw output from the command in its response.

To solve the lab, execute the whoami command to determine the name of the current user.

  1. Use Burp Suite to intercept and modify a request that checks the stock level.
  2. Modify the storeID parameter, giving it the value 1|whoami.
  3. Observe that the response contains the name of the current user.
