Tricking applications into running unintended commands on the server they are hosted on
What It Is: Like finding a backdoor into the server's control room.
How It Happens: Usually when an application takes input from the user (such as form data, URL parameters, or HTTP headers) and uses it unsafely within a system command.
Attack Scenarios:
- Direct Execution: The attacker's input is included directly in a command that the system executes. For example, manipulating a form input that is passed to a system ping command so that it includes additional malicious commands.
- Blind Injection: More stealthy, where the attacker doesn't see the output of the executed command directly but can infer its success through side effects or timing.
Defense Strategies:
- Avoidance: The best defense is not to call OS commands directly with user-supplied input. Use application-level APIs that perform the required functionality without involving system commands.
- Sanitization: If direct OS command usage is unavoidable, rigorously validate and sanitize all user inputs. Whitelisting acceptable values can be more effective than trying to blacklist dangerous characters.
- Escaping: For edge cases where command usage is unavoidable and inputs cannot be strictly validated, ensure inputs are correctly escaped to prevent them being interpreted as commands.
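The three defenses above side by side, as an added example that is not part of the original notes: a ping wrapper built the flawed way (user input concatenated into a shell string), the allowlist-plus-argv version (no shell parses the input at all), and the escaping fallback for the case where a shell string cannot be avoided. The hostname pattern, the function names and the sample inputs are assumptions made for this example.

```python
import ipaddress
import re
import shlex
import subprocess

# Assumed allowlist for a DNS hostname: letters, digits and hyphens in each
# label, labels joined by dots, no label starting or ending with a hyphen.
# Nothing the shell treats as syntax (; | & $ ` ( ) space) can pass.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_allowed_target(value: str) -> bool:
    """Allowlist check: accept only an IPv4/IPv6 literal or a plain hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(value) is not None


def vulnerable_ping_command(user_input: str) -> str:
    """The flawed pattern (Direct Execution from the notes): the raw input is
    glued into a string that will be handed to a shell, so shell metacharacters
    in the input turn one ping into several commands."""
    return "ping -c 1 " + user_input


def safe_ping_argv(user_input: str) -> list[str]:
    """Sanitization + avoidance of the shell: validate against the allowlist,
    then pass the value as its own argv element. No shell ever sees it."""
    if not is_allowed_target(user_input):
        raise ValueError(f"rejected ping target: {user_input!r}")
    return ["ping", "-c", "1", user_input]


def escaped_ping_shell_string(user_input: str) -> str:
    """Escaping fallback: when a shell string is unavoidable, shlex.quote()
    wraps the value so the shell treats it as one literal word. Weaker than
    the argv form, so validate first when you can."""
    return "ping -c 1 " + shlex.quote(user_input)


def run_ping(user_input: str, timeout: float = 5.0) -> int:
    """Execute the validated command without a shell; returns ping's exit code."""
    completed = subprocess.run(
        safe_ping_argv(user_input),  # a list, so shell=False is the default
        capture_output=True,
        timeout=timeout,
    )
    return completed.returncode


if __name__ == "__main__":
    # Constructed inputs: one legitimate target and one carrying shell syntax.
    for sample in ("192.0.2.10", "127.0.0.1; echo injected"):
        print("input:           ", repr(sample))
        print("  shell string:  ", repr(vulnerable_ping_command(sample)))
        print("  escaped string:", repr(escaped_ping_shell_string(sample)))
        try:
            print("  argv form:     ", safe_ping_argv(sample))
        except ValueError as err:
            print("  argv form:     ", err)
```

The point to take from the two string forms: in the vulnerable one the semicolon ends the ping command and starts a second one, while in the escaped one the whole input becomes a single quoted argument to ping, which then fails to resolve it. The argv form never reaches that stage because the allowlist rejects the input outright.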
Recon by using whoami, uname -a, ipconfig /all or ifconfig.
For blind injection, use ping with a controlled domain to observe DNS requests, or time the response delay.