Contributors

Robert Auger
Ryan Barnett
Yuval Ben-Itzhak
Erik Caso
Cesar Currudo
Sacha Faust
JD Glaser
Jeremiah Grossman
Sverre H. Huseby
Amit Klein
Mitja Kolsek
Aaron C. Newman
Steve Orrin
Bill Pennington
Ray Pompon
Mike Shema
Ory Segal
Caleb Sima



OS Commanding
OS Commanding is an attack technique used to exploit web sites by executing Operating System commands through manipulation of application input.

When a web application does not properly sanitize user-supplied input before using it within application code, it may be possible to trick the application into executing Operating System commands. The executed commands will run with the same permissions of the component that executed the command (e.g. Database server, Web application server, Web server, etc.).


Example
Perl allows piping data from a process into an open statement, by appending a '|' (Pipe) character onto the end of a filename.

Pipe character example:

# Execute "/bin/ls" and pipe the output to the open statement
open(FILE, "/bin/ls|");

Web applications often include parameters that specify a file that is displayed or used as a template. If the web application does not properly sanitize the input provided by a user, an attacker may change the parameter value to include a shell command followed by the pipe symbol (shown above).

If the original URL of the web application is:
http://example/cgi-bin/showInfo.pl?name=John&template=tmp1.txt

By changing the template parameter value, an attacker can trick the web application into executing the command /bin/ls:

http://example/cgi-bin/showInfo.pl?name=John&template=/bin/ls|

Most scripting languages enable programmers to execute Operating System commands at run-time by using various exec functions. If the web application allows user-supplied input to be used inside such a function call without being sanitized first, it may be possible for an attacker to run Operating System commands remotely. For example, here is part of a PHP script which presents the contents of a system directory (on Unix systems):

// Execute a shell command
exec("ls -la $dir", $lines, $rc);

By appending a semicolon (;) followed by an Operating System command, it is possible to force the web application into executing the second command:

http://example/directory.php?dir=%3Bcat%20/etc/passwd

The result will retrieve the contents of the /etc/passwd file.
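As an added illustration (not part of the original WASC text), here is the PHP directory listing rewritten in Python with the two mitigations a practitioner would apply: an allowlist on the parameter and execution without a shell. The function names and the sample directory are assumptions made for this example.

```python
import os
import re
import subprocess
import tempfile
from typing import Dict, List

# Allowlist for a user-supplied file or directory name: letters, digits,
# dot, underscore and hyphen only. Shell metacharacters (; | & $ ` ( ) < >),
# whitespace, slashes and NUL never match, so neither "/bin/ls|" nor
# ";cat /etc/passwd" from the text gets through.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

def is_safe_param(value: str) -> bool:
    """True only for a plain file name with no path or shell syntax."""
    return bool(SAFE_NAME.match(value)) and value not in (".", "..")

def list_directory(dir_param: str, base: str) -> List[str]:
    """Hardened replacement for exec("ls -la $dir"): validate first, then
    run the program with an argv list so no shell ever parses the input."""
    if not is_safe_param(dir_param):
        raise ValueError("rejected parameter: %r" % dir_param)
    target = os.path.join(base, dir_param)  # confined under the base directory
    # No shell=True: the kernel executes ls directly and the parameter is a
    # single literal argument, so ';' or '|' could only ever be part of a
    # file name, never a command separator.
    proc = subprocess.run(["ls", "-la", target],
                          capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()

def demo() -> Dict[str, object]:
    """Constructed check: a legitimate value lists a directory, while the
    two payloads from the text (plus a traversal attempt) are rejected."""
    rejected: List[str] = []
    with tempfile.TemporaryDirectory() as base:
        os.mkdir(os.path.join(base, "public"))
        listed = list_directory("public", base)
        for payload in (";cat /etc/passwd", "/bin/ls|", "../../etc/passwd"):
            try:
                list_directory(payload, base)
            except ValueError:
                rejected.append(payload)
    return {"listed": listed, "rejected": rejected}

if __name__ == "__main__":
    print(demo())
```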


References

"Perl CGI Problems", by RFP, Phrack Magazine, Issue 55
http://www.wiretrip.net/rfp/txt/phrack55.txt
(See "That pesky pipe" section)

"Marcus Xenakis directory.php Shell Command Execution Vulnerability"
http://www.securityfocus.com/bid/4278

"NCSA Secure Programming Guidelines"
http://archive.ncsa.uiuc.edu/General/Grid/ACES/security/programming/#cgi

© Copyright 2005, Web Application Security Consortium. All rights reserved.