handbook/tools/3.Web-Hacking/4.Injection/OS-Commands/Notes/1.What-is-Os-Command-Injection.md at 8c056cb3457e46049264dddda6d09ab63e9543c3 - x/handbook - Coding everything, everywhere, anytime.

x/handbook

Anton Nesterov af9011411c

vault backup: 2024-08-31 01:07:21

2024-08-31 01:07:22 +02:00

649 B

Raw Blame History

Overview

!

Allows an attacker to execute commands on the web server
Used to compromise other parts of the hosting infrastructure via pivoting

Example Exploit:

Website that allows users to view whether and item is in stock: https://insecure-website.com/stockStatus?productID=381&storeID=29
- Application calls out a shell command with product & store IDs as arguments
```
stockreport.pl
381 29
```
Submit the following in the "productID" parameter

stockreport.pl & echo
aiwefwlguh & 29

Useful Commands: !