Below is an example of simple OS command injection. OS command injection is a vulnerability where we can inject an operating system command into the URL or code of a web page and have it execute on the server. This is a critical flaw and can be used to run commands on the web server's underlying OS to retrieve information or even gain access.

In this example we are using a simple PHP web page on a Linux host running Nginx. The PHP file is called command.php.

Below is the web page PHP code:

<?php
echo '<b>Command Injection Test:</b> ';
print_r('<br /><br />');
print_r('Syntax: /command.php?cmd=[command]');
print_r('<br /><br />');
print_r('Example: www.example.com/command.php?cmd=cat /etc/passwd');
print_r('<br /><br />');
print_r($_GET);
print_r('<br />');
print_r('<br />');
print_r('<u>Result:</u>');
print_r('<br />');
print_r('<br />');
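// Intentionally vulnerable: the cmd query parameter is passed unmodified to the shell.
// The isset() check only avoids an error on the first page load, before any input.
if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
}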

The important line here is system($_GET['cmd']); as this is the line that will send the input to the command interpreter of the Linux webserver.

Below is the command.php page when it first comes up before any input:

In the next example, we will input the Linux command cat /etc/passwd, which will display the passwd file from the Linux webserver to the console.

Note: The ? character denotes a URL query string, providing a list of key=value pairs to a web page. The ? character introduces the list of arguments, and the & separates each key/value pair if the web page accepts more than one argument. The cmd portion is the variable/key and cat /etc/passwd is the value submitted.

Below is another example with the command uname -a, which displays the kernel version of the operating system.
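
For contrast with the system($_GET['cmd']); line above, here is a hardened variant, added as an example and not part of the original page. It assumes the page only needs a fixed set of diagnostics; the action parameter name and the allowlist entries are hypothetical.

```php
<?php
// Hardened counterpart to command.php (added example, not the original code).
// Assumption: a small, fixed set of diagnostics is all the page needs.

// Allowlist: the request only selects a key. The argument vectors are fixed
// server-side, so no request data ever becomes part of a command.
const ALLOWED_ACTIONS = [
    'kernel' => ['uname', '-a'],
    'uptime' => ['uptime'],
];

/**
 * Run an allowlisted action and return its output.
 * Returns null when the action is not on the list or the process fails.
 */
function run_action(string $action): ?string
{
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        return null;
    }
    $pipes = [];
    // The array form of proc_open (PHP >= 7.4) executes the program directly,
    // without a shell, so metacharacters such as ; | & have no meaning.
    $proc = proc_open(
        ALLOWED_ACTIONS[$action],
        [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']],
        $pipes
    );
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out === false ? null : $out;
}

// Reject non-string input such as ?action[]=x before it reaches run_action().
$raw = $_GET['action'] ?? '';
$result = is_string($raw) ? run_action($raw) : null;

if ($result === null) {
    http_response_code(400);
    echo 'Unknown action';
} else {
    // Encode the output so command results cannot inject markup into the page.
    echo '<pre>' . htmlspecialchars($result, ENT_QUOTES, 'UTF-8') . '</pre>';
}
```

A request for command.php?action=kernel returns the uname -a output, while any value not in the list, including one carrying shell syntax, gets a 400 response and nothing is executed.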