OS Command Injection - [PortSwigger]

Marmeus

Introduction

This post is a compilation of every Apprentice and Practitioner lab on the OS command injection topic from PortSwigger Academy.

OS command injection, simple case [Apprentice]

When checking the stock of a product, if you provide a ; instead of a number, you will get the following response.

After the ;, if you try to add whoami, you will get the following result.

Now that we know that the second parameter is also appended to the command, we can add a comment character so the shell ignores whatever follows our input.
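The root cause in this lab is user input being concatenated into a shell command line. The following is an added example (not code from the original post or from PortSwigger's lab) that places the vulnerable pattern next to a hardened version: the stock-report script name, its arguments and the use of echo as a stand-in binary are assumptions so that it runs anywhere.

```python
import re
import subprocess

# Strict allowlist: product and store IDs for the stock checker are short
# decimal integers, nothing else (assumption about the application's data).
ID_PATTERN = re.compile(r"^[0-9]{1,6}$")

# Stand-in for the application's stock-report program (assumption). "echo"
# just prints its arguments, so the hardened path can be executed safely here.
STOCK_BINARY = "echo"


def build_vulnerable_command(product_id: str, store_id: str) -> str:
    """Vulnerable pattern: raw input concatenated into a shell string.

    The string is returned rather than executed so the reader can see exactly
    what the shell would receive. With product_id = "1; whoami #" the text
    after ';' becomes a second command and '#' comments out the trailing
    store_id, which is the behaviour observed in the lab.
    """
    return f"{STOCK_BINARY} stockreport {product_id} {store_id}"


def is_valid_id(value: str) -> bool:
    """True only for a short decimal integer; rejects ';', '#', spaces, etc."""
    return ID_PATTERN.fullmatch(value) is not None


def check_stock_safe(product_id: str, store_id: str) -> str:
    """Hardened version: validate against an allowlist, then pass an argv
    list with no shell. Returns the program's stdout, stripped.

    shell=False (the default) means ';', '#', '|' and similar characters are
    never interpreted; each list element reaches the program as one literal
    argument.
    """
    for name, value in (("productId", product_id), ("storeId", store_id)):
        if not is_valid_id(value):
            raise ValueError(f"invalid {name}: {value!r}")
    argv = [STOCK_BINARY, "stockreport", product_id, store_id]
    result = subprocess.run(argv, check=True, capture_output=True, text=True)
    return result.stdout.strip()


if __name__ == "__main__":
    print("shell would receive:", build_vulnerable_command("1; whoami #", "2"))
    print("hardened call ran:", check_stock_safe("1", "2"))
    try:
        check_stock_safe("1; whoami #", "2")
    except ValueError as exc:
        print("hardened call rejected input:", exc)
```

Input validation and avoiding the shell are complementary: the allowlist stops malformed values before any process is spawned, and the argv form removes the shell's metacharacter parsing altogether, so even a value that slipped past validation could not add a second command.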

Blind OS command injection with time delays [Practitioner]

As stated in the exercise description, we need to use time delays on the form that contains the email field. Trying the payload ;+sleep+10+# on every field, we find that the email parameter is vulnerable to OS command injection.
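Because the blind variant returns no output, the defender's signal is the request itself: parameter values carrying shell metacharacters, delay commands such as sleep, and responses that take as long as the requested delay. The following is an added example (not from the original post) that scans constructed access log lines for those three indicators; the log format and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs

# Characters and sequences that let input break out of a shell-built command.
SHELL_METACHARS = re.compile(r"[;&|`]|\$\(|\n")
# Commands commonly used as delay primitives in blind probes (heuristic).
TIMING_PRIMITIVE = re.compile(r"\b(sleep|ping|timeout)\b", re.IGNORECASE)
# Responses at or above this latency, combined with a suspicious value,
# suggest the injected delay actually ran.
SLOW_MS = 5000

# Assumed log format: timestamp ip method path status <duration>ms <query>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<ms>\d+)ms(?: (?P<query>.*))?$"
)

# Constructed sample log; the second line is an ordinary submission.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z 198.51.100.7 POST /feedback/submit 200 10210ms "
    "email=test%40example.com%3B+sleep+10+%23&name=bob",
    "2024-03-01T10:00:02Z 198.51.100.8 POST /feedback/submit 200 120ms "
    "email=alice%40example.com&name=alice",
    "2024-03-01T10:00:03Z 203.0.113.9 GET /product/stock 200 95ms "
    "productId=1%3B+whoami+%23&storeId=1",
]


def parse_line(line: str):
    """Split one log line into fields; parameter values are URL-decoded."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ms"] = int(rec["ms"])
    query = rec["query"] or ""
    rec["params"] = {
        k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()
    }
    return rec


def analyse(rec) -> list:
    """Return human-readable reasons this request looks like an injection probe."""
    reasons = []
    for name, value in rec["params"].items():
        if SHELL_METACHARS.search(value):
            reasons.append(f"{name}: shell metacharacter")
        if TIMING_PRIMITIVE.search(value):
            reasons.append(f"{name}: timing primitive")
    # Latency alone is noisy; only count it when a value was already suspect.
    if reasons and rec["ms"] >= SLOW_MS:
        reasons.append(f"slow response ({rec['ms']} ms)")
    return reasons


def scan(lines) -> list:
    """Return (ip, path, reasons) for every line that raised at least one reason."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = analyse(rec)
        if reasons:
            findings.append((rec["ip"], rec["path"], reasons))
    return findings


if __name__ == "__main__":
    for ip, path, reasons in scan(SAMPLE_LOG):
        print(ip, path, "->", "; ".join(reasons))
```

The same scan serves the out-of-band labs if it is fed DNS or egress logs instead: there the indicator is a lookup for a subdomain the application has no business resolving, and the metacharacter check on the originating request ties the two together.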

Blind OS command injection with output redirection [Practitioner]

The email field, as in the previous exercise, is vulnerable to command injection.

After redirecting the output to a file, we can use the image-loading function to retrieve that file's content.

Blind OS command injection with out-of-band interaction [Practitioner]

The vulnerability is the same as before; we only need to change the command.

Blind OS command injection with out-of-band data exfiltration [Practitioner]

Same as before, but executing the whoami command so that its output is concatenated as a subdomain of the Collaborator domain.