OS Command Injection PortSwigger: Lab 3
In a previous blog post, I showcased a case of OS command injection from PortSwigger, specifically Blind OS command injection with time delays. You can find the blog post here: https://medium.com/@mohammedtiba0/os-command-injection-portswigger-lab-1-752d603d2c88.
In this blog post, we will delve into the second lab from PortSwigger on OS command injection, specifically Blind OS command injection with output redirection. Follow along as we explore this topic further.

Blind OS command injection is similar to OS command injection, except that instead of receiving the command's output back in the web application's response, in a blind OS command injection we do not receive any output. Thus, it can be challenging to determine whether a blind OS command injection exists. However, one technique to identify this vulnerability is output redirection: if the injected command's output can be written to a file in a location the application serves, retrieving that file confirms both that the command ran and what it printed, even though the original response shows nothing.

Let’s access the web application and take a closer look at its functionality. Upon visiting, we can observe that there is a feedback form submission option for users. In order to understand how this feedback form works, I submitted a random value in the provided form and captured the request in Burp Suite for further analysis.

After capturing the feedback form request in Burp Suite, we can see that several parameters are being passed with user input. In order to test for command injection, we need to analyze each parameter individually.

The task at hand is to write a file named “whoami”, and to do so, the command “whoami > /var/www/images/whoami” must be executed. The plan is to attempt injecting this command directly into the email parameter. Similar to the previous lab, commenting out the remainder of the command leads to a 200 OK response.
The file “whoami” has been successfully written to “/var/www/images”. However, the path of the file within the application is not certain and may not be directly accessible. Nonetheless, there is a way to use the application’s image inclusion feature by sending a GET request to “/image?filename=whoami” to access the file.
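To make the root cause concrete from the defender's side, the following is an added example (not code from the lab or from PortSwigger) that models a feedback handler which passes the email field to a shell, beside a hardened version that validates the field and never invokes a shell. The `mail -s 'Feedback' <email>` template is a hypothetical stand-in for whatever the lab's backend actually runs; the injected sample value mirrors the payload described above and is constructed for the example.

```python
import re
import shlex
import subprocess
from typing import Optional, Tuple

# Constructed sample inputs: a normal address and the lab-style injected value.
NORMAL_EMAIL = "user@example.com"
INJECTED_EMAIL = "user@example.com && whoami > /var/www/images/whoami #"

# Hypothetical command template (assumption, not the lab's real backend):
# the handler hands the whole string to /bin/sh.
MAIL_TEMPLATE = "mail -s 'Feedback' {email}"


def build_mail_command_unsafe(email: str) -> str:
    """Vulnerable pattern: user input interpolated into a shell command string.
    Whatever shell metacharacters the email contains are parsed by /bin/sh."""
    return MAIL_TEMPLATE.format(email=email)


def shell_tokens(command: str) -> list:
    """Show how a POSIX shell would split the unsafe string into words.
    comments=True drops everything after '#', exactly as the shell does,
    which is why the trailing '#' in the payload hides the rest of the line."""
    return shlex.split(command, comments=True)


# Strict allow-list for the email field: no whitespace, '&', '>', '|', ';', '#'.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_valid_email(email: str) -> bool:
    """Allow-list validation: anything outside the email grammar is rejected."""
    return EMAIL_RE.fullmatch(email) is not None


def submit_feedback_safe(email: str) -> Tuple[bool, Optional[list]]:
    """Hardened handler: validate first, then build an argv list.
    Returns (accepted, argv). With an argv list and shell=False, the email is a
    single argument to `mail`; no shell parses '&&', '>' or '#' in it."""
    if not is_valid_email(email):
        return False, None
    argv = ["mail", "-s", "Feedback", email]
    return True, argv


def run_feedback(email: str) -> bool:
    """Runs the hardened path for real; only call where `mail` exists."""
    accepted, argv = submit_feedback_safe(email)
    if not accepted:
        return False
    subprocess.run(argv, shell=False, check=True)  # no shell involved
    return True


if __name__ == "__main__":
    unsafe = build_mail_command_unsafe(INJECTED_EMAIL)
    print("unsafe string :", unsafe)
    print("shell sees    :", shell_tokens(unsafe))
    print("safe, normal  :", submit_feedback_safe(NORMAL_EMAIL))
    print("safe, injected:", submit_feedback_safe(INJECTED_EMAIL))
```

Running the script shows the shell splitting the unsafe string into `mail`, `-s`, `Feedback`, the address, then `&&`, `whoami`, `>` and the output path, with the trailing `#` swallowing whatever the template appended after the email. The hardened path rejects the same value before any process is spawned, and even a value that slipped past validation would reach `mail` as one literal argument rather than as shell syntax.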

We have successfully tested for the blind OS command injection vulnerability using output redirection and confirmed its presence in the “email” parameter. I hope you found this demonstration useful and informative. If you have any questions or doubts, please feel free to leave a comment. Thank you for taking the time to read this post!