Blind OS command injection with output redirection

Last updated 5 months ago

Lab Description

Walkthrough

Step 1: Understanding the Feedback Functionality

Navigating to the Submit Feedback page, you will notice four input fields:

  1. Name

  2. Email

  3. Subject

  4. Message

The goal is to determine whether one of these fields is vulnerable to command injection and, since the injection is blind (no command output appears in the response), whether that output can be redirected into the writable, web-served directory /var/www/images/.

Step 2: Intercepting the Feedback Request

Using Burp Suite, intercept the feedback submission request. Below is an example of a normal intercepted request:

The request contains the user input as parameters, making it a good candidate for injection.

Step 3: Crafting the Payload

Modify the Email parameter to include the following payload:

||whoami>/var/www/images/whoami.txt||

This payload runs the command whoami and saves it

Payload Breakdown:

  • || is a shell operator that runs the following command when the preceding one fails; wrapping the injected command in || on both sides lets it execute regardless of the command the application builds around the input.

  • whoami retrieves the current user running the application.

  • >/var/www/images/whoami.txt redirects the output of the command to a file in the writable directory.

Submit the request with the modified payload.

Step 4: Accessing the Output

To retrieve the saved command output:

  1. Note that the application serves images from /var/www/images/ via a filename= parameter in the URL.

  2. Navigate to any image URL in your browser.

  3. Modify the parameter to filename=whoami.txt.

Visiting the URL, the browser displays the output of the whoami command, confirming that the injection was successful. For example:
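The pattern this lab exercises, shown as an added example that is not the lab's or the writeup's own code: a feedback handler that splices the Email field into a shell command line, the hardened version beside it, and a check a defender could run over request parameters. The function names, the mail command and the sample address are assumptions for illustration.

```python
import re
import subprocess

# Constructed sample input: the lab payload placed in the Email field.
INJECTED_EMAIL = "||whoami>/var/www/images/whoami.txt||"

# Shell operators that turn "data" into additional commands or redirections.
SHELL_META = re.compile(r"(\|\||&&|[;|&`$<>\n])")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def vulnerable_command(email: str, subject: str) -> str:
    """Vulnerable (hypothetical) handler: the command string is handed to a shell.

    With INJECTED_EMAIL the shell sees three commands separated by '||', so
    'whoami>/var/www/images/whoami.txt' runs and writes into the web root even
    though nothing from it appears in the HTTP response (a blind injection)."""
    return f"mail -s {subject} {email} < /tmp/feedback.txt"


def hardened_argv(email: str, subject: str) -> list[str]:
    """Hardened: allow-list the address, then build an argv list that is run
    without a shell, so '||', '>' and friends are ordinary characters."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("invalid email address")
    return ["mail", "-s", subject, email]


def send_feedback(argv: list[str], body: str) -> None:
    # shell=False: no shell ever parses user-controlled text.
    subprocess.run(argv, shell=False, input=body.encode(), check=True)


def flag_parameter(name: str, value: str):
    """Detection: report a request parameter carrying shell operators, and
    whether it also redirects output under the web root as this lab does.
    Returns None for benign values, so it can run over access-log fields."""
    ops = sorted(set(SHELL_META.findall(value)))
    if not ops:
        return None
    return {
        "param": name,
        "operators": ops,
        "redirect_to_webroot": ">" in value and "/var/www/" in value,
    }
```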