Blind OS command injection with output redirection

Lab Description

Walkthrough

Step 1: Understanding the Feedback Functionality

Navigating to the Submit Feedback page, you will notice four input fields:

Name
Email
Subject
Message

The goal is to determine if one of these fields is vulnerable to command injection and whether the output can be redirected to the writable directory /var/www/images/.

Step 2: Intercepting the Feedback Request

Using Burp Suite, intercept the feedback submission request. Below is an example of a normal intercepted request:

The request contains the user input as parameters, making it a good candidate for injection.

Step 3: Crafting the Payload

Modify the Email parameter to include the following payload:

||whoami>/var/www/images/whoami.txt||

This payload runs the command whoami and saves it

Payload Breakdown:

|| is used to append and execute additional commands.
whoami retrieves the current user running the application.
>/var/www/images/whoami.txt redirects the output of the command to a file in the writable directory.

Submit the request with the modified payload.

Step 4: Accessing the Output

To retrieve the saved command output:

Note that the application serves images from /var/www/images/ via a parameter filename= in the URL.
Navigate to any image URL in your browser
modify the parameter to filename=whoami.txt

Visiting the URL, the browser displays the output of the whoami command, confirming that the injection was successful. For example:

PreviousBlind OS command injection with time delays NextBlind OS command injection with out-of-band interaction

Last updated 1 year ago

hashtagLab Description

hashtagWalkthrough

hashtagStep 1: Understanding the Feedback Functionality

hashtagStep 2: Intercepting the Feedback Request

hashtagStep 3: Crafting the Payload

hashtagPayload Breakdown:

hashtagStep 4: Accessing the Output