Blind OS command injection with time delays

Lab Description

Walkthrough

Step 1: Understanding the Feedback Functionality

Navigating to the Submit Feedback page, you will notice four input fields:

Name
Email
Subject
Message

The goal is to identify if one of these fields is vulnerable to command injection.

Step 2: Intercepting the Feedback Request

Using Burp Suite, intercept the feedback submission request. Below is an example of a normal intercepted request:

Each input parameter is passed to the server. The goal is to inject a payload into one of these fields to trigger a delay.

Step 3: Testing for Command Injection

Blind command injection exploits do not show any immediate response in the output. To verify injection, introduce a time delay command. For example:

||ping -c 10 127.0.0.1||

Code Breakdown

Payload: ||ping -c 10 127.0.0.1||

|| - Appends an additional command to the existing shell command executed by the server.
ping -c 10 - Sends 10 ICMP packets to the local server (127.0.0.1), introducing a delay.
127.0.0.1 - Localhost, ensuring the command executes without external dependencies.

Step 4: Sending the Payload

After injecting the payload, forward the request and observe the response time in Burp Suite.

Step 5: Verifying the Delay

The response time should increase significantly, indicating that the server executed the ping command. In this lab, the response took approximately 9.4 seconds, confirming the vulnerability.

PreviousOS command injection, simple case NextBlind OS command injection with output redirection

Last updated 1 year ago

hashtagWalkthrough

hashtagStep 1: Understanding the Feedback Functionality

hashtagStep 2: Intercepting the Feedback Request

hashtagStep 3: Testing for Command Injection

hashtagCode Breakdown

hashtagStep 4: Sending the Payload

hashtagStep 5: Verifying the Delay