Daemon Of Hacking
OS command injection, simple case

Last updated 6 months ago

Lab Description

This lab contains an OS command injection vulnerability in the product stock checker.

The application executes a shell command containing user-supplied product and store IDs, and returns the raw output from the command in its response.

To solve the lab, execute the whoami command to determine the name of the current user.

Walkthrough

Step 1: Analyzing the Request

The first step is to identify how the application processes the input parameters. Using Burp Suite, intercept the request sent when checking the stock of a product. Here's the intercepted request:

The request contains two parameters:

  • productId

  • storeId

The response returns a numeric value in plain text. At this point, we suspect the parameters are being used as part of a system command. Let’s test for command injection by sending the request to Burp Suite’s Repeater tool.

Step 2: Identifying the Vulnerable Parameter

To confirm command injection, try appending a test command (like ;id) to each parameter. Test both productId and storeId to determine:

  1. Whether they are vulnerable to injection.

  2. The order in which the parameters are executed.

After testing:

  • Both parameters (productId and storeId) are injectable.

  • The commands are executed in sequence: productId first, followed by storeId.

Step 3: Exploiting the Vulnerability

Now that we know the parameters are injectable, we can craft a payload to execute the whoami command and identify the current user. Append the ;whoami command to the storeId parameter:
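As an added example (not the lab's code or the author's), here is the pattern the three steps above exploit, written as a Python stand-in for the stock checker next to a hardened version; the real backend command is unknown, so `echo` plays its role and just prints the two IDs it receives, which is enough to see why `;` in either parameter becomes a second command and why productId runs before storeId.

```python
import re
import subprocess

# Constructed stand-in for the lab's stock checker: the real backend command is
# not on the page, so `echo` plays its role and prints the two IDs it receives.
STOCK_CMD = "echo"


def vulnerable_stock_check(product_id: str, store_id: str) -> str:
    """The pattern behind the lab: user input concatenated into a shell string.

    Anything after ';' in either parameter becomes a separate command, which is
    why ';whoami' in storeId returns the current user in the response. Because
    productId sits earlier in the string, its injected command runs first.
    """
    cmd = f"{STOCK_CMD} {product_id} {store_id}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# An ID is digits only, so no shell metacharacter can pass validation.
ID_RE = re.compile(r"^[0-9]{1,9}$")


def safe_stock_check(product_id: str, store_id: str) -> str:
    """Hardened form: allow-list the input, then run the program without a shell."""
    for name, value in (("productId", product_id), ("storeId", store_id)):
        if not ID_RE.fullmatch(value):
            raise ValueError(f"invalid {name}: {value!r}")
    # Argument list with shell=False: each ID reaches the program as one literal
    # argv entry, so even a ';' inside it would be data, never a command separator.
    result = subprocess.run([STOCK_CMD, product_id, store_id],
                            capture_output=True, text=True)
    return result.stdout


def main() -> None:
    # Constructed request values mirroring the lab: a probe appended to storeId.
    probe = "1;echo INJECTED"
    print("vulnerable:", repr(vulnerable_stock_check("1", probe)))
    try:
        safe_stock_check("1", probe)
    except ValueError as exc:
        print("hardened rejected the request:", exc)


if __name__ == "__main__":
    main()
```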