Blind OS command injection with output redirection Write-up
To access the lab, visit the following link
This lab contains a blind OS command injection vulnerability in the feedback function.
The application executes a shell command containing the user-supplied details. The output from the command is not returned in the response. However, you can use output redirection to capture the output from the command. There is a writable folder at:
/var/www/images/
The application serves the images for the product catalog from this location. You can redirect the output from the injected command to a file in this folder, and then use the image loading URL to retrieve the contents of the file.
To solve the lab, execute the whoami command and retrieve the output.
Target Goal
Exploit the blind command injection and redirect the output of the “whoami” command to a file in /var/www/images/
Access the lab
Click the given button to access the lab.
Burp suite
I have started Burp Suite Community Edition with the web application side by side.
Route Traffic Through Burp Suite
Now we will point the browser's proxy at Burp. FoxyProxy lets us switch the browser's proxy settings quickly so that web traffic is routed through Burp Suite, which is what allows us to intercept and inspect HTTP requests and responses.
Intercepting traffic
Turn on Intercept in Burp Suite and click the Submit feedback button in the web application. Burp will intercept the request.
Fill in the feedback form and click Submit feedback.
As soon as the feedback is submitted, the POST request appears in the HTTP history tab of Burp Suite.
Identifying vulnerability
Click the POST request to see the data of the request made through Burp.
Right-click the request and send it to Repeater.
In the Repeater tab we can see the csrf parameter. This is the token web applications use to ensure that actions on the site were initiated by the user and are not the result of a third party's malicious activity. It protects users from unintended actions, such as unauthorized data changes, when they click links or visit pages that would otherwise perform actions on their behalf without their knowledge.
We already performed blind command injection in the previous lab, so we know the email parameter is vulnerable to blind OS command injection. You can access the write-up for that lab here:
Now, let's go back to the HTTP history tab in Burp Suite and click the Home section in the web app. The image requests intercepted by Burp Suite appear in the HTTP history tab.
Click any image request and you can see it in the Request tab at the bottom. Right-click it and send the request to Repeater.
Modifying request
Now we will modify the request in the Repeater tab and execute the command “whoami” after the email parameter, since we know it is vulnerable. Because the output is not returned in the Response tab, we redirect it to a file under /var/www/images/.
& whoami > /var/www/images/output.txt
#--> & is a shell command separator, so the injected whoami runs as its own command after the application's
#--> whoami prints the current username
#--> > is a redirection operator that sends the command's output to the given path
#--> /var/www/images/output.txt is the file where the output of whoami is saved
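As an added illustration (not part of the lab or this write-up), the Python below models why the payload above works and how the feedback handler would be hardened. The field names, the mail command and the allow-list pattern are assumptions, not the lab's source:

```python
import re
import subprocess

# Constructed sample of the feedback POST fields; the email value carries the
# same payload the write-up uses (field names are assumed, not the lab's own).
FEEDBACK = {
    "name": "Alice",
    "email": "alice@example.com & whoami > /var/www/images/output.txt",
    "subject": "Feedback",
    "message": "Great catalog",
}

def build_vulnerable_command(fields):
    """The bug the lab models: form fields dropped straight into one shell string.
    Run with shell=True, '&' ends the mail command and 'whoami > ...' runs as a
    second command, writing its output into the web-served images folder.
    Returned as a string only; nothing here executes it."""
    return f"mail -s {fields['subject']} {fields['email']}"

# Assumed allow-list for the email field (hardened version only).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def build_safe_argv(fields):
    """Hardened form: validate the email against an allow-list pattern, then build
    an argv list so the value is a single argument and no shell ever parses it."""
    if not EMAIL_RE.fullmatch(fields["email"]):
        raise ValueError("rejected email value")
    return ["mail", "-s", fields["subject"], fields["email"]]

def argv_keeps_payload_literal(value):
    """Shows why an argv list is safe: pass the payload to echo without a shell.
    The metacharacters come back verbatim and no output.txt is ever created."""
    out = subprocess.run(["echo", value], capture_output=True, text=True, check=True)
    return out.stdout.rstrip("\n")

# Defender-side pattern: shell separators, command substitution, or a redirect
# into the served folder appearing inside a form field.
INJECTION_RE = re.compile(r"[;&|`]|\$\(|>\s*/var/www/")

def flag_injection_attempt(value):
    """True when a field value looks like a command-injection attempt; suitable
    for a request-log alert or a WAF rule on the feedback endpoint."""
    return bool(INJECTION_RE.search(value))
```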
Select the payload and press CTRL + U to URL-encode it, then click Send. We get response code 200, which indicates the command executed successfully.
We can verify it in the other Repeater tab. Let's modify the GET request by replacing the image filename with the output.txt file we saved in /var/www/images and send the request.
The username is returned in the response. Congratulations!
On the other side, the lab is also marked as solved.
Congratulations! The walkthrough of the third OS command injection lab finishes here.