Writeup: Blind OS command injection with out-of-band interaction @ PortSwigger Academy
This is a writeup for the lab "Blind OS command injection with out-of-band interaction" from PortSwigger's Web Security Academy:
Python script: No script available
Burp Suite Professional is required to solve this lab!
Lab details
- OS command injection vulnerability in the feedback feature
- The application calls a shell command with user input. Execution is asynchronous and has no observable effect on the application's response
Goals
- Cause a 10-second delay
Steps
As with the previous labs in this section, I first have a look at the website and its feedback feature. I submit feedback and send the request to Repeater. As the lab is about sending an out-of-band request, I assume that the attack vector is the same as in the other labs: the email input field.
Therefore I open a new Burp Collaborator client (in the menu Burp --> Burp Collaborator Client) and generate a new payload. URL-encode the payload to avoid breaking the request.
After sending the request and polling for Collaborator interactions, 4 DNS lookups are shown.
At the same time, the lab page updates to
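As an added illustration (not the lab's server code and not part of the original writeup), here is the shape of a feedback handler that is injectable in the way the lab describes, next to a hardened version that never hands the address to a shell; the mail command and its flags are assumptions for the example.

```python
import re
import shlex
import subprocess

# Constructed example: a feedback handler that passes the submitter's e-mail
# address to an external mail command. The command name and flags are assumed.

# Strict allowlist for the address: local part, "@", then dotted host labels.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def build_command_vulnerable(email: str) -> str:
    """One string meant for subprocess.run(..., shell=True).

    The address is pasted straight into the command line, so /bin/sh parses any
    metacharacter it contains. The command runs asynchronously and its output is
    never shown to the user, which is why the lab is 'blind': only a side effect
    such as a DNS lookup reveals that injection happened.
    """
    return f"mail -s 'Website feedback' {email}"


def build_command_safe(email: str) -> list[str]:
    """Argument vector for subprocess.run(..., shell=False).

    The address is validated against the allowlist and then passed as a single
    argv element, so no shell ever parses it and metacharacters carry no meaning.
    """
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("e-mail address failed validation")
    return ["mail", "-s", "Website feedback", email]


def is_shell_safe(email: str) -> bool:
    """Defensive check: True only if the value passes the allowlist and would
    survive shell quoting unchanged (i.e. contains no characters a shell treats
    specially)."""
    return EMAIL_RE.fullmatch(email) is not None and shlex.quote(email) == email


def send_feedback(email: str) -> None:
    """Hardened path: validated argv, no shell, bounded runtime."""
    subprocess.run(build_command_safe(email), check=True, timeout=10)
```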