Writeup: Blind OS command injection with out-of-band interaction @ PortSwigger Academy

Frank Leitner
2 min read · Apr 30, 2022


This is a writeup for the lab “Blind OS command injection with out-of-band interaction” from PortSwigger's Web Security Academy:

Python script: No script available
Burp Suite Professional is required to solve this lab!

Lab details

  • OS command injection vulnerability in the feedback feature
  • The application calls a shell command with user input. Execution is asynchronous and has no observable impact on the application's response

Goals

  • Cause a 10-second delay

Steps

As with the previous labs in this section, I first have a look at the website and its feedback feature. I submit feedback and send the request to Repeater. As the lab is about sending an out-of-band request, I assume that the attack vector is the same as in the other labs: the email input field.

Therefore I open a new Burp Collaborator client (in the menu Burp --> Burp Collaborator Client) and generate a new payload. I URL-encode the payload to avoid breaking the request.

After sending the request and polling for Collaborator interactions, 4 DNS lookups are shown.
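As an added illustration (not code from the original writeup or from the lab), here is the vulnerable pattern the lab describes, a feedback handler that interpolates the email field into a shell command, next to a hardened version that allow-lists the field and passes it as an argv element so no shell ever parses it. Python, with `echo` standing in for the application's real command and a constructed sample input; `EMAIL_RE`, `run_unsafe`, `run_safe` and `flag_suspicious` are hypothetical names.

```python
import re
import subprocess
from typing import List

# Allow-list for the email field: local-part@domain only, no shell metacharacters.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Characters a POSIX shell would interpret. Used for detection/logging only;
# the primary control is validation plus a shell-free invocation.
SHELL_META = set(";|&`$(){}<>\n")

# Constructed sample input: a plausible address followed by a second command.
PAYLOAD = "user@example.com; echo INJECTED"


def run_unsafe(email: str) -> List[str]:
    """Vulnerable pattern: user input pasted into a shell string.
    With shell=True the ';' ends the echo and the shell runs what follows,
    exactly the behaviour a blind injection relies on. 'echo' stands in
    for the real mail/notification command."""
    proc = subprocess.run(f"echo {email}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def run_safe(email: str) -> List[str]:
    """Hardened pattern: reject anything outside the allow-list, then hand the
    value to the program as one argv element. Even if validation were skipped,
    the argv form makes ';' ordinary data rather than a command separator."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("email field rejected by allow-list")
    proc = subprocess.run(["echo", email], capture_output=True, text=True)
    return proc.stdout.splitlines()


def flag_suspicious(email: str) -> bool:
    """Detection hook for the feedback endpoint: returns True when the field
    carries shell metacharacters, so the submission can be logged and alerted
    on. Asynchronous execution hides the attack in responses, so this is a
    useful place to get visibility."""
    return any(ch in SHELL_META for ch in email)


if __name__ == "__main__":
    print("unsafe:", run_unsafe(PAYLOAD))          # second line shows the injected command ran
    print("flagged:", flag_suspicious(PAYLOAD))    # True
    try:
        run_safe(PAYLOAD)
    except ValueError as exc:
        print("safe:", exc)                        # rejected before any command runs
```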

At the same time, the lab page updates to


Frank Leitner

Tech nerd, doing security stuff for fun and some as a job | CISSP-ISSAP, CISM, IEC62443 Expert, OSCP