Writeup: Blind OS command injection with output redirection @ PortSwigger Academy

This is a writeup for the lab “Blind OS command injection with output redirection” from PortSwigger's Web Security Academy:

Python script: script.py

Lab description

  • OS command injection vulnerability in the feedback feature
  • The application calls a shell command with user input
  • Output is not returned, but can be redirected
  • Writable folder at /var/www/images/

Goals

  • Retrieve the output of whoami

Steps

Analysis

As usual, the first step is to browse the application to find out what it does. Like in the previous lab, it contains a vulnerable feedback feature.

Craft the payload

The command to execute is whoami > /var/www/images/whoami, which writes the output to a file. I will again inject straight into the email parameter. As in the previous lab, commenting out the remainder of the command results in a 200 OK, while leaving it in place results in a 500 Internal Server Error. Both ways work, though.
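The split the payload relies on, seen from the defender's side as an added example (not the lab's code and not the author's script.py): a hypothetical feedback handler that interpolates the email field into a shell command line, a tokenizer view of what the shell makes of the injected value, and a hardened variant that validates the field against an allow-list and never involves a shell. The mail command, its arguments and the sample payload string are assumptions; the lab's real backend is not shown on the page.

```python
"""Vulnerable vs. hardened handling of a feedback form's email field.

Added example, not the lab's or the author's code. Models a feedback
handler that hands the submitted email to a mail command via /bin/sh,
and a hardened version that validates the value and avoids the shell.
Nothing here executes a command; the point is how the string is built
and how a POSIX shell would tokenize it.
"""
import re
import shlex

# Constructed sample inputs: a normal address and a redirection payload
# of the kind the writeup describes (assumed values).
BENIGN_EMAIL = "user@example.com"
PAYLOAD_EMAIL = "x@x.com & whoami > /var/www/images/whoami #"

# Characters that let a shell start a new command, redirect output or
# substitute a command: the things an allow-list must keep out.
SHELL_METACHARS = re.compile(r"[;&|<>`$()\n]")
# Deliberately simple address allow-list (hypothetical policy).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def build_command_vulnerable(email: str) -> str:
    """Builds the string a vulnerable app would pass to /bin/sh -c.
    The email is interpolated unquoted, so '&' ends the mail command and
    everything after it runs as a second command; '>' then redirects
    that command's output wherever the input says."""
    return f"mail -s 'Feedback' {email}"


def shell_tokens(command: str) -> list[str]:
    """Tokenizes a command line the way a POSIX shell would, with
    operators such as '&' and '>' as separate tokens and '#' starting a
    comment. Shows why the injected value is no longer one argument."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # keep 'x@x.com' as one token
    return list(lexer)


def accepts(email: str) -> bool:
    """Allow-list check used by the hardened handler."""
    return EMAIL_RE.fullmatch(email) is not None


def build_command_hardened(email: str) -> list[str]:
    """Validates the email, then returns an argv list meant for
    subprocess.run(argv) with the default shell=False: no shell parses
    the value, so metacharacters would reach the program as plain text.
    Validation still happens first so the mail program itself never sees
    a value outside the expected shape."""
    if not accepts(email):
        raise ValueError("invalid email address")
    return ["mail", "-s", "Feedback", email]


def flag_suspicious(value: str) -> list[str]:
    """Detection helper for submitted fields: the shell metacharacters
    found in the value, sorted, so a form handler or WAF rule can log
    attempts instead of silently running them."""
    return sorted(set(SHELL_METACHARS.findall(value)))
```

Running `shell_tokens(build_command_vulnerable(PAYLOAD_EMAIL))` yields `mail`, `-s`, `Feedback`, `x@x.com` and then `&`, `whoami`, `>`, `/var/www/images/whoami` as separate tokens, with the trailing `#` swallowing the rest of the line; that is exactly the second command the writeup expects to run. The hardened builder refuses the same input, and `flag_suspicious` reports `&`, `>` and `#`-free metacharacters for logging.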

Access the file

Now the file is in /var/www/images, but its path within the application is unknown, and it may not be accessible directly at all. However, I can make use of the way the application includes its images: a GET request to /image?filename=
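The retrieval step works because the image endpoint will serve whatever name it is given from a folder the injected command can write to. As an added example (not the lab's code), here is a hardened resolver for such an endpoint plus a scan over constructed access-log lines that flags requests the resolver would refuse; the root path, extension list and log lines are assumptions.

```python
"""Hardening an /image?filename= endpoint and spotting its misuse in logs.

Added example, not the lab's or the author's code. The endpoint serves
files from a folder that a command injection can write into, so any
written file becomes readable. Two defender-side pieces: a strict
allow-list for what the endpoint will serve, and a scan of access-log
lines for requests that fall outside that allow-list.
"""
import posixpath
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

IMAGE_ROOT = "/var/www/images"  # assumed to match the lab's writable folder
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".svg"}
# Plain file names only: no separators, no leading dot, exactly one extension.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$")


def resolve_image(filename: str) -> Optional[str]:
    """Returns the absolute path to serve, or None when the request must be
    refused. Rejects path separators, traversal, dotfiles and non-image
    extensions, and confirms the normalized path still sits under IMAGE_ROOT.
    A file named 'whoami' fails the first check, so output dropped there by
    an injected command is not served."""
    if not SAFE_NAME.fullmatch(filename):
        return None
    ext = posixpath.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    full = posixpath.normpath(posixpath.join(IMAGE_ROOT, filename))
    if not full.startswith(IMAGE_ROOT + "/"):
        return None
    return full


# Constructed access-log lines in Combined Log Format; not captured from the lab.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /image?filename=12.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /image?filename=whoami HTTP/1.1" 200 10 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /image?filename=../../etc/passwd HTTP/1.1" 404 0 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:00:11 +0000] "GET /post?postId=3 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_image_requests(log_text: str) -> list[tuple[str, str, str]]:
    """Returns (client ip, requested filename, status) for /image requests
    whose filename the hardened resolver would refuse. A 200 on such a
    request means the unhardened endpoint actually served the file."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != "/image":
            continue
        for name in parse_qs(parts.query).get("filename", []):
            if resolve_image(name) is None:
                hits.append((m["ip"], name, m["status"]))
    return hits
```

In the sample log, the request for `12.jpg` passes, while `whoami` (no image extension) and the traversal attempt are both flagged; the `200` on the `whoami` line is the signal that output written into the image folder was read back.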

At the same time, the lab page updates to


Tech nerd, doing security stuff for fun and some as a job | CISSP, OSCP. Read all stories on medium and support me: https://medium.com/@frank.leitner/membership

Frank Leitner