PortSwigger Lab: Blind OS command injection with output redirection
Task
This lab contains a blind OS command injection vulnerability in the feedback function.
The application executes a shell command containing the user-supplied details. The output from the command is not returned in the response. However, you can use output redirection to capture the output from the command. There is a writable folder at:
/var/www/images/
The application serves the images for the product catalog from this location. You can redirect the output from the injected command to a file in this folder, and then use the image loading URL to retrieve the contents of the file.
To solve the lab, execute the whoami command and retrieve the output.
Attempt
There's a submit feedback feature which is vulnerable to OS command injection (aka shell injection, or simply command injection) according to the task description. Also I have to do a sort of OOB (out-of-band) attack, since the command output never comes back in the response.
First I filled out the form with random values and sent it. Captured the request:
POST /feedback/submit HTTP/2
Host: 0a8d0096034f589682e8831800170064.web-security-academy.net
Cookie: session=AifulZdO0TLltiqAJFPOkWflnnxKvGol
Content-Length: 117
Sec-Ch-Ua-Platform: "Linux"
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Sec-Ch-Ua: "Chromium";v="133", "Not(A:Brand";v="99"
Content-Type: application/x-www-form-urlencoded
Sec-Ch-Ua-Mobile: ?0
Accept: */*
Origin: https://0a8d0096034f589682e8831800170064.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a8d0096034f589682e8831800170064.web-security-academy.net/feedback
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=1, i
csrf=uyP0fUyg0Tx6CPZVYU8x98E69P238I29&name=myname&email=maemail%40example.com&subject=ohsubject&message=thisismessage
I tested ;sleep 1 in each field with different delays. This method didn't really work because when a field contains an injected command, the page immediately responds with an internal server error. Regardless, that error told me the email field is vulnerable.
I sent the payload ;whoami>/var/www/images/output1.txt; in the email field. Then I opened an image while intercepting the response and set the filename parameter to output1.txt. Got the result.
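As an added illustration (not part of the lab or this write-up), here is the code pattern that makes this injection possible beside a hardened version, in Python. The mail command, the field names and the sample values are my assumptions; the injected value mirrors the payload used above.

```python
import re
import shlex

# Constructed sample values (not taken from the lab traffic): one ordinary
# address and an injected value shaped like the payload in the write-up,
# which closes a shell word with ";" and redirects into the images folder.
BENIGN_EMAIL = "alice@example.com"
INJECTED_EMAIL = "alice@example.com;whoami>/var/www/images/output1.txt;"
SUBJECT = "ohsubject"

# Allowlist for the email field: address characters only. ";", ">", "|",
# "&", "$", backticks and newlines all fail this pattern.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_valid_email(value: str) -> bool:
    """True only if the whole value matches the allowlist."""
    return EMAIL_RE.fullmatch(value) is not None


def build_vulnerable_command(email: str, subject: str) -> str:
    """The pattern the lab exploits: user input concatenated into a single
    string that is later handed to /bin/sh -c (assumed 'mail' invocation)."""
    return f"mail -s '{subject}' {email}"


def shell_words(command: str) -> list[str]:
    """Tokenise a command string the way a POSIX shell would, showing where
    user data turns into control syntax (";" and ">" become own tokens)."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def build_hardened_argv(email: str, subject: str) -> list[str]:
    """Validate first, then build an argv list for subprocess.run(argv) with
    shell=False: each element is exactly one argument, never shell syntax."""
    if not is_valid_email(email):
        raise ValueError("email rejected by allowlist")
    return ["mail", "-s", subject, "--", email]


def feedback_accepted(email: str, subject: str) -> bool:
    """True if the hardened path would run, False if the allowlist rejected it."""
    try:
        build_hardened_argv(email, subject)
        return True
    except ValueError:
        return False
```

Running shell_words over the vulnerable command string makes the problem visible: the address, ";", "whoami", ">" and the output path come out as separate words, which is exactly what the shell would execute.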