JTCyberTech / Cybersecurity-Home-Labs


Lab 1 - OS Command Injection, simple case #70

Open JTCyberTech opened 11 months ago

JTCyberTech commented 11 months ago

Lab 1 - OS Command Injection, simple case

Lab 1: Setup

Burp Suite Startup



- Click on "OK".



- Click on "I Accept".



- Click on "Next".



- Click on "Start Burp".



Intercept Requests Using Burp Proxy

- Once Burp Suite has finished loading, click on "Proxy".



- Click on "Open browser".

Navigate to the Command Injection Labs on PortSwigger in the Burp Suite Browser

- Log in to the [PortSwigger](https://portswigger.net/) website.
- Click on the three-line menu under "MY ACCOUNT" on the PortSwigger website. Then, click on "Academy".



- Click on the expand button. Then, click on "Latest topics" and "View all topics".



- Scroll down and click on "Command Injection".



- Scroll down and click on the lab "OS command injection, simple case".



- Click on "ACCESS THE LAB".



Visual Studio Code Downloads

- Open up Visual Studio Code. Import the 2 files below into Visual Studio Code.
- Click on "Download raw file".
  - [notes.txt](https://github.com/rkhal101/Web-Security-Academy-Series/blob/main/command-injection/lab-01/notes.txt)
  - [command-injection-lab-01.py](https://github.com/rkhal101/Web-Security-Academy-Series/blob/main/command-injection/lab-01/command-injection-lab-01.py)



Lab Description

The lab features an OS command injection vulnerability in the product stock checker, where the application processes user-provided product and store IDs, executing shell commands and displaying their raw output in the response. To complete the lab, execute the "whoami" command to identify the current user.
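The description above names the bug class exactly: user-supplied IDs are spliced into a shell command and the raw output is echoed back. The code below is an added illustration, not part of this issue, of the lab or of the linked script; it shows that pattern beside its hardened form. The `echo` stand-in for the lab's real stock-checking program, the function names and the "digits only" ID format are assumptions.

```python
import re
import subprocess

# Stand-in for the lab's stock-checking program (assumption: the lab shells
# out to some script; here `echo` plays that role so the example is harmless).
STOCK_CMD = "echo"


def vulnerable_check_stock(product_id: str, store_id: str) -> str:
    """The bug class the lab describes: both IDs are spliced into one command
    string and handed to a shell, so shell metacharacters in the input become
    part of the command, and the raw output is returned to the client."""
    cmd = f"{STOCK_CMD} stock:{product_id}:{store_id}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


# Allowlist: an ID is a short run of digits and nothing else (assumed format).
ID_PATTERN = re.compile(r"[0-9]{1,9}")


def validate_id(name: str, value: str) -> str:
    """Reject anything that is not a plain numeric ID."""
    if not ID_PATTERN.fullmatch(value):
        raise ValueError(f"invalid {name}: {value!r}")
    return value


def no_shell_check_stock(product_id: str, store_id: str) -> str:
    """One fix in isolation: arguments go as a list, so no shell parses them
    and metacharacters reach the program as literal text."""
    result = subprocess.run(
        [STOCK_CMD, f"stock:{product_id}:{store_id}"],
        capture_output=True, text=True,
    )
    return result.stdout


def hardened_check_stock(product_id: str, store_id: str) -> str:
    """Both fixes together (defence in depth): validate against the allowlist,
    then invoke the program without a shell."""
    product_id = validate_id("productId", product_id)
    store_id = validate_id("storeId", store_id)
    return no_shell_check_stock(product_id, store_id)


def rejected_by_hardened(product_id: str, store_id: str) -> bool:
    """True if the hardened handler refuses the input before running anything."""
    try:
        hardened_check_stock(product_id, store_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed input using the same chaining character as the lab, with a
    # harmless marker in place of a real command.
    tainted = "1 & echo INJECTED"
    print("vulnerable:", vulnerable_check_stock(tainted, "1"))
    print("no shell:  ", no_shell_check_stock(tainted, "1"))
    print("hardened rejects tainted input:", rejected_by_hardened(tainted, "1"))
    print("hardened (clean input):", hardened_check_stock("1", "1"))
```

The vulnerable path prints the marker because the shell reads `&` as a command separator; the no-shell path prints the whole string literally, and the hardened path never reaches the program at all.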

Lab Solution

- Turn Intercept on by clicking on "Intercept is off".



- After turning on Intercept, click on "View details" on the first item.



- Turn Intercept off. Navigate to "HTTP history".



- Scroll down on the browser, and click on "Check stock".



- Notice that a POST request has been generated in Burp Suite.



- Click on the POST request. Right-click on the request at the bottom and select "Send to Repeater".



- Click on "Repeater".
- In Repeater, we can see that the request takes two parameters: the "product ID" and the "store ID".



Testing for Potential Injection Vulnerabilities

We are going to test each parameter for potential injection vulnerabilities.

ProductID:

- Add "&" to chain a command, then "whoami" to run the Who Am I command.
- Add in: `productId=1 & whoami&storeId=1`.



- Since we don't have the source code for this application, we are going to tweak our command injection based on the response of the application.
- Highlight ` & whoami` and press "Ctrl + U" on the keyboard to URL-encode it. Then, click on "Send".
- The command turns into: `productId=1+%26+whoami&storeId=1`.



- Ran into an error while running the "whoami" command.
- On line 5, it says it's an unbound variable.



- Add a "#" to comment out the rest of the command.
- Add in: `productId=1+%26+whoami #&storeId=1`.
- Highlight ` #` and press "Ctrl + U" on the keyboard to encode it. Then, click on "Send".
- The command turns into: `productId=1+%26+whoami+%23&storeId=1`.



- We no longer get an error.
- Got the value: "peter-noZB5X".



StoreID:

- We can also do it on the StoreID side:
- Add "&" to chain a command, then "whoami" to run the Who Am I command.
- Add in: `productId=1&storeId=1 & whoami`.
- Highlight ` & whoami` and press "Ctrl + U" on the keyboard to encode it. Then, click on "Send".
- The command turns into: `productId=1&storeId=1 %26+whoami`.
- The output is also "peter-noZB5X", along with "62".
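Seen from the server or a WAF, the three request bodies sent in this section (with `+`, `%26` and `%23` from the Ctrl + U encoding) are easy to flag once the form body is decoded the way the application decodes it. The following is an added example, not part of this issue or of the lab: a small detector that decodes each body and reports parameters whose value is not a plain numeric ID. The tab-separated log format is constructed for the example and the metacharacter set is an assumption.

```python
from urllib.parse import parse_qs

# Shell metacharacters that have no place in a numeric ID (assumed set).
SHELL_METACHARS = set(";&|`$()<>#\n")
# Parameters the stock checker is expected to receive (assumption).
EXPECTED_PARAMS = {"productId", "storeId"}

# Constructed log lines: client, method, path and raw body, tab-separated.
# The bodies are the three encoded requests from the write-up plus one clean one.
SAMPLE_LOG = [
    "10.0.0.5\tPOST\t/product/stock\tproductId=1&storeId=1",
    "10.0.0.9\tPOST\t/product/stock\tproductId=1+%26+whoami&storeId=1",
    "10.0.0.9\tPOST\t/product/stock\tproductId=1+%26+whoami+%23&storeId=1",
    "10.0.0.9\tPOST\t/product/stock\tproductId=1&storeId=1 %26+whoami",
]


def decode_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body as the server would:
    split on '&' first, then turn '+' into a space and unescape %XX, so the
    Repeater-encoded payload comes back out as the text that was typed."""
    return parse_qs(body, keep_blank_values=True)


def suspicious_params(body: str) -> dict:
    """Return {param: [reasons]} for every parameter whose decoded value is
    not a plain digit string, naming any shell metacharacters it contains."""
    findings = {}
    for name, values in decode_form_body(body).items():
        for value in values:
            reasons = []
            if name not in EXPECTED_PARAMS:
                reasons.append("unexpected parameter")
            if not value.isdigit():
                found = sorted(c for c in set(value) if c in SHELL_METACHARS)
                if found:
                    reasons.append("shell metacharacters " + repr("".join(found)))
                else:
                    reasons.append("non-numeric value")
            if reasons:
                findings.setdefault(name, []).extend(reasons)
    return findings


def scan_log(lines) -> list:
    """Return (client, path, findings) for each log line with a suspicious body."""
    hits = []
    for line in lines:
        client, _method, path, body = line.split("\t", 3)
        findings = suspicious_params(body)
        if findings:
            hits.append((client, path, findings))
    return hits


if __name__ == "__main__":
    for client, path, findings in scan_log(SAMPLE_LOG):
        print(f"{client} {path}: {findings}")
```

Decoding before matching matters: a rule that looks for a literal `&` in the raw body would miss `%26`, while one that looks only for `%26` would miss a client that sends the character unencoded.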



Congratulations: Lab Solved

The top of the page in the browser will say: "Congratulations, you solved the lab!"



Command Injection with Script

- Open up Visual Studio Code.
- Import command-injection-lab-01.py into Visual Studio Code.
- Click on "Terminal". Then, "New Terminal".



- Change directory to the folder that has command-injection-lab-01.py.
- Type in: `cd Lab \ 1`
- Run the "whoami" command on the lab website URL.
- Type in: `python3 Command-Injection-Lab1.py "https://0afe00a2031cccb983a360ce00f200a8.web-security-academy.net" whoami`
- Result: