Lab 2 - Blind OS command injection with time delays
Lab 2: Setup
Burp Suite Startup
Open up Burp Suite by clicking on the Kali Linux icon on the left upper corner to expand the menu.
Type in: "Burp Suite" on the search bar.
- Click on "OK".
- Click on "I Accept".
- Click on "Next".
- Click on "Start Burp".
Intercept Requests Using Burp Proxy
- Once Burp Suite finished loading, click on "Proxy".
- Click on "Open browser".
Navigate to Command Injection Labs in Portswigger On Burp Suite Browser
- Log in to [PortSwigger](https://portswigger.net/) Website.
- Click on the three line under "MY ACCOUNT" on Portswigger Website. Then, click on "Academy".
- Click on the expand button. Then, click on "Latest topics" and "View all topics".
- Scroll down and click on "Command Injection".
- Scroll down and click on the lab "Blind OS command injection with time delays".
- Click on "ACCESS THE LAB".
Visual Studio Code Downloads
- Open up Visual Studio Code. Import the file below to Visual Studio Code.
- Click on "Download raw file".
- [command-injection-lab-02.py](https://github.com/rkhal101/Web-Security-Academy-Series/blob/main/command-injection/lab-02/command-injection-lab-02.py)
Lab Description
This lab features a blind OS command injection vulnerability within the feedback function, where the application executes a user-supplied shell command without providing command output in the response. To complete the lab, exploit this vulnerability to introduce a 10-second delay.
Lab Solution
- Navigate to Burp Suite turn Intercept On by clicking on "Intercept is off".
- Navigate to the Intercept Browser, click on "Submit feedback".
- Navigate back to Burp Suite turn Intercept On by clicking on "Intercept is on".
- Navigate back to the Intercept Browser, fill in the "Submit feedback".
- Name: "test".
- Email: "test@test.ca".
- Subject: "test".
- Message: "test".
- Click on "Submit feedback".
- The response from the form is just "Thank you for submitting feedback!
- Doesn't give you the response of the request that you performed.
- If any of the field is vulnerable to command injection, it could be "Blind command injection" instead of "In-band command injection".
- Notice a "post request" for "feedback/submit" have generated on Burp Suite on the HTTP history tab.
- Click on the post request. Right-click on the request on the bottom and select "Send to Repeater".
- Click on "Repeater".
- From the repeater, we can see it takes parameters in csrf, name, email, subject, and email.
Testing for Potential Injection Vulnerabilities
We are going to test each parameter that is visible on the website for potential injection vulnerabilities with the "sleep" command. (Excluding csrf)
Name Field:
- Adding "&" for chainning command. Then "sleep 10" to run "sleep" command. Then add "#" for making the rest of the command a comment.
- Add in: "csrf=W7KsRxyQSmSzYXrHORkztKR6e68lW2YB&name=test``` & sleep 10 #```&email=test%40test.ca&subject=test&message=test".
- Highlight ``` & sleep 10 #```. Then, press "Ctrl + U" to encode it.
- The command turns into: "```csrf=W7KsRxyQSmSzYXrHORkztKR6e68lW2YB&name=test+%26+sleep+10+%23&email=test%40test.ca&subject=test&message=test```".
- Click on "Send".
We got the result back right away, so the name field not vulnerable to the "sleep" command.
Email Field:
- Delete: ```+%26+sleep+10+%23```. Then Repeat the same thing for email field on the command.
- The command turns into: "```csrf=Ay1VbxDEsOHvNQi1pi9fLLFpmFdwJGmd&name=test&email=test%40test.ca+%26+sleep+10+%23&subject=test&message=test```".
- Click on "Send".
We got the result back in 10 seconds, so the email field is vulnerable to the "sleep" command.
Repeat for Both Subject Field and Message Field
We got the result back right away for both of them, so the Subject and Message field are not vulnerable to the sleep command.
Congratulations: Lab Solved<
On the top of the page on the intercept browser will say: "Congratulations, you solved the lab!"
Command Injection with Script
- Open up Visual Studio Code
- Import the command-injection-lab-02.py into Visual Studio Code.
- Click on "Terminal". Then, "New Terminal".
- Change Directory to the folder that have command-injection-lab-02.py .
- Type in: ```cd Lab\ 2```
- Run command on the lab website URL.
- Type in: ```command-injection-lab-02.py "https://0afe00a2031cccb983a360ce00f200a8.web-security-academy.net" ```
- Result:
Lab 2 - Blind OS command injection with time delays
Lab 2: Setup
Burp Suite Startup
- Click on "OK".
- Click on "I Accept".
- Click on "Next".
- Click on "Start Burp".
Intercept Requests Using Burp Proxy
- Once Burp Suite finished loading, click on "Proxy".- Click on "Open browser".
Navigate to Command Injection Labs in Portswigger On Burp Suite Browser
- Log in to [PortSwigger](https://portswigger.net/) Website. - Click on the three line under "MY ACCOUNT" on Portswigger Website. Then, click on "Academy".- Click on the expand button. Then, click on "Latest topics" and "View all topics".
- Scroll down and click on "Command Injection".
- Scroll down and click on the lab "Blind OS command injection with time delays".
- Click on "ACCESS THE LAB".
Visual Studio Code Downloads
- Open up Visual Studio Code. Import the file below to Visual Studio Code. - Click on "Download raw file". - [command-injection-lab-02.py](https://github.com/rkhal101/Web-Security-Academy-Series/blob/main/command-injection/lab-02/command-injection-lab-02.py)Lab Description
This lab features a blind OS command injection vulnerability within the feedback function, where the application executes a user-supplied shell command without providing command output in the response. To complete the lab, exploit this vulnerability to introduce a 10-second delay.Lab Solution
- Navigate to Burp Suite turn Intercept On by clicking on "Intercept is off".- Navigate to the Intercept Browser, click on "Submit feedback".
- Navigate back to Burp Suite turn Intercept On by clicking on "Intercept is on".
- Navigate back to the Intercept Browser, fill in the "Submit feedback". - Name: "test". - Email: "test@test.ca". - Subject: "test". - Message: "test". - Click on "Submit feedback".
- The response from the form is just "Thank you for submitting feedback! - Doesn't give you the response of the request that you performed. - If any of the field is vulnerable to command injection, it could be "Blind command injection" instead of "In-band command injection".
- Notice a "post request" for "feedback/submit" have generated on Burp Suite on the HTTP history tab.
- Click on the post request. Right-click on the request on the bottom and select "Send to Repeater".
- Click on "Repeater". - From the repeater, we can see it takes parameters in csrf, name, email, subject, and email.
Testing for Potential Injection Vulnerabilities
We are going to test each parameter that is visible on the website for potential injection vulnerabilities with the "sleep" command. (Excluding csrf)Name Field:
- Adding "&" for chainning command. Then "sleep 10" to run "sleep" command. Then add "#" for making the rest of the command a comment. - Add in: "csrf=W7KsRxyQSmSzYXrHORkztKR6e68lW2YB&name=test``` & sleep 10 #```&email=test%40test.ca&subject=test&message=test". - Highlight ``` & sleep 10 #```. Then, press "Ctrl + U" to encode it. - The command turns into: "```csrf=W7KsRxyQSmSzYXrHORkztKR6e68lW2YB&name=test+%26+sleep+10+%23&email=test%40test.ca&subject=test&message=test```". - Click on "Send".We got the result back right away, so the name field not vulnerable to the "sleep" command.
Email Field:
- Delete: ```+%26+sleep+10+%23```. Then Repeat the same thing for email field on the command. - The command turns into: "```csrf=Ay1VbxDEsOHvNQi1pi9fLLFpmFdwJGmd&name=test&email=test%40test.ca+%26+sleep+10+%23&subject=test&message=test```". - Click on "Send".We got the result back in 10 seconds, so the email field is vulnerable to the "sleep" command.
Repeat for Both Subject Field and Message Field
We got the result back right away for both of them, so the Subject and Message field are not vulnerable to the sleep command.Congratulations: Lab Solved<
On the top of the page on the intercept browser will say: "Congratulations, you solved the lab!"Command Injection with Script
- Open up Visual Studio Code - Import the command-injection-lab-02.py into Visual Studio Code. - Click on "Terminal". Then, "New Terminal".- Change Directory to the folder that have command-injection-lab-02.py . - Type in: ```cd Lab\ 2``` - Run command on the lab website URL. - Type in: ```command-injection-lab-02.py "https://0afe00a2031cccb983a360ce00f200a8.web-security-academy.net" ``` - Result: