JTCyberTech / Cybersecurity-Home-Labs


Lab 3 - Blind OS Command Injection with Output Redirection #72

Open JTCyberTech opened 11 months ago

JTCyberTech commented 11 months ago

Lab 3 - Blind OS Command Injection with Output Redirection

Lab 3: Setup

Burp Suite Startup



- Click on "OK".



- Click on "I Accept".



- Click on "Next".



- Click on "Start Burp".



Intercept Requests Using Burp Proxy

- Once Burp Suite finished loading, click on "Proxy".



- Click on "Open browser".

Navigate to Command Injection Labs in Portswigger On Burp Suite Browser

- Log in to the [PortSwigger](https://portswigger.net/) website.
- Click on the three lines under "MY ACCOUNT" on the PortSwigger website. Then, click on "Academy".



- Click on the expand button. Then, click on "Latest topics" and "View all topics".



- Scroll down and click on "Command Injection".



- Scroll down and click on the lab "Blind OS command injection with output redirection".



- Click on "ACCESS THE LAB".



Visual Studio Code Downloads

- Open up Visual Studio Code and import the file below into it.
- Click on "Download raw file".
- [command-injection-lab-03.py](https://github.com/rkhal101/Web-Security-Academy-Series/blob/main/command-injection/lab-03/command-injection-lab-03.py)



Lab Description

This lab features a blind OS command injection vulnerability within the feedback function. The application runs a shell command with user-supplied input, but it does not display the command's output. However, you can employ output redirection to capture the command's output. Additionally, there is a writable folder located at ```/var/www/images```. The application hosts product catalog images at this location. Redirect the injected command output to a file in this folder, then access the file's content via the image loading URL. To complete the lab, execute the 'whoami' command and obtain the result.

Lab Solution

Goal: exploit the blind command injection and redirect the output of the "whoami" command into the "/var/www/images" folder.

Steps:

1. Confirm blind command injection
2. Check where images are stored
3. Redirect output to a file
4. Check if the file was created

Confirm Blind Command Injection:

- Navigate to Burp Suite and turn Intercept on by clicking on "Intercept is off".



- Navigate to the Intercept Browser and click on "Submit feedback".



- Navigate back to Burp Suite and turn Intercept off by clicking on "Intercept is on".



- Navigate back to the Intercept Browser and fill in the "Submit feedback" form:
  - Name: "test"
  - Email: "test@test.ca"
  - Subject: "test"
  - Message: "test"
- Click on "Submit feedback".



- The response from the form is just "Thank you for submitting feedback!"
  - It doesn't show the output of the request that you performed.
  - If any of the fields is vulnerable to command injection, it would be "blind command injection" rather than "in-band command injection".



- Notice that a POST request to "/feedback/submit" has appeared on the HTTP history tab in Burp Suite.



- Click on the POST request. Right-click on the request at the bottom and select "Send to Repeater".



- Click on "Repeater".
- In Repeater, we can see the request takes the parameters csrf, name, email, subject, and message.



Testing for Potential Injection Vulnerabilities

We are going to test each parameter that is visible on the website (excluding csrf) for potential injection vulnerabilities using the "sleep" command.

Name Field:

- Add "&" to chain commands, then "sleep 10" to run the "sleep" command, then "#" to turn the rest of the command into a comment.
- Add in: "csrf=W7KsRxyQSmSzYXrHORkztKR6e68lW2YB&name=test``` & sleep 10 #```&email=test%40test.ca&subject=test&message=test".
- Highlight ``` & sleep 10 #```. Then, press "Ctrl + U" to URL-encode it.
- The request body turns into: "```csrf=W7KsRxyQSmSzYXrHORkztKR6e68lW2YB&name=test+%26+sleep+10+%23&email=test%40test.ca&subject=test&message=test```".
- Click on "Send".



We got the result back right away, so the name field is not vulnerable to the "sleep" command.



Email Field:

- Delete ```+%26+sleep+10+%23```. Then repeat the same thing for the email field.
- The request body turns into: "```csrf=Ay1VbxDEsOHvNQi1pi9fLLFpmFdwJGmd&name=test&email=test%40test.ca+%26+sleep+10+%23&subject=test&message=test```".
- Click on "Send".



We got the result back in 10 seconds, so the email field is vulnerable to the "sleep" command.
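The time delay works because the application splices the email field into a string that a shell parses: `&` becomes a command separator and `#` comments out whatever follows, so `sleep 10` runs as a second command. The snippet below is an added example, not code from the lab or from the linked repository. It places the vulnerable string-building pattern next to two hardening layers: an allowlist check on the field and execution as an argv list with no shell (a Python interpreter stands in for the real mail client so it runs offline). All names and the sample inputs are constructed for the example.

```python
import re
import subprocess
import sys

# Constructed sample inputs (not captured from the lab): a benign address and the
# time-delay probe used above, as the application would see it after URL decoding.
BENIGN_EMAIL = "test@test.ca"
PROBE_EMAIL = "test@test.ca & sleep 10 #"

# Allowlist for the email field; no shell metacharacter can pass a full match.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_unsafe_command(email, subject):
    """Vulnerable pattern: the field is pasted into one string a shell will parse.

    With PROBE_EMAIL the shell sees `&` as a command separator and `#` as the
    start of a comment, so `sleep 10` executes as an independent command.
    """
    return f"mail -s '{subject}' {email}"


def is_valid_email(value):
    """Reject anything outside the allowlist instead of trying to strip bad characters."""
    return EMAIL_RE.fullmatch(value) is not None


def run_argv(email, subject):
    """Hardened pattern: argv list, shell=False (the default), so each element is
    exactly one argument and metacharacters are plain text.

    A tiny Python one-liner stands in for the mail client and echoes its argv.
    """
    argv = [
        sys.executable, "-c", "import sys; print(' '.join(sys.argv[1:]))",
        "mail", "-s", subject, email,
    ]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout.rstrip("\n")


def handle_feedback(email, subject):
    """Both layers together: validate first, then execute without a shell."""
    if not is_valid_email(email):
        raise ValueError("email rejected by allowlist")
    return run_argv(email, subject)


if __name__ == "__main__":
    print(build_unsafe_command(PROBE_EMAIL, "test"))   # what a shell would parse
    print(run_argv(PROBE_EMAIL, "test"))               # probe arrives as literal text
    print(handle_feedback(BENIGN_EMAIL, "test"))
```

Even without the allowlist, `run_argv` never executes `sleep`: the whole probe is delivered to the child process as a single argument. The allowlist is still worth keeping, because it stops odd input early and produces a log line a detection rule can key on.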

Check Where Images Are Stored

- Click on "Proxy" tab on Burp Suite. Then click on "HTTP history".



- Click on the "Filter Bar".



- Check the box for "Images". Then, click on "Apply".



- Navigate back to the Intercept Browser and click on "Home".



- Go back to Burp Suite; we can see many image requests have appeared in the "HTTP history".



- Click on a random GET request whose URL contains "/image?filename".



- Right-click on the request on the bottom and select "Send to Repeater".



- Clicking on "Send" returns the content of the image.



Redirect Output to File

- Go back to the Repeater tab with the ```csrf=``` request.
- Instead of sleeping, run the "whoami" command but redirect its output into the file "/var/www/images/output.txt".
- Add in: "csrf=MQ7FaDJ140t92gTvPUwztnBH5F6pL1AE&name=test&email=test%40test.ca``` & whoami > /var/www/images/output.txt #```&subject=test&message=test".
- Highlight ``` & whoami > /var/www/images/output.txt #```. Then, press "Ctrl + U" to URL-encode it.
- The request body turns into: "```csrf=MQ7FaDJ140t92gTvPUwztnBH5F6pL1AE&name=test&email=test%40test.ca+%26+whoami+>+/var/www/images/output.txt+%23&subject=test&message=test```".
- Click on "Send".



- The response doesn't tell us whether it worked.



Check If the File Was Created

- Navigate back to the image Repeater tab.
- Change "GET /image?filename=```36.jpg```" into "GET /image?filename=```output.txt```".
- Click on "Send".



- The response worked: the output shows the result of the "whoami" command, which is the user the application runs as: "peter-rmFf07".
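From the defender's side, this lab leaves two traces: a form field that decodes to text containing shell metacharacters and a redirect target, followed by an `/image?filename=` request for something that is not an image. The script below is an added example, not part of the lab or the linked repository. It runs that detection logic over a few constructed log lines modelled on the requests above (the real server's log format will differ; the `METHOD PATH body=...` layout, the field names and the function names are assumptions), flags both traces, and correlates the redirect target with the later fetch.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines in a simplified "METHOD PATH [body=...]" layout.
# They are not captured traffic; values mirror the requests described above.
SAMPLE_LOG = [
    "POST /feedback/submit body=csrf=X&name=test&email=test%40test.ca&subject=test&message=test",
    "POST /feedback/submit body=csrf=X&name=test&email=test%40test.ca+%26+sleep+10+%23&subject=test&message=test",
    "POST /feedback/submit body=csrf=X&name=test&email=test%40test.ca+%26+whoami+>+/var/www/images/output.txt+%23&subject=test&message=test",
    "GET /image?filename=36.jpg",
    "GET /image?filename=output.txt",
]

# Characters that let a shell start a second command or redirect output.
SHELL_META = re.compile(r"[;&|`$<>\n]")
# Redirect target after `>`: stop at whitespace or the next separator/comment.
REDIRECT = re.compile(r">\s*([^\s;&|#]+)")
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".svg", ".webp")


def scan_feedback(body):
    """Return (field, decoded value) pairs whose decoded value contains shell metacharacters."""
    hits = []
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:          # parse_qs already applies URL decoding
            if SHELL_META.search(value):
                hits.append((field, value))
    return hits


def scan_image_request(path):
    """Return the filename if an /image request asks for a non-image or a path, else None."""
    parts = urlsplit(path)
    if parts.path != "/image":
        return None
    name = parse_qs(parts.query).get("filename", [""])[0]
    if "/" in name or ".." in name or not name.lower().endswith(IMAGE_EXT):
        return name
    return None


def analyse(lines):
    """Walk the log once and emit (kind, field, value) alerts in log order."""
    alerts = []
    for line in lines:
        method, rest = line.split(" ", 1)
        if method == "POST" and " body=" in rest:
            _, body = rest.split(" body=", 1)
            for field, value in scan_feedback(body):
                alerts.append(("shell-metachar", field, value))
        elif method == "GET":
            name = scan_image_request(rest)
            if name is not None:
                alerts.append(("non-image-fetch", "filename", name))
    return alerts


def correlate(alerts):
    """Filenames that appear both as a redirect target in a flagged POST and in a non-image GET."""
    targets = set()
    for kind, _, value in alerts:
        if kind == "shell-metachar":
            targets.update(m.rsplit("/", 1)[-1] for m in REDIRECT.findall(value))
    fetched = {value for kind, _, value in alerts if kind == "non-image-fetch"}
    return sorted(targets & fetched)


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("redirect target later fetched:", correlate(found))
```

The second detector is also the hardening hint for the image endpoint: serving only an allowlisted extension from a fixed directory, with no path separators in the name, removes the read-back channel even if the write succeeds.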



Congratulations: Lab Solved

The top of the page in the Intercept Browser will say: "Congratulations, you solved the lab!"



Command Injection with Script

- Open up Visual Studio Code.
- Import command-injection-lab-03.py into Visual Studio Code.
- Click on "Terminal". Then, "New Terminal".



- Change directory to the folder that has command-injection-lab-03.py.
- Type in: ```cd Lab\ 3```
- Run the script against the lab website URL.
- Type in: ```command-injection-lab-03.py "https://0a75006003508c5782895b1800c600c7.web-security-academy.net/" ```
- Result: