Blind OS Command Injection with Output Redirection
Today, we’ll be diving into another blind vulnerability — a scenario more like what you’ll find while testing applications in the real-world.
What does it mean for a vulnerability to be blind? It means the application never shows us the result of our injected command: nothing is reflected in the HTTP response, so the response alone cannot confirm the bug. Instead, we have to rely on our methodology and on out-of-band techniques (here, writing command output to a file we can fetch later) to prove the vulnerability is present.
Objective
There is a writable folder at /var/www/images/ from which the application serves images for the product catalog. Execute the whoami command, write its output into that folder, and then retrieve the file contents.
What is OS Command Injection?
OS Command Injection is a vulnerability where an attacker can execute arbitrary operating system commands on the server through an application's interface. It occurs when user input is concatenated into a command string that is handed to a shell, so shell metacharacters in the input are interpreted as part of the command rather than as data. An attacker who can run commands this way can read sensitive data, pivot to other systems, or take over the host.
If you enjoy this article and want to be the first to see more like it, consider subscribing to my newsletter, the Cybersec Cafe, for free. I post content there first, and here second. Plus, you’ll get it straight to your inbox.
My goal is to deliver you value in various cybersecurity topics each week and to become your ultimate destination for expanding your expertise or for any aspiring cybersecurity professionals to break into the field.
Methodology
Want to give the lab a try yourself and follow along? You can check it out on PortSwigger’s website here for free.
The Recon
The shop we’re met with in this lab is familiar if you’ve read other editions in the series.
There is a single feature that sticks out as irregular though… the Submit Feedback button.
Let’s check it out.
We’re met with a form. As we do in our recon process, it’s best to submit a test request and capture it in Burp.
Let’s kick off an active scan on this endpoint before we click around the rest of the app, to cover our bases and build a full Site Map.
Even though there’s not much exciting going on here, this is one of the most important processes when testing an app, so it’s important to get in the habit of doing it.
We need to make sure we have a full, holistic view of the entire application so we can be sure we’re not missing anything.
It looks like our scans picked up something:
Perfect, a Command Injection on the request!
It looks like we’ve found our injection point. Let’s send this over to the Repeater for Exploitation.
- Today’s Sponsor -
Prepare for a career in Cybersecurity, one sip at a time with The Security Sip. Learn a new cybersecurity topic each day in an order that encourages learning and prepares you to be a cybersecurity professional. Free and Paid Plans Available!
Exploitation
Since we know this is a blind vulnerability, we won’t see the output of any of our tests reflected back to us.
Just as the lab suggests, we’ll be going into this blind.
Let’s make note of a few things before we try to exploit this:
- Shell command separators let us append a second command to whatever the application runs. They don’t all behave the same way: & and ; run the next command unconditionally, && runs it only if the previous command succeeded, and || runs it only if the previous command failed:
&, &&, |, ||, ;
- Redirecting standard output writes a command’s output to a file instead of to the response, which is our way around the lack of reflection:
whoami > /var/www/images/test.txt
So, let’s put it all together for a payload:
||whoami>/var/www/images/test.txt||
The leading || runs whoami if the application’s own command fails (likely, since our input is not a usable argument for it), and the trailing || stops whatever the application appends after our input from breaking the command. Watch the spelling of the command: a typo such as whomai fails silently, and with a blind bug there is no error message to tell you so.
Let’s give it a shot in the email field. In Burp Repeater, URL-encode the payload before sending it in the form body (select it and press Ctrl+U), since raw | and > characters are not safe in application/x-www-form-urlencoded data:
It looks like we got a 200 response, but, as expected, no reflection of the command output.
So, we’ll need to figure out how to retrieve our output from the file.
We know the path we wrote our file to is the directory the application serves product images from. So, to retrieve our file, we first need to see how the application fetches an image and intercept that request.
Let’s click on a product with the Proxy Intercept on. After forwarding the first request, we can see our image retrieval request:
Send this over to Repeater and replace the image filename with our test.txt filename. The response body is the output of whoami: the user account the web application ran our command as.
Lab solved!
What We’ve Learned
In this lab, we saw a basic example of what an attacker can do with a command injection vulnerability. But this is truly only the surface. If an attacker can execute a command like this and retrieve the output, then they can also run much more complex commands to compromise infrastructure and exploit trust relationships. Just like SQL Injection from the last edition, Command Injection is no joke. When you’re developing apps, the fix is not to escape the shell but to avoid invoking one: call the program directly with an argument list, validate input against a strict allowlist before it reaches any command, and run the application with the least privilege it needs so that a successful injection has less to work with.
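To make both the vulnerability described at the start and the defence above concrete, here is the same feedback handler three ways, with the walkthrough’s payload fired at each. This is an added example, not the lab’s code: the mail client is simulated with the `false` command (so the application’s own command always fails, which is what lets the leading `||` fire), and the marker file is written to a temporary directory instead of /var/www/images.

```python
"""Feedback handler: shell-string (vulnerable), argv-only, and allowlist + argv.

Runs the walkthrough's payload against each variant and reports which ones wrote
the attacker's file. POSIX only (needs /bin/sh, `false` and `whoami`).
"""
import os
import re
import subprocess
import tempfile

# Stand-in for the real mail client. `false` always exits non-zero, like a mailer that
# cannot reach its server; that failure is what makes the leading || in the payload fire.
MAILER = "false"


def vulnerable_submit(email: str) -> int:
    # VULNERABLE: user input is spliced into a string that /bin/sh then parses, so the
    # shell sees the || and > inside the input as operators, not as an address.
    cmd = f"{MAILER} -s 'Feedback received' {email} -r noreply@example.com"
    return subprocess.run(cmd, shell=True).returncode


def argv_submit(email: str) -> int:
    # No shell: the mailer receives the input as one argv entry, metacharacters and all.
    # Nothing interprets || or >, so no second command can be smuggled in.
    return subprocess.run([MAILER, "-s", "Feedback received", email,
                           "-r", "noreply@example.com"]).returncode


# Deliberately narrow allowlist for a single address; nothing in it can match | > ; & or space.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def hardened_submit(email: str) -> int:
    # Validate first (bounded length, allowlisted characters), then still avoid the shell.
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        raise ValueError("rejected: not an email address")
    return argv_submit(email)


def demo(outdir: str = "") -> dict:
    outdir = outdir or tempfile.mkdtemp()
    marker = os.path.join(outdir, "test.txt")     # stands in for /var/www/images/test.txt
    payload = f"||whoami>{marker}||"               # the walkthrough's payload, repointed

    vulnerable_submit(payload)
    leaked = ""
    if os.path.exists(marker):
        with open(marker) as fh:
            leaked = fh.read().strip()             # the username the handler ran as
        os.remove(marker)

    argv_submit(payload)
    argv_wrote = os.path.exists(marker)            # expected: False

    try:
        hardened_submit(payload)
        rejected = False
    except ValueError:
        rejected = True                            # expected: True

    return {"vulnerable_leaked": leaked, "argv_wrote_file": argv_wrote,
            "validation_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Swap `false` for `true` in MAILER and the vulnerable variant stops leaking: with a command that succeeds, everything after `||` is skipped. That is the other half of the lesson from the exploitation section, and why `;` or `&` are the safer separators when you cannot predict whether the application's own command will fail.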
—
Remember: The Cybersec Café gets articles first. Subscribe for free here.
Interested in getting into Cybersecurity? I have a course called the Security Sip. The curriculum is designed to help you build skills progressively over 12 sections, 85 modules, and 155 exercises. With rapidly evolving threats and technologies widening the skill gap, it’s time to secure your future in cybersecurity. Available Now!
Oh, and if you want even more content and updates, hop over to Ryan G. Cox on Twitter/X. Can’t wait to keep sharing and learning together!