
OS Command Injection - PortSwigger (LAB-1) | INFOCODX


Hey there, how are you all? I hope everything is going smoothly and everyone is doing fine. Today, we're diving into the exciting world of OS Command Injection labs from PortSwigger. Get ready for some hands-on action!
 

So, the first thing we need to know is what OS command injection actually means.

Command injection is a class of vulnerability in which user-supplied data is handled unsafely and ends up being interpreted as instructions rather than as plain data, letting attackers run commands of their choosing. Injecting JavaScript or HTML code belongs to the same family of injection attacks. OS command injection is the specific case where the injected commands are executed by the operating system of the target server.


Alright, let's begin, shall we?


LAB 1 : OS command injection




This lab contains an OS command injection vulnerability in the product stock checker. The application executes a shell command containing user-supplied product and store IDs, and returns the raw output from the command in its response. To solve the lab, execute the whoami command to determine the name of the current user.
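The lab description above says the application builds a shell command out of the product and store IDs and returns its raw output. The following is an added example, not code from the lab or from PortSwigger, that reproduces that flaw in a small Python stock checker and shows the fix beside it. It assumes the real application calls some internal reporting binary with the two IDs as arguments; here `echo` stands in for that binary so the shell's behaviour can be observed harmlessly. The payload `1;echo INJECTED` is a constructed, benign stand-in for the `1|whoami` style of input used in the lab.

```python
import re
import subprocess

# Assumption: the real stock checker invokes an internal reporting binary with
# the product and store IDs as arguments. `echo` stands in for it here.
STOCK_BINARY = "echo"


def check_stock_vulnerable(product_id: str, store_id: str) -> str:
    """The flaw described in the lab: both IDs are pasted into one command
    string that /bin/sh parses, so any shell metacharacter in either value
    (| ; & $() ...) is honoured by the shell, not treated as part of an ID."""
    command = f"{STOCK_BINARY} {product_id} {store_id}"
    completed = subprocess.run(command, shell=True, capture_output=True, text=True)
    return completed.stdout


def check_stock_argv_only(product_id: str, store_id: str) -> str:
    """Half of the fix: pass an argv list with shell=False. No shell is
    involved, so a payload arrives at the binary as one literal argument.
    Still missing input validation, so garbage IDs are accepted."""
    argv = [STOCK_BINARY, product_id, store_id]
    completed = subprocess.run(argv, capture_output=True, text=True)
    return completed.stdout


# Allowlist for what an ID may look like: 1 to 9 decimal digits, nothing else.
ID_PATTERN = re.compile(r"[0-9]{1,9}")


def validate_id(value: str) -> str:
    """Reject anything that is not a plain decimal ID before it gets near a
    process boundary. fullmatch anchors both ends, so "1|whoami" fails."""
    if ID_PATTERN.fullmatch(value) is None:
        raise ValueError(f"rejected id {value!r}")
    return value


def check_stock_hardened(product_id: str, store_id: str) -> str:
    """The complete fix: validate both IDs against the allowlist, then pass an
    argv list with shell=False. Either layer alone blocks the lab payload;
    together they also keep malformed IDs out of the backend."""
    argv = [STOCK_BINARY, validate_id(product_id), validate_id(store_id)]
    completed = subprocess.run(argv, capture_output=True, text=True)
    return completed.stdout


if __name__ == "__main__":
    payload = "1;echo INJECTED"   # constructed benign stand-in for "1|whoami"
    print("vulnerable :", repr(check_stock_vulnerable("1", payload)))
    print("argv only  :", repr(check_stock_argv_only("1", payload)))
    try:
        check_stock_hardened("1", payload)
    except ValueError as err:
        print("hardened   :", err)
    print("hardened, valid input:", repr(check_stock_hardened("1", "1")))
```

Running it shows the difference directly: the vulnerable version prints `1 1` and then `INJECTED` on its own line because the shell executed a second command, the argv-only version prints the whole payload literally as part of one line, and the hardened version refuses the value before anything is executed.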


We got our hands on a web application in the lab, and boy, does it have a ton of products listed! Take a peek at the picture below to get an idea.



By viewing the details of a product, we can access detailed information about it. When we visit a specific product, a parameter called productId is set. Unfortunately, my attempt at command injection was unsuccessful because the API blocks all special characters. However, there is another functionality that allows us to check stock availability. You can see it in the picture below.




Upon using the stock-check functionality we can see that we get some results, but no parameter in the URL changes. Maybe something hidden is going on in the request that we are not aware of. This is where the tool Burp Suite comes into the picture. Burp Suite is a web proxy tool for analyzing requests, modifying them, and much more.




As we can see in the picture above, when we capture the request for the stock checker we see a hidden parameter called storeId being used to fetch the information. As we have already tested the productId parameter for OS command injection and found it is not vulnerable, it is now time to check the storeId parameter.



Now that we have captured the request in Burp Suite, it is time to test OS command injection on the hidden parameter named storeId. We can use a special character to execute multiple commands at once. As we can see in the picture above, we use a pipe character to execute an OS command on the back-end server to test for command injection. There are many other special characters that we can use, like ‘ and many more. You can test them yourself. As we forward the edited request we can see the result in the picture below.

From the picture above, it's clear that our command ran without any issues. This means we can carry out OS command injection. We can also try other commands such as pwd, uname -a, netstat, and so on.
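The same shell metacharacters used to test the storeId parameter above are what a defender would look for in request logs. The following is an added example, not part of the original post, that scans a constructed request log for numeric-ID parameters whose decoded value is not a plain integer or carries shell metacharacters. The log line format (`timestamp method path "query-or-body"`), the parameter names and every log line are constructed for this example; the `whoami` and `pwd` payloads are the ones the post itself mentions, URL-encoded as a proxy or browser would send them.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample request log (not from the lab). Each line is:
# <timestamp> <method> <path> "<query string or form body>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z GET /product "productId=1"
2024-05-01T10:00:05Z POST /product/stock "productId=1&storeId=1"
2024-05-01T10:00:09Z POST /product/stock "productId=1&storeId=1%7Cwhoami"
2024-05-01T10:00:12Z POST /product/stock "productId=1%3Bpwd&storeId=2"
2024-05-01T10:00:15Z GET /product "productId=3"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

# Parameters the application expects to be plain numeric IDs (assumed names).
NUMERIC_PARAMS = {"productId", "storeId"}

# Characters that let a value end one shell command and start another, or open
# a subshell. A numeric ID has no legitimate reason to contain any of them.
SHELL_META_RE = re.compile(r"[;&|`$(){}<>\n]")


def find_injection_attempts(log_text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, parameter, decoded value) for every numeric-ID
    parameter whose decoded value is not a pure integer or contains shell
    metacharacters. Decoding happens first: the log holds %7C, not |, and a
    check on the raw text would miss it."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match is None:
            continue  # malformed line: skip it rather than mis-parse it
        timestamp, _method, _path, payload = match.groups()
        for name, value in parse_qsl(payload, keep_blank_values=True):
            if name not in NUMERIC_PARAMS:
                continue
            if not value.isdigit() or SHELL_META_RE.search(value):
                hits.append((timestamp, name, value))
    return hits


if __name__ == "__main__":
    for timestamp, name, value in find_injection_attempts(SAMPLE_LOG):
        print(f"{timestamp} suspicious {name}={value!r}")
```

Because the check compares against what the parameter is supposed to be (an integer) rather than only against a blocklist of characters, it also flags values such as `1 2` or `abc` that carry no metacharacter but still would never be produced by the legitimate front end. The metacharacter regex is kept alongside it so an alert can say which kind of anomaly it saw.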


 I want to express my gratitude to each and every one of you for investing your time in reading this. I hope you found it enlightening. If you have any feedback or questions, please share them in the comment section.


Happy hackers!!
