Command Injection · Vulnerabilities

OS command injection, simple case

All are welcome. In this tutorial we will work through one of the OS command injection labs from PortSwigger.

Through this lab you will learn the fundamentals of OS command injection: how the application runs commands and what happens in the background.

The following is the home page of the lab we are going to do.

As seen in the screenshot above, there is a shopping application, and we can click “View details” on a particular product to browse it. So let’s click on the first item, “Adult Space Hopper”.

As we can see in the screenshot above, there is a “Check stock” feature. It lets us check the availability of a particular product in a particular store.

To check the stock for the “London” store, let’s turn on the intercept in the browser, turn off the intercept in Burp Suite, and click the “Check stock” button.

In the HTTP history we can see that the stock check is a POST request carrying two parameters, as shown in the screenshot above: the product ID first and the store ID second.

We now know what the request looks like and how it is executed. Before we begin the lab, let’s go over a few fundamental concepts that will help you understand this vulnerability.

How is the stock check command carried out?

The product ID and store ID are essentially passed to a script, written in whatever language, that runs on the backend server.

Say the script’s name is “stock_check.py” for the time being. The two parameter values are passed to it and it is executed as shown below:

stock_check.py 1 1

Our goal is to make the server run a command of our choosing along with that script. In our case that command is “whoami”.

The second concept is that the “;” symbol separates shell commands, so they are executed one after the other. For instance, the following runs two commands in sequence:

command1 ; command2

In this manner, we can execute two or more commands sequentially.

By combining these two concepts, we can solve the lab.

Now that we know how the stock check is carried out in the background, we need to manipulate the request so that the command we provide gets executed. To do that, first send the POST request to Repeater.

To execute our command, we modify the “storeID” parameter. The value we pass in “storeID” is shown below:

3 ; whoami

Consequently, the command line executed on the backend becomes:

stock_check.py 1 3 ; whoami

As a result, the “whoami” command is run after the first command, and the output of both commands is then displayed on the web page.
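To make the backend behaviour concrete, here is an added Python example (not part of the lab or of PortSwigger’s code). It builds the shell string the way a vulnerable backend does, shows how the shell tokenizes it, and then gives the hardened form: an allow-list check on both IDs and invocation via an argument list with no shell in between. The script name stock_check.py is the hypothetical one used above; the ID format and the metacharacter set are assumptions.

```python
import re
import shlex
import subprocess
from typing import List, Set

# Assumption (not from the lab): a legitimate product/store ID is a short
# positive integer, so anything else is rejected outright.
ID_PATTERN = re.compile(r"[0-9]{1,9}")
SHELL_METACHARS = set(";|&`$()<>\n")


def build_vulnerable_command(product_id: str, store_id: str) -> str:
    """The shape of the bug: request values are pasted into one shell string.
    Returned rather than executed so the problem can be inspected safely."""
    return f"stock_check.py {product_id} {store_id}"


def shell_tokens(command: str) -> List[str]:
    """Tokenize the way /bin/sh would: ';' becomes a token of its own, i.e. a
    command separator, not part of the store ID."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def validate_id(value: str, name: str) -> str:
    """Allow-list check: reject anything that is not a plain integer."""
    if not ID_PATTERN.fullmatch(value):
        raise ValueError(f"invalid {name}: {value!r}")
    return value


def safe_stock_check_argv(product_id: str, store_id: str) -> List[str]:
    """Hardened form: validated values travel as separate argv entries and
    never through a shell, so a ';' cannot start a second command."""
    return ["python3", "stock_check.py",
            validate_id(product_id, "productId"),
            validate_id(store_id, "storeId")]


def run_stock_check(product_id: str, store_id: str) -> str:
    """Invoke the (hypothetical) backend script without shell=True."""
    argv = safe_stock_check_argv(product_id, store_id)
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def suspicious_metachars(value: str) -> Set[str]:
    """Detection aid for request logs: which shell metacharacters appear in a
    parameter that should only ever hold digits."""
    return SHELL_METACHARS & set(value)
```

The same validation belongs in the web layer before the value ever reaches the script, and `suspicious_metachars` is the kind of check a log review or WAF rule can apply to the storeId parameter.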



After our value is submitted, the output of the command is displayed on the web page: the current user is “peter-TjOkBm”.

The lab is thus solved, as shown in the screenshot below.

I hope you gain something from it.

Thank you

Pate Krutagn,
