Command Injection Attacker
This extension is a customizable payload generator, suitable for detecting OS command injection flaws during dynamic testing - which is usually conducted with no access to the source code or the filesystem. Creation of SUCCESSFUL payloads in this kind of assessments requires a lot of guesswork, especially:
- The eventual syntax of the expression we are injecting into (e.g. quoted expressions)
- Input sanitizing mechanisms rejecting individual characters (e.g. spaces)
- Platform-specific conditions (e.g. there is no "sleep" on windows)
- Callback method (e.g. asynchronous execution, no outbound traffic allowed)
The purpose of creating this tool was to reach the non-trivial OS command injection cases, which stay undetected by generally known and used tools and sets of payloads.
|Author||Julian Horoszkiewicz, Secarma Ltd.|
|Last updated||27 June 2018|
You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.
|You can view the source code for this BApp by visiting our GitHub page.|
|Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.|
Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.