Lab: OS Command Injection
This lab demonstrates a server-side vulnerability in which a request to the server causes it to execute arbitrary OS commands. These flaws are generally the result of user-supplied data being concatenated into a shell command without proper sanitization, and they can hand the attacker complete control of the server.
I begin the lab by loading the website and looking around:
I couldn't find an account page, so I choose a random product, where I find a stock check option. I press it and look at the intercepted request:
The request sends two parameters, which are likely passed to a back-end program. I send it to Repeater to play around with different inputs and see if I can elicit any response:
After a few tries with random inputs I find the username, albeit a bit unconventionally.
But this could also just be the directory the program is running from, not necessarily the user ID it runs as, so to verify I try a few ways of sending `whoami`:
After a few unsuccessful tries, I look at the request parameters and figure out that I had accidentally been sending the command as a separate request parameter: the literal `&` in the body was being treated as a parameter separator, so the injected text never reached the shell.
So I look up the URL-encoded form of `&` in Decoder, which turns out to be `%26`. Encoded this way, the body parser keeps the `&` inside the parameter value, and only the shell on the server interprets it as a command separator. Now I use this to test whether I can execute commands by trying a basic `echo`:
This works, so I send `whoami` to verify the user the application runs as:
This confirms my initial finding, so I submit the username and complete the lab.
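The two things that made the attack work, the `%26` encoding and the server building a shell string from the parameters, are easier to see side by side. The following is an added example, not the lab's code or PortSwigger's: a hypothetical stock-check handler where a plain `echo` stands in for the lab's unknown back-end binary, first in the vulnerable form (string concatenation into `shell=True`) and then hardened with an allow-list check and an argv list. `parse_body` mimics how a web framework splits a form body, and the example assumes a POSIX `/bin/sh`.

```python
"""Constructed stand-in for the lab's stock-check endpoint (not PortSwigger's code).

The real lab hands productId/storeId to an unknown back-end binary; here a plain
`echo` plays that role so the example runs anywhere with /bin/sh.
"""
import subprocess
from urllib.parse import parse_qs, quote


def parse_body(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body the way a web framework does.

    A literal '&' splits fields, so anything after it becomes a new parameter
    name rather than part of the previous value.
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def encode_payload(legit_value: str, injected_cmd: str) -> str:
    """Build a parameter value as in the write-up: the legitimate value, then '&'
    and the command, URL-encoded so the '&' (%26) survives body parsing and
    only gets interpreted by the shell on the server."""
    return legit_value + quote("&" + injected_cmd)


def stock_check_vulnerable(product_id: str, store_id: str) -> str:
    """Vulnerable handler: untrusted values are concatenated into a shell string."""
    cmd = f"echo stock {product_id} {store_id}"  # hypothetical stock checker
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def stock_check_fixed(product_id: str, store_id: str) -> str:
    """Hardened handler: allow-list the input, then pass each value as a single
    argv element with no shell, so metacharacters are never interpreted."""
    if not (product_id.isdigit() and store_id.isdigit()):
        raise ValueError("productId and storeId must be numeric")
    proc = subprocess.run(["echo", "stock", product_id, store_id],
                          capture_output=True, text=True)
    return proc.stdout


def fixed_rejects(product_id: str, store_id: str) -> bool:
    """True if the hardened handler refuses the input."""
    try:
        stock_check_fixed(product_id, store_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # 1. A bare '&' creates a third parameter and never touches the shell
    #    (the write-up's first, failed attempts).
    print(parse_body("productId=1&storeId=1&echo injected"))
    # 2. Encoding '&' as %26 keeps the whole payload inside storeId...
    body = "productId=1&storeId=" + encode_payload("1", "echo injected")
    params = parse_body(body)
    print(params)
    # 3. ...and the vulnerable handler then runs both commands.
    print(stock_check_vulnerable(params["productId"], params["storeId"]))
    # 4. The hardened handler rejects the same value outright.
    print(fixed_rejects(params["productId"], params["storeId"]))
```

Two details worth noting from running it: a single `&` in `sh` backgrounds the command before it, so the two output lines can arrive in either order; `;`, `&&`, `||`, `|` and a URL-encoded newline (`%0a`) are other separators that would need the same `%26`-style encoding treatment in a form body. The fix matters in both halves: even without the allow-list, the argv form would print the payload literally instead of executing it, but the numeric check also stops the value ever reaching a program that might parse it further.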