Web Security Academy

Blind OS command injection with time delays

Fahri Korkmaz
2 min read · Nov 6, 2022

This lab is part of the Web Security Academy by PortSwigger, in the category “OS command injection”. This time the command injection is blind: the command output is never returned in the response, so the only way to confirm it is a side effect such as a time delay. When opening the web page, we see a web shop with some items.

But this time, the web shop has a “Submit feedback” link. Opening it leads to a form where we can submit a name, email, subject and message.

I suspected that this form uses a shell command to save the data, something like echo "data" > file.txt . So I injected the following payload into the “Name” input field: test" && sleep 10 #

This payload worked and I was able to complete the challenge.

Mitigation

Instead of running an OS command to save the data, use the language's own functions. Every programming language has functions to interact with the file system, and they never pass user input through a shell. If a command is genuinely unavoidable, pass its arguments as a list so that no shell parses them, and validate the input against an allowlist. Escaping or filtering command-joining symbols such as && and || is only a last resort: a blocklist also has to cover ; , | , newlines, $( ) and backticks, and it is easy to get wrong.
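As an added example (not the lab's own backend, which is never shown), the following Python sketch reproduces the guessed echo "data" > file.txt pattern beside three safer variants and runs the payload from the write-up against each. The delay is shortened from 10 to 2 seconds, the file paths are temporary, and the function names are my own; it assumes a POSIX shell and the tee utility are available.

```python
"""Vulnerable vs. hardened feedback-saving backends for the guessed
echo "data" > file.txt pattern. Added example; not PortSwigger's lab code.
Assumes a POSIX shell (sh) and the tee(1) utility are available."""
import shlex
import subprocess
import tempfile
import time
from pathlib import Path

# Constructed sample input: the payload from the write-up, with the delay
# shortened from 10 s to 2 s so the demonstration finishes quickly.
INJECTED_NAME = 'test" && sleep 2 #'
MESSAGE = "great shop"


def build_command_vulnerable(name: str, message: str, path: Path) -> str:
    """Splice user input straight into a shell command string (the bug)."""
    return f'echo "{name}: {message}" > {path}'


def save_feedback_vulnerable(name: str, message: str, path: Path) -> float:
    """Run the spliced command through /bin/sh; return wall-clock seconds taken.
    With INJECTED_NAME the shell sees: echo "test" && sleep 2 #: great shop" > ...
    so the string is closed early, sleep runs, and # discards the rest
    (including the redirect, so nothing is ever written to the file)."""
    cmd = build_command_vulnerable(name, message, path)
    start = time.monotonic()
    subprocess.run(cmd, shell=True, check=False, stdout=subprocess.DEVNULL)
    return time.monotonic() - start


def save_feedback_escaped(name: str, message: str, path: Path) -> float:
    """Still shells out, but shlex.quote() wraps each value so metacharacters
    (&&, ||, ;, |, $(), backticks, newlines) are data, not syntax."""
    data = f"{name}: {message}"
    cmd = f"echo {shlex.quote(data)} > {shlex.quote(str(path))}"
    start = time.monotonic()
    subprocess.run(cmd, shell=True, check=False)
    return time.monotonic() - start


def save_feedback_argv(name: str, message: str, path: Path) -> float:
    """If a program must be invoked, pass an argument list and no shell:
    tee receives the path as one argv entry and the data on stdin, so no
    shell ever parses the user input."""
    start = time.monotonic()
    subprocess.run(["tee", "-a", str(path)],
                   input=f"{name}: {message}\n".encode(),
                   stdout=subprocess.DEVNULL, check=False)
    return time.monotonic() - start


def save_feedback_native(name: str, message: str, path: Path) -> float:
    """The fix the write-up recommends: the language's own file API."""
    start = time.monotonic()
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(f"{name}: {message}\n")
    return time.monotonic() - start


def demo() -> dict:
    """Run all four variants on the same payload; return (seconds, stored text)
    per variant. Only the vulnerable one pauses, and only it loses the data."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, fn in [("vulnerable", save_feedback_vulnerable),
                          ("escaped", save_feedback_escaped),
                          ("argv", save_feedback_argv),
                          ("native", save_feedback_native)]:
            out = Path(tmp) / f"{label}.txt"
            elapsed = fn(INJECTED_NAME, MESSAGE, out)
            stored = out.read_text() if out.exists() else ""
            results[label] = (round(elapsed, 1), stored)
    return results


if __name__ == "__main__":
    for label, (elapsed, stored) in demo().items():
        print(f"{label:11s} {elapsed:4.1f}s stored={stored!r}")
```

The timing difference is exactly what the blind technique relies on: the vulnerable variant takes about two seconds longer and the response carries no other evidence. The three safe variants store the payload literally, which is also a useful regression check to keep in a test suite.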
