Web Security Academy

Blind OS command injection with time delays

This lab is part of the Web Security Academy by PortSwigger, in the category “OS command injection”. This time we have to exploit a blind command injection vulnerability. When opening the web page, we see a web shop with some items.

But this time the web shop has a “Submit feedback” page. Opening it takes us to a form where we can submit a name, an email, a subject and a message.

I suspected that this form uses a bash command to save the data, something like . So I injected the following payload into the “Name” input field: .

This payload worked and I was able to complete the challenge.

Mitigation

Instead of using OS commands to save the data, use the language's own file-system functions: every programming language can read and write files without invoking a shell, so user input never becomes part of a command line. Also escape or filter command-joining symbols such as , etc.
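To make the mitigation concrete, here is an added Python example (not code from the lab or from PortSwigger; the lab's real backend is not shown on this page, so the vulnerable pattern is an assumption). It contrasts a feedback handler that pastes the fields into a shell command with one that appends to the file through Python's own file API, and adds a small metacharacter check as defence in depth. The file path, the record format and the set of characters in `SHELL_META` are all my own choices.

```python
import os
import re
import subprocess
import tempfile


def format_record(name, email, subject, message):
    """Build the single line stored for one feedback submission.

    Newlines are collapsed so one submission cannot forge extra records.
    """
    fields = [str(f).replace("\r", " ").replace("\n", " ")
              for f in (name, email, subject, message)]
    return "{} <{}>: {} - {}".format(*fields)


def save_feedback_unsafe(path, name, email, subject, message):
    """Vulnerable pattern (assumed, shown for contrast only, never called here).

    The fields are interpolated into a shell command line, so any shell
    metacharacter inside a field is interpreted by the shell instead of
    being stored as data.
    """
    cmd = 'echo "{}" >> {}'.format(format_record(name, email, subject, message), path)
    subprocess.run(cmd, shell=True, check=True)


def save_feedback_safe(path, name, email, subject, message):
    """Hardened form: append with the language's file API.

    No shell is started, so the content of the fields is data and nothing
    else; a ';' or '&' in the name is written literally.
    """
    line = format_record(name, email, subject, message)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line


# Defence in depth: characters that join, substitute or redirect commands in
# a POSIX shell. (The page's own list is elided; this set is an assumption.)
SHELL_META = re.compile(r"[;&|`$<>(){}\\]")


def contains_shell_metachars(value):
    """True if the value holds a character a shell would treat specially."""
    return SHELL_META.search(value) is not None


def read_records(path):
    """Return the stored feedback lines."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().splitlines()


def demo_round_trip():
    """Store a constructed submission containing metacharacters via the safe
    handler and return (line_written, records_on_disk, flagged)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "feedback.txt")
        # Constructed sample input: a name that a shell would split on ';'.
        line = save_feedback_safe(path, "Alice; echo x", "a@example.com",
                                  "Hi", "Thanks & bye")
        records = read_records(path)
    return line, records, contains_shell_metachars("Alice; echo x")


if __name__ == "__main__":
    line, records, flagged = demo_round_trip()
    print("stored:", records)
    print("flagged as containing shell metacharacters:", flagged)
```

The safe handler does not need the metacharacter check to be secure; the check is there for fields that have no business containing such characters (a person's name, a subject line), so that a request carrying them can be rejected and logged as suspicious before it reaches any backend.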

Rabbit

Passionate about Cyber Security. I am publishing CTF Writeups and Cybersecurity Content!