🗂️PortSwigger Lab Writeup: Blind OS Command Injection with Output Redirection

[Screenshot: PortSwigger lab description page for Blind Command Injection – Output Redirection]


🎯 Objective

The objective of this lab is to exploit a blind OS command injection in a web application that executes a shell command containing user-supplied input from the feedback page. Our goal is to redirect the output of whoami into a file and then retrieve that file.

  • Lab URL: https://portswigger.net/web-security/os-command-injection/lab-blind-output-redirection
  • Category: Command Injection
  • Difficulty: Practitioner

💉 Payloads Used

  • Used as a value for the email parameter - ✅
hacker@gmail.com& whoami > /var/www/images/whoami.txt ||

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • First, open the lab URL in your browser and observe what the site is about and how it works.
    [Screenshot: lab instance showing the shopping website interface with the feedback page]
    [Screenshot: the lab's vulnerable feedback page]
  • At first glance, the website appears to be a shop selling unusual, unrelated products, and it has a feedback page. The lab description states that the vulnerability is in the feedback function.

🧰Step 2: Capture Requests in BurpSuite

  • Start Burp Suite and reload the website to capture the requests.
  • Send the POST request from the feedback page to the Repeater tab with CTRL + R.
    [Screenshot: Burp Suite Repeater showing the intercepted POST request with the email parameter used for injection]

🚀Step 3: Send the Payload

  • We will use the payload & whoami > /var/www/images/whoami.txt || as the value of the email parameter, since the email value is most likely inserted directly into a shell command without any sanitization.
  • This payload sends the shell command the application was already running to the background and runs our command, whoami > /var/www/images/whoami.txt, in the foreground, which writes the output of whoami into the file whoami.txt.
  • & backgrounds the preceding command so that our command runs in the foreground.
  • > redirects the output of the whoami command into the file /var/www/images/whoami.txt.
  • || makes whatever the application appends after our input run only if our command fails; when whoami succeeds, that trailing part of the original command is skipped.
  • Before sending the payload, it must be URL encoded, like this: hacker%40gmail.com%26%20%77%68%6f%61%6d%69%20%3e%20%2f%76%61%72%2f%77%77%77%2f%69%6d%61%67%65%73%2f%77%68%6f%61%6d%69%2e%74%78%74%20%7c%7c
    [Screenshot: HTTP 200 OK response in Burp Suite, indicating the injected command was executed]
  • We got a 200 OK response, which might indicate that our payload executed successfully, but to confirm this we need to retrieve the whoami.txt file.
  • Now we retrieve the whoami.txt file from the website to complete the lab.
    [Screenshot: the redirected output file]
  • 💥 Boom! We retrieved the username using output redirection.
  • Finally, the lab is solved.
    [Screenshot: solved confirmation message for the PortSwigger lab]

🧠 Conclusion

  • This lab demonstrated how a blind OS command injection vulnerability in the email parameter can be exploited using output redirection. By injecting & whoami > /var/www/images/whoami.txt ||, we successfully redirected the command output into a file and retrieved it from the web server.
  • Such vulnerabilities can have a critical impact, as attackers could redirect sensitive data (like /etc/passwd), drop backdoors, or overwrite important files.
  • This highlights the importance of validating and sanitizing user input and avoiding direct command execution with unsanitized parameters.
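The root cause and the fixes the conclusion calls for, shown side by side as an added example (this is not code from the writeup or from the lab; the feedback handler and its mail command are assumed placeholders). The vulnerable function builds a command string by interpolating the raw email parameter, which is exactly how the payload above becomes shell syntax. The hardened functions show two independent mitigations: an allow-list check that rejects anything not shaped like a single address, and passing the value as its own argv element with shell=False so no shell ever parses it. shlex.quote() is included as the fallback for code that genuinely cannot avoid a shell.

```python
import re
import shlex
import subprocess
import sys
from typing import List

# Constructed sample: the exact value the writeup sends in the email parameter.
INJECTED_EMAIL = "hacker@gmail.com& whoami > /var/www/images/whoami.txt ||"

# Deliberately strict allow-list for an email-shaped string. Nothing in this
# character set is a shell operator, so & > | ; $ ` and whitespace all fail it.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_shell_command_vulnerable(email: str) -> str:
    """The anti-pattern behind the lab (hypothetical handler): interpolate the
    raw parameter into one string that is later handed to /bin/sh.
    Only the string is built here; it is never executed."""
    return f"mail -s 'Site feedback' {email}"


def validate_email(email: str) -> bool:
    """Allow-list check: the whole value must match, not just a prefix."""
    return EMAIL_RE.fullmatch(email) is not None


def build_argv_safe(email: str) -> List[str]:
    """Hardened form: validate, then pass the value as its own argv element
    (to be run with shell=False), so the kernel delivers it to the program
    unchanged and no shell gets a chance to interpret it."""
    if not validate_email(email):
        raise ValueError("rejected: email parameter is not a plain address")
    return ["mail", "-s", "Site feedback", email]


def quote_for_shell(email: str) -> str:
    """Fallback when a shell cannot be avoided: shlex.quote() single-quotes
    the value so & > and || are literal characters, not operators."""
    return shlex.quote(email)


def argv_passes_literally(value: str) -> str:
    """Spawn a child with shell=False and return the argument it received.
    Demonstrates that without a shell the metacharacters are never parsed:
    the whole payload arrives as one opaque string."""
    child = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", value],
        capture_output=True,
        text=True,
        check=True,
    )
    return child.stdout


if __name__ == "__main__":
    print("vulnerable string :", build_shell_command_vulnerable(INJECTED_EMAIL))
    print("validate_email    :", validate_email(INJECTED_EMAIL))
    print("shlex.quote       :", quote_for_shell(INJECTED_EMAIL))
    print("argv delivered    :", repr(argv_passes_literally(INJECTED_EMAIL)))
    try:
        build_argv_safe(INJECTED_EMAIL)
    except ValueError as exc:
        print("build_argv_safe   :", exc)
```

Running the script prints the interpolated command string with the & and > embedded, shows the validator rejecting the payload, shows the single-quoted form shlex.quote() would hand to a shell, and shows the child process receiving the payload as one literal argument. Validation and shell avoidance are independent: keep both, because a later refactor that quietly reintroduces shell=True is then still covered by the allow-list.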