
🗂️PortSwigger Lab Writeup: Blind OS Command Injection with Time Delays

[Screenshot: PortSwigger lab description page for Blind Command Injection – Time Delays]


🎯 Objective

The objective of this lab is to exploit a blind OS command injection in a web application that executes a shell command containing user-supplied input from the feedback page. Our goal is to cause a 10 second delay.

  • Lab URL: https://portswigger.net/web-security/os-command-injection/lab-blind-time-delays
  • Category: Command Injection
  • Difficulty: Practitioner

💉 Payloads Used

  • Used as the value of the email parameter - ✅
    hacker@gmail.com& ping -c 10 127.0.0.1 ||

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • First, open the lab URL in your browser and observe what the application is about and how it works.
    [Screenshot: Lab instance showing shopping website interface with feedback page]
    [Screenshot: Lab instance vulnerable feedback page]
  • At first glance, the website seems to be a shopping website selling very unusual and unrelated products, and it also has a feedback page. The lab description mentions that the vulnerability is in the feedback function.

🧰Step 2: Capture Requests in BurpSuite

  • Start Burp Suite and reload the website to capture requests.
  • Send the request containing the feedback page's POST data to the Repeater tab using Ctrl + R.
    [Screenshot: Burp Suite Repeater showing intercepted feedback POST request with email parameter]

🚀Step 3: Send the Payload

  • We will use the payload & ping -c 10 127.0.0.1 || as the value of the email parameter, because it is most likely that the email is inserted directly into the shell command without any sanitization.
  • This payload forces the shell command the web application already executes into the background and runs our command ping -c 10 127.0.0.1 immediately in the foreground, which causes a 10 second delay in execution.
  • & backgrounds the command before it, so the command we supply after it runs in the foreground.
  • || makes the shell run whatever follows our command only if our command fails, so any text the application appends after our input is effectively ignored.
  • Before sending the payload it is necessary to URL encode it (in particular the & must become %26, otherwise the server treats it as a form-field separator), like this: hacker%40gmail.com%26%20%70%69%6e%67%20%2d%63%20%31%30%20%31%32%37%2e%30%2e%30%2e%31%20%7c%7c
    [Screenshot: Successful blind OS command injection causing 10 second delay, confirming server-side command execution]
  • And 💥 Booom! We were able to cause a 10 second delay.
  • And finally, the lab is solved.
    [Screenshot: Solved confirmation message for PortSwigger lab]
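From the defender's side, the URL-encoded payload above is exactly what a WAF or request log would record. The following is an added example (not part of the original writeup or of PortSwigger's lab) that decodes form bodies and flags a parameter when it combines a shell control operator with a delay command such as sleep or ping. The sample bodies, the parameter names and the rule thresholds are all constructed for the example; the first body carries the lab's encoded payload.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample POST bodies (not real traffic). Body 0 carries the lab's
# URL-encoded payload, body 1 is benign, body 2 is a double-encoded variant.
SAMPLE_BODIES = [
    "csrf=abc123&name=Alice&email=hacker%40gmail.com%26%20%70%69%6e%67%20%2d%63"
    "%20%31%30%20%31%32%37%2e%30%2e%30%2e%31%20%7c%7c&subject=hi&message=test",
    "csrf=abc123&name=Bob&email=bob%40example.com&subject=Order"
    "&message=Where+is+my+order%3F",
    "csrf=abc123&name=Eve&email=eve%2540example.com%253B%2Bsleep%2B10%2B%2523"
    "&subject=x&message=y",
]

# Shell control operators that terminate or chain commands.
SHELL_OPERATORS = re.compile(r"[;&|`$\n]")
# Commands commonly used to introduce a measurable delay in blind injection.
# This is a heuristic: a benign message like "ping me & I'll reply" also
# matches, so treat hits as review candidates, not verdicts.
DELAY_COMMANDS = re.compile(r"\b(sleep|ping|timeout)\b", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """URL-decode until the value stops changing, so double-encoded
    payloads (%2526 -> %26 -> &) are inspected in their final form."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_time_delay_injections(body):
    """Return [(param, decoded_value)] for every parameter whose decoded
    value contains both a shell operator and a delay command."""
    hits = []
    # parse_qs splits on the raw '&' first, so an encoded %26 inside a value
    # survives as data and is only turned into '&' by the decode step.
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for raw in values:
            value = fully_decode(raw)
            if SHELL_OPERATORS.search(value) and DELAY_COMMANDS.search(value):
                hits.append((param, value))
    return hits


def scan(bodies):
    """Map body index -> list of suspicious (param, value) pairs."""
    return {i: find_time_delay_injections(b) for i, b in enumerate(bodies)}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_BODIES).items():
        for param, value in hits:
            print(f"body {idx}: suspicious {param}={value!r}")
```

Running the script reports body 0 and body 2 on their email parameter and stays silent on body 1. The decode loop matters: a single unquote would leave body 2 looking like harmless percent-text.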

🧠 Conclusion

  • This lab demonstrated how a blind OS command injection in the email parameter can be exploited without any direct output. By injecting a time-based payload (& ping -c 10 127.0.0.1 ||), we caused a 10-second delay, confirming that arbitrary commands were executed on the server.
  • Such vulnerabilities can have a serious impact - an attacker could use different payloads to extract data, chain further commands, or even establish persistent access to the system.
  • This highlights the importance of proper input validation and sanitization, and the need to avoid passing user input directly into system commands.
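To make the last point concrete, here is an added example (not code from the writeup or from the lab itself) showing the vulnerable pattern next to two hardened forms in Python. The mail command, the "Site feedback" subject, the email allow-list regex and the use of echo as a stand-in are all assumptions made for the example; the only input that comes from the page is the lab's payload.

```python
import re
import shlex
import subprocess
import time

# Constructed input: the lab's payload as the server sees it after the
# form body has been URL-decoded.
PAYLOAD = "hacker@gmail.com& ping -c 10 127.0.0.1 ||"

# Deliberately strict allow-list for what an email field may contain.
# It is not RFC 5322-complete; the point is that shell metacharacters
# never get past it. (Assumed policy for this example.)
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_valid_email(value):
    return EMAIL_RE.fullmatch(value) is not None


def build_vulnerable_command(email):
    """The anti-pattern the lab exploits: user input concatenated into one
    string that is handed to a shell. Returned here, never executed: with
    PAYLOAD the shell would see the mail command backgrounded by '&' and
    then run ping in the foreground."""
    return f"mail -s 'Site feedback' {email}"


def build_safe_argv(email):
    """Hardened form 1: validate first, then build an argument vector.
    With no shell involved, '&', '|' and the rest are ordinary characters
    inside a single argument."""
    if not is_valid_email(email):
        raise ValueError("rejected: not a plausible email address")
    return ["mail", "-s", "Site feedback", email]


def shell_quoted(value):
    """Hardened form 2, for the rare case a shell string is unavoidable:
    shlex.quote wraps the value so the shell treats it as one literal word."""
    return shlex.quote(value)


def pass_as_single_argument(value):
    """Show that the argv route is inert even for the raw payload: run
    'echo' (standing in for 'mail') with the payload as one argument and
    return (stdout, elapsed_seconds). No ping runs, so there is no delay."""
    start = time.monotonic()
    result = subprocess.run(["echo", value], capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n"), time.monotonic() - start


if __name__ == "__main__":
    print("vulnerable string:", build_vulnerable_command(PAYLOAD))
    print("valid email?      ", is_valid_email(PAYLOAD))
    print("quoted for shell: ", shell_quoted(PAYLOAD))
    out, secs = pass_as_single_argument(PAYLOAD)
    print(f"argv echo -> {out!r} in {secs:.2f}s")
```

The two layers are independent: the allow-list rejects the payload before any command is built, and the argv form would neutralise it even if validation were missing. Prefer the argv form everywhere; reach for shlex.quote only when a shell string truly cannot be avoided.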