OS Command Injection
Last updated
We can see that it is an ordinary online store:
If we open a product and scroll down to the bottom, we can see that there is a stock check:
We open BurpSuite and intercept the request that is sent when we click Check stock, to see what is going on behind the scenes:
We can see that it is sent by POST. We will try to execute the sleep command to delay the response by 5 seconds; to do this, we send the request to the Repeater:
Now we will try to concatenate a command through the storeId parameter:
With & whoami it does not work, so we try a pipe | to chain commands, so that the output of the first command is used as input for the second:
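To make the root cause and the fix concrete, here is an added example (not code from the lab or from the original write-up) showing the pattern that makes the storeId parameter injectable, the hardened version of the same stock check, and a small detector that flags request bodies carrying shell metacharacters. The backend script path /usr/local/bin/stockreport, the productId parameter name and the sample request bodies are assumptions constructed for the example; only storeId and the stock-check request appear on the page.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Hypothetical backend helper; the page does not show the lab's real stock script.
STOCK_SCRIPT = "/usr/local/bin/stockreport"


# --- Vulnerable pattern --------------------------------------------------
def build_vulnerable_command(product_id, store_id):
    """User-controlled values are interpolated into a single shell string.

    A storeId of "1 | whoami" becomes part of the command line, and the shell
    parses the pipe as a second command. "1 & sleep 5" behaves the same way.
    """
    return f"{STOCK_SCRIPT} {product_id} {store_id}"


def run_vulnerable(product_id, store_id):
    # shell=True hands the whole string to /bin/sh, which is what makes the
    # injected separator effective. Shown only to contrast with run_safe().
    return subprocess.run(
        build_vulnerable_command(product_id, store_id),
        shell=True, capture_output=True, text=True,
    ).stdout


# --- Hardened pattern ----------------------------------------------------
# Store and product identifiers are expected to be small positive integers,
# so validate against that exact shape instead of trying to blacklist characters.
ID_RE = re.compile(r"^[0-9]{1,6}$")


def validate_id(value, name):
    """Return the integer value of an identifier, or raise on anything else."""
    if not ID_RE.fullmatch(value):
        raise ValueError(f"{name} must be a 1-6 digit number")
    return int(value)


def build_safe_argv(product_id, store_id):
    """Build an argv list: arguments go straight to execve, no shell involved."""
    return [
        STOCK_SCRIPT,
        str(validate_id(product_id, "productId")),
        str(validate_id(store_id, "storeId")),
    ]


def run_safe(product_id, store_id):
    # shell=False (the default) plus a list means metacharacters are never parsed.
    return subprocess.run(
        build_safe_argv(product_id, store_id), capture_output=True, text=True
    ).stdout


# --- Detection -----------------------------------------------------------
# Characters that a POSIX shell treats as command separators or substitutions.
SHELL_META = re.compile(r"[;&|`$()\n<>]")


def suspicious_params(body):
    """Return {param: value} for form-encoded body values containing shell metacharacters.

    The body is decoded the same way the server would decode it, so an
    URL-encoded separator (e.g. %26 for &) is inspected in its decoded form.
    """
    flagged = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            if SHELL_META.search(value):
                flagged[name] = value
    return flagged


# Constructed sample request bodies for the stock-check endpoint (not captured traffic).
SAMPLE_BODIES = [
    "productId=1&storeId=1",                 # benign
    "productId=1&storeId=1|whoami",          # pipe injected into storeId
    "productId=1&storeId=1%26sleep+5",       # "1&sleep 5", separator URL-encoded
]


def scan_samples():
    """Run the detector over the constructed bodies and return the flagged ones."""
    return [suspicious_params(body) for body in SAMPLE_BODIES]


if __name__ == "__main__":
    print("vulnerable command line:", build_vulnerable_command("1", "1 | whoami"))
    print("safe argv:", build_safe_argv("1", "1"))
    for body, hit in zip(SAMPLE_BODIES, scan_samples()):
        print(f"{body!r:40} -> {hit or 'clean'}")
```

The hardened path does two independent things: it validates storeId against the only shape the application expects, and it passes arguments as a list so that even a validation mistake cannot reach a shell parser. The detector is intentionally simple; because it parses the body like the server does, a raw & in the body is consumed as a parameter separator and only reaches the backend value if it was encoded, which is why the third sample decodes to "1&sleep 5".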
In development...