In this post, we’re going to solve the PortSwigger lab: “OS command injection, simple case”.

OS command injection lab cover

To solve the lab, we need to execute the whoami command on the server. To do this, we need to exploit the OS Command Injection vulnerability found in the product stock checking feature.

So let’s navigate to any product on the website:

Product page in the lab

Inside the selected product, we can see that it has a section to check the stock:

Section to check product stock

If we click on it:

Stock check result

It simply shows us the product stock. Now, let’s intercept the request that the client makes when clicking this button, and at the same time, prepare Burp Suite to receive it:

Burp Suite configuration for interception

Activating intercept in Burp Suite

Preparation to capture the request

Request intercepted in Burp Suite

Once the request is intercepted, we send it to the Repeater by pressing Ctrl + R:

Request sent to Repeater

As we can see, it’s a normal request. However, let’s try changing the value of storeId:

Modifying the storeId value

We see an error from sh, which tells us that the value of storeId is being passed into a command that the server runs through the system shell. Knowing this, we can try a fairly simple OS command injection:

Executing whoami on the server

In this case a semicolon is enough: the shell treats it as a command separator, so whoami is isolated from whatever command precedes it and is executed as a command of its own. This way, we successfully solve the lab:

Lab solved
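To see why the sh error and the semicolon behave as they do on the server side, here is an added illustration of the bug class behind this lab (not PortSwigger's own lab code, which is not published): a handler that concatenates storeId into a shell string next to a hardened version that validates the parameter and invokes the program without a shell. The tool path is an assumed placeholder.

```python
import re
import shlex
import subprocess

# Assumed placeholder for whatever program the lab calls; not the lab's real path.
STOCK_TOOL = "/usr/local/bin/stockreport"


def build_vulnerable_command(product_id: str, store_id: str) -> str:
    # Vulnerable pattern: request parameters are spliced into a string that
    # is later handed to "sh -c". Anything the shell treats specially in
    # store_id (such as ';') is interpreted, which is what the lab exploits.
    return f"{STOCK_TOOL} {product_id} {store_id}"


def shell_tokens(command: str) -> list[str]:
    # Shows how a POSIX shell tokenises the concatenated string: ';' becomes
    # its own token, ending the intended command and starting a new one.
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def is_valid_id(value: str) -> bool:
    # Allow-list check: the stock feature only ever sends small decimal
    # integers, so anything else is rejected outright.
    return re.fullmatch(r"[0-9]{1,6}", value) is not None


def build_safe_argv(product_id: str, store_id: str) -> list[str]:
    # Hardened version: validate each parameter, then build an argv list.
    # With a list and shell=False no shell ever parses these values, so a
    # metacharacter could not start a second command even if it got through.
    for name, value in (("productId", product_id), ("storeId", store_id)):
        if not is_valid_id(value):
            raise ValueError(f"rejected {name} value: {value!r}")
    return [STOCK_TOOL, product_id, store_id]


def check_stock(product_id: str, store_id: str) -> str:
    # Runs the tool without a shell; the placeholder path must exist to use it.
    result = subprocess.run(
        build_safe_argv(product_id, store_id),
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()
```

The vulnerable builder is kept only to show the tokenisation; in a real service the argv form with validation is the fix.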