Command Injection Assessment

Related Section:

Able to log in with guest and guest, this is the file manager page:

When selecting the individual documents we can see the URL calls the document directly:

Testing the URL I get an error with ; followed a whoami command, but I dont get an error with &&:

Here is &&:

Trying with BURP, this is the GET request:

Exploring around a bit more, there is a copy functionality:

When selecting it it looks to allow you to copy files to the tmp directory:

Selecting the tmp directory you can then MOVE the file:

Selecting MOVE we see the GET request contains a number of fields:

Working the Injection

probing the to= parameter with %0adir to see if we can list out the contents shows that we can successfully inject commands:

when trying to list out the root directory we see that it gets filtered:

Trying Base64 encoding from the Encoded Commands page. Making sure to encode the characters I try the following command:

$echo -n 'whoami' | iconv -f utf-8 -t utf-16le | base64
dwBoAG8AYQBtAGkA

Then I test payloads:

%0abash<<<$(base64 -d<<<'dwBoAG8AYQBtAGkA')

It didnt like something, so I will fill the space in base64 -d with tab %09 and that works:

Now lets encode the command to read /flag.txt:

$ echo -n 'cat /flag.txt' | iconv -f utf-8 -t utf-16le | base64
YwBhAHQAIAAvAGYAbABhAGcALgB0AHgAdAA=

And we get the flag:

Last updated 11 months ago