Academy command injection skills assessment

Hi,

I am trying to solve the Command Injection Skills Assessment.
I have tried the payloads below but I am unable to solve the issue. Could anyone guide me to solve this?

URL: http://167.99.202.193:32579/index.php?to=tmp&from=696212415.txt&finish=1&move=1
Parameter: from
Payload: 696212415.txt&&w'h'o'am'i
696212415.txt&&w"h"o"am"i
696212415.txt&&bash<<<$(base64${IFS}-d<<<Y2F0IC9mbGFnLnR4dA==)
$(rev<<<'txt.galf/. tac')

Response:
Error while moving: mv: missing destination file operand after ‘/var/www/html/files/696212415.txt’
Try ‘mv --help’ for more information.

You are trying to insert into a command like mv from to.

The Unix mv needs two arguments, from and to. You must create a code injection which yields a valid mv command call followed by a command call you would like to execute.

You can develop the needed arguments with a local bash, like:

from=filea
to=fileb
mv $from $to

If the arguments for from and to work locally, then you can test the bash command injection on the server.

Hi Xtal,

Thank you for the information, I have solved the assessment.
Need to identify the working injection operator (|| or && or & or $() or ;) and then find the proper payload to read the flag.txt (use o'bf'usc'at'ion or proper encoding and replace the filtered characters with environment variables or alternate characters).
Sometimes the content of the flag.txt will appear within the error message.

4 Likes
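The two replies above describe the same weakness from both sides: the application pastes the from and to parameters into a single "mv from to" shell string, and it guards that string with a blacklist that quoting tricks like o'bf'usc'at'ion walk straight past. The following Python is an added example written for this thread, not code from the Academy module or from the assessment target, and every path, list and filename in it is constructed. It models the vulnerable string-building pattern, shows why word and character blacklists are a weak fix, and then moves the file with allow-list validation and no shell at all, which is the correction a code reviewer would ask for.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Rough model of how the thread's application appears to build its command:
# both request parameters are pasted into one shell string ("mv from to").
# Assumed structure, not the real application's source.
def vulnerable_build(from_name: str, to_dir: str) -> str:
    # Never executed in this example; shown only so the shell-parsing risk is visible.
    return f"mv /var/www/html/files/{from_name} /var/www/html/{to_dir}/"

# Blacklist-style checks of the kind the thread's "Malicious request" error suggests.
WORD_BLACKLIST = ("whoami", "cat", "flag")            # constructed list
SHELL_META = re.compile(r"[;&|`$(){}<>'\"\\\s]")      # constructed list

def word_blacklist_hit(value: str) -> bool:
    """A blacklist of command names: quoting splits the word and defeats it."""
    return any(word in value for word in WORD_BLACKLIST)

def char_blacklist_hit(value: str) -> bool:
    """A blacklist of shell metacharacters: better, but it only lists what its author thought of."""
    return SHELL_META.search(value) is not None

# Allow-list: exactly one plain filename component, nothing the shell or the
# filesystem would interpret. This is the check to rely on.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")

def is_safe_name(value: str) -> bool:
    return SAFE_NAME.fullmatch(value) is not None and value not in (".", "..")

def safe_move(from_name: str, to_dir: str, base: Path) -> Path:
    """Validate both parameters, then move without invoking a shell.
    (subprocess.run(["mv", src, dst]) with an argv list would be equally safe.)"""
    if not (is_safe_name(from_name) and is_safe_name(to_dir)):
        raise ValueError("rejected by allow-list")
    base = base.resolve()
    src = (base / "files" / from_name).resolve()
    dst_dir = (base / to_dir).resolve()
    # Second line of defence: the resolved paths must stay under the base directory.
    if base not in src.parents or base not in dst_dir.parents:
        raise ValueError("path escapes base directory")
    dst_dir.mkdir(parents=True, exist_ok=True)
    return Path(shutil.move(str(src), str(dst_dir / from_name)))

def demo_move() -> tuple[bool, bool]:
    """Runs safe_move on a constructed temp layout: a clean name succeeds, an
    injected name is rejected before any command is built."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "files").mkdir()
        (base / "files" / "696212415.txt").write_text("sample\n")
        moved = safe_move("696212415.txt", "tmp", base)
        ok = moved.exists() and moved.parent == (base / "tmp").resolve()
        try:
            safe_move("696212415.txt&&whoami", "tmp", base)
            rejected = False
        except ValueError:
            rejected = True
    return ok, rejected
```

The obfuscated payload quoted in the thread slips past word_blacklist_hit because the quotes break the word apart, yet is_safe_name rejects it on the first quote or ampersand; that contrast is the whole argument for allow-lists over blacklists, and passing the names to shutil.move (or an argv list) means no shell ever sees them in the first place.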

Hi Appsec,

Currently working on this one, just keep getting hit with 302s so not sure where any purchase is. Do you know if I can use either download, copy, or move - will intercepting and injecting any of these commands work, or is there a specific one that’s the way in and if so do you know why? Thanks!

@Appsec Your hints helped me to get “flag.txt” :grin:

Any tips about how to find the injection point?

The input parameter is the injection point.

1 Like

Thanks, this hint helped me a lot.

After you identify the vulnerable API endpoint, you see the error message contains something you can control. Then why not just put the flag there? Use the technique you've learned before; it just works.

By the way, if you try to do something to some folder, then you could download the source code of this vulnerable application.

I need some help here…
Can anyone explain this…?
I need someone to point me in the right direction please, what am I doing wrong? or what do i need to do?

I’ve just completed it with a bit of help from the posts above.

You’re on the right track here with the injection point, which is why it’s throwing the “Malicious request” error. I had another look at the “Bypassing Other Blacklisted Characters” and played about with some of the parameters in there, putting them after “.txt” along with a payload.

Thanks, I wasted days before I could solve this, and my subscription has expired for now.

I am stuck at finding flag.txt in command injection. I have tried
ip=127.0.0.1%0ac'a't${IFS}${PATH:0:1}home${PATH:0:1}flag.txt
and crafted it with different payloads for Burp; I am still not able to find it.