OS command injection, simple case


This lab contains an OS command injection vulnerability in the product stock checker: The application executes a shell command containing user-supplied product and store IDs, and returns the raw output from the command in its response.

Reproduction and proof of concept

  1. Use Burp Suite to intercept and modify a request that checks the stock level.

  2. Modify the storeID parameter, giving it the value 1|whoami.

  1. Observe that the response contains the name of the current user.

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Connection: close
Content-Length: 13



An attacker will need to execute the whoami command to determine the name of the current user.