Exploiting Blind OS Command Injection via Out-of-Band DNS.
Summary of the Vulnerability
This lab demonstrates a blind OS command injection vulnerability within a feedback submission feature. The application constructs and executes a shell command using user-supplied input without proper sanitization.
Because the command runs asynchronously in the background, the application never returns its output in the HTTP response. Traditional techniques such as redirecting output into a web-accessible file or time-based inference are ineffective in this scenario.
However, the server is still able to initiate outbound network interactions. This behavior creates an opportunity for out-of-band (OOB) exploitation, where the attacker confirms command execution by observing external side effects rather than in-band responses.
By injecting shell metacharacters into the email parameter, an attacker can execute arbitrary commands such as nslookup to an attacker-controlled domain (for example, a Burp Collaborator instance).
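The root cause described above is the way the feedback handler builds its shell command. The following is an added example, not code from the lab or from PortSwigger: it shows the unsafe string-concatenation pattern next to a hardened version that validates the address against an allowlist and passes it as a single argv element with no shell involved. The helper name `mail`, the subject string, and the sample inputs are constructed assumptions; the page does not state how the lab's back end actually invokes its mailer.

```python
"""
Added example (not part of the original writeup): the unsafe command-building
pattern behind blind OS command injection, beside a hardened replacement.

Assumptions (constructed for this example, not taken from the page):
  - the feedback handler sends mail via an external "mail" program;
  - the subject string and the sample e-mail inputs below are made up.
"""
import re
import subprocess
import sys

# Constructed sample inputs: a normal address and one carrying a shell
# metacharacter followed by an extra token.
SAMPLE_EMAIL = "user@example.com"
SAMPLE_TAINTED = "user@example.com & extra"

# Strict allowlist for the address field. Anything outside this character set
# (including every shell metacharacter) is rejected before a command is built.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def build_command_vulnerable(email: str) -> str:
    """The unsafe pattern: user input concatenated into one command string.

    An application that hands this string to a shell (for example
    subprocess.run(cmd, shell=True) or os.system(cmd)) lets the shell parse
    '&', ';', '|', '`' and '$( )' inside `email` as command syntax, which is
    exactly the blind injection the lab describes. This function only builds
    the string; it deliberately does not execute it.
    """
    return f"mail -s 'Feedback' {email}"


def validate_email(email: str) -> str:
    """Reject any address that does not match the allowlist."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("rejected e-mail input")
    return email


def build_command_safe(email: str) -> list:
    """The hardened pattern: validated input in an argv list, no shell.

    Each list element reaches the program as one argument, so even a value
    containing metacharacters could not start a second command. Validation
    is kept as well, since the mailer itself may treat some inputs specially.
    """
    return ["mail", "-s", "Feedback", validate_email(email)]


def run_without_shell(email: str) -> str:
    """Show the argv isolation directly.

    A tiny Python child process prints its first argument back. Because no
    shell is involved, a raw string with '&' in it is delivered literally
    as a single argument rather than being interpreted.
    """
    completed = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", email],
        capture_output=True,
        text=True,
        check=True,
    )
    return completed.stdout.rstrip("\n")


if __name__ == "__main__":
    print("vulnerable string :", build_command_vulnerable(SAMPLE_TAINTED))
    print("safe argv         :", build_command_safe(SAMPLE_EMAIL))
    try:
        build_command_safe(SAMPLE_TAINTED)
    except ValueError as exc:
        print("safe builder      :", exc)
    print("no-shell delivery :", run_without_shell(SAMPLE_TAINTED))
```

The two fixes are independent and both are worth applying: the argv list removes the shell from the picture entirely, and the allowlist keeps unexpected input out of the mailer regardless of how it is invoked. On the detection side, the same property the lab relies on, the application host resolving names it has no business resolving, is the signal to watch: web-tier hosts rarely need to issue DNS queries for arbitrary external domains, so an egress allowlist or an alert on unexpected outbound lookups turns this out-of-band channel into evidence of a compromise attempt rather than a confirmation for the attacker.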