## Overview
![[Screenshot from 2022-12-02 12-37-32.png]]
- Allows an attacker to execute commands on the web server
- Used to compromise other parts of the hosting infrastructure via pivoting
Example Exploit:
- Website that allows users to view whether an item is in stock:
  `https://insecure-website.com/stockStatus?productID=381&storeID=29`
- Application calls out to a shell command with the product and store IDs as arguments:
```
stockreport.pl 381 29
```
- Submitting `& echo aiwefwlguh &` in the "productID" parameter makes the application run:
```
stockreport.pl & echo aiwefwlguh & 29
```
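As an added example (not part of these notes, and not the original application's code), the flawed string-building pattern behind this exploit next to a hardened version, written in Python on the assumption that the application builds the `stockreport.pl` call itself; `is_valid_id`, `build_safe_argv` and `shell_metacharacters` are hypothetical helper names:

```python
import re
import subprocess

# Characters a POSIX shell treats as command separators or expansions.
# Their presence in an ID parameter is a cheap signal worth logging.
SHELL_METACHARACTERS = frozenset("&|;`$()<>\n")

# Only a numeric identifier should ever reach stockreport.pl (assumed format).
ID_PATTERN = re.compile(r"[0-9]{1,10}")

def build_vulnerable_command(product_id: str, store_id: str) -> str:
    """The flawed pattern: request parameters interpolated into one shell
    string that is later run with shell=True. A value containing '&' is
    split by the shell into separate commands, exactly as in the note."""
    return f"stockreport.pl {product_id} {store_id}"

def shell_metacharacters(value: str) -> set:
    """Return the shell metacharacters found in a parameter (for logging)."""
    return set(value) & SHELL_METACHARACTERS

def is_valid_id(value: str) -> bool:
    """Allowlist check: the whole value must be digits, nothing else."""
    return ID_PATTERN.fullmatch(value) is not None

def build_safe_argv(product_id: str, store_id: str) -> list:
    """Hardened pattern: validate each parameter, then return an argv list.
    An argv list is executed without a shell, so metacharacters reach the
    program as literal text instead of being interpreted."""
    for name, value in (("productID", product_id), ("storeID", store_id)):
        if not is_valid_id(value):
            raise ValueError(f"rejected {name}: not a numeric identifier")
    return ["stockreport.pl", product_id, store_id]

def run_stock_report(product_id: str, store_id: str) -> subprocess.CompletedProcess:
    """Invoke the script via an argv list; shell=False is the default."""
    return subprocess.run(build_safe_argv(product_id, store_id),
                          capture_output=True, text=True, check=False)

if __name__ == "__main__":
    # Constructed inputs: the note's legitimate request and its injected one.
    print(build_vulnerable_command("& echo aiwefwlguh &", "29"))
    print(build_safe_argv("381", "29"))
    try:
        build_safe_argv("& echo aiwefwlguh &", "29")
    except ValueError as exc:
        print(exc)
```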
- Useful Commands:
![[Screenshot from 2022-12-02 12-37-18.png]]