Summary

  • The author found a command injection flaw in a web application they were testing, which allowed them to execute arbitrary commands on the server.
  • The author used the filename parameter to test this theory, injecting a URL pointing at their Burp Collaborator server; the resulting out-of-band callback confirmed the command injection vulnerability.
  • They then used the vulnerability to retrieve the /etc/passwd file, which stores information about user accounts on a Unix-based system.
  • The author reflects on the importance of careful input validation, and of ensuring that user-supplied data is properly sanitised to prevent unauthorised access.
  • The article also serves as a reminder to pentesters to always look for unusual inputs that might lead to unexpected outputs, especially with common vulnerabilities like command injection.
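
The summary above describes a filename parameter reaching a shell command and the validation that would have prevented it. The following is an added example, not code from the summarised article or its author: it shows the vulnerable pattern (user input interpolated into a shell string) beside a hardened version that allow-lists the filename, confines it to an upload directory and passes an argv list to subprocess so no shell is involved. The upload directory, the `file` utility and the sample filenames are assumptions for illustration.

```python
"""Added example: command injection via a filename parameter, vulnerable and
hardened forms. Upload directory, the `file` utility and the sample names are
assumed for illustration, not taken from the summarised article."""
import re
import subprocess
from pathlib import Path

# Allow-list for filenames: a letter or digit, then up to 63 of [A-Za-z0-9._-].
# Shell metacharacters, spaces, path separators and leading dots/dashes are rejected.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def vulnerable_command(filename: str) -> str:
    """Vulnerable pattern: user input interpolated into a shell command string.

    Whatever the caller passes, separators included, becomes part of the line
    that ``subprocess.run(..., shell=True)`` hands to /bin/sh.
    """
    return f"file {filename}"


def validate_filename(filename: str) -> str:
    """Return the filename if it matches the allow-list, else raise ValueError."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return filename


def build_safe_argv(filename: str, upload_dir: Path) -> list[str]:
    """Hardened pattern: validate, confine to upload_dir, build an argv list.

    The list form of subprocess never involves a shell, so metacharacters in
    the name cannot alter the command; ``--`` stops ``file`` from treating a
    name beginning with ``-`` as an option.
    """
    name = validate_filename(filename)
    base = upload_dir.resolve()
    target = (base / name).resolve()
    # Defence in depth: even if the allow-list is relaxed later, the resolved
    # path must still sit directly inside the upload directory.
    if target.parent != base:
        raise ValueError(f"path escapes upload dir: {target}")
    return ["file", "--", str(target)]


def run_file_command(filename: str, upload_dir: Path) -> str:
    """Execute the hardened command without a shell and return its stdout."""
    result = subprocess.run(
        build_safe_argv(filename, upload_dir),
        capture_output=True, text=True, check=False,
    )
    return result.stdout


def looks_like_injection(filename: str) -> bool:
    """Detection helper for logs or a WAF rule: flag names carrying shell
    metacharacters or an embedded URL (the out-of-band probe the article used)."""
    return bool(re.search(r"[;&|`$(){}<>\n]|https?://", filename))


if __name__ == "__main__":
    upload_dir = Path("/srv/uploads")  # assumed location, not from the article
    for name in ["report.pdf", "report.pdf;id", "../../etc/passwd"]:
        print("vulnerable shell string:", vulnerable_command(name))
        print("suspicious:", looks_like_injection(name))
        try:
            print("hardened argv:", build_safe_argv(name, upload_dir))
        except ValueError as exc:
            print("rejected:", exc)
    try:
        print(run_file_command("report.pdf", upload_dir))
    except FileNotFoundError:
        print("`file` utility not installed; argv construction still shown above")
```

The allow-list is deliberately strict: rejecting everything outside a small character set is easier to reason about than trying to escape or strip the metacharacters an attacker might use, and avoiding `shell=True` removes the interpreter that made the injection possible in the first place.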

By Iski
