Beyond the Wall: command injection is still alive.

Notes

  • I will not use the real name of the company I am writing about; I will call it Kings-Landing.
  • There is a short version of the story (TL;DR) and a Takeaways section at the end of the write-up if you want to save yourself seven minutes || don’t have time for my jokes :)

HTTP history

The response? 500 Internal Server Error

The error is gone and it’s 200 OK again.

Active Scan++

False positives everywhere!

But the Active Scan++ extension thought otherwise about this case.

The payload was: `sleep 11`

OS Command Injection

This was the perfect time to bring out the ultimate weapon every hacker has: the Google search engine.

Conditional IF

And the server falls asleep.

The Real Impact

Reporting

Many scenarios, yet the end is the same. Dracarys.
Really?!!

TL;DR

Takeaways

  • Always take a look at the HTTP history; you will find something you missed.
  • Active Scan++ is worth having installed.
  • Automation is key. Save your effort for the logic bugs and for investigating the weird behaviors reported by tools.
  • URL encoding and double URL encoding: when a payload is blocked, try the encoded form, and then encode the encoded form again. A filter that decodes once sees only percent signs and letters, while a backend that decodes twice still gets the original bytes.
  • Kings-Landing is a public program with dozens of resolved reports, yet it still had this kind of bug.
  • Tunnel vision is:
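To make the two technical threads of this story concrete (the `sleep 11` time-based probe, and why double URL encoding gets a payload past a filter), here is an added Python model. It is example code written for this page, not the author's tooling and not the code of the target program: the filter, the `ping` backend, the `waf_allows`/`vulnerable_build`/`hardened_build` names and the latency figures are all constructed assumptions. It shows a filter that decodes once, a backend that decodes twice and pastes the value into a shell string, the three forms of one probe, the argv-based fix, and a confirmation step that only accepts a delay that scales with the requested sleep.

```python
import re
import subprocess
import time
from urllib.parse import quote, unquote

# Hypothetical perimeter filter (constructed for this example): it decodes the
# parameter ONCE, then blocks shell metacharacters and the word "sleep".
BLOCKED = re.compile(r"[;|&`]|\$\(|\bsleep\b", re.IGNORECASE)


def waf_allows(raw_param: str) -> bool:
    """Return True if the single-decoded value shows nothing suspicious."""
    return BLOCKED.search(unquote(raw_param)) is None


def vulnerable_build(raw_param: str) -> str:
    """Hypothetical backend that decodes AGAIN (framework decode plus a
    hand-rolled one) and pastes the value into a shell string.  This is the
    bug class: the value is never an argument, it is shell source."""
    host = unquote(unquote(raw_param))
    return f"ping -c 1 -W 1 {host}"


def hardened_build(raw_param: str) -> list[str]:
    """Fix: decode once, allowlist the value, and pass an argv list so no
    shell ever parses it."""
    host = unquote(raw_param)
    if not re.fullmatch(r"[A-Za-z0-9.-]{1,253}", host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", "-W", "1", host]


def probe_variants(host: str, seconds: int) -> dict[str, str]:
    """Three forms of one time-based probe: plain, URL-encoded, and double
    URL-encoded (the form that survives a single-decode filter)."""
    plain = f"{host};sleep {seconds}"
    once = quote(plain, safe="")
    return {"raw": plain, "url": once, "double_url": quote(once, safe="")}


def reaches_shell(raw_param: str) -> bool:
    """Does this parameter pass the filter AND arrive at the shell as a
    second command?"""
    if not waf_allows(raw_param):
        return False
    cmd = vulnerable_build(raw_param)
    return re.search(r"[;|&]\s*sleep\s+\d+", cmd) is not None


def confirm_time_based(latency_by_sleep: dict[int, float],
                       tolerance: float = 1.0) -> bool:
    """Confirmation in the spirit of the scanner's check: the observed delay
    must grow with the requested sleep, measured against a sleep-0 baseline.
    A server that is simply slow (every probe takes ~6 s) fails; one whose
    latency tracks the payload passes.  This is what separates a real hit
    from the false positives a single slow response would produce."""
    baseline = latency_by_sleep[0]
    probes = [n for n in latency_by_sleep if n > 0]
    if not probes:
        return False
    return all(latency_by_sleep[n] - baseline >= n - tolerance for n in probes)


if __name__ == "__main__":
    # Live demo (needs a POSIX shell): the double-encoded probe really
    # executes through the vulnerable builder, so the call takes >= 1 s.
    payload = probe_variants("127.0.0.1", 1)["double_url"]
    start = time.monotonic()
    subprocess.run(vulnerable_build(payload), shell=True, capture_output=True)
    print(f"shell ran for {time.monotonic() - start:.1f}s with {payload}")
    try:
        hardened_build(payload)
    except ValueError as err:
        print("hardened version:", err)
```

Note how the single-decoded string `8.8.8.8%3Bsleep%2011` contains neither a `;` nor a word-boundary before `sleep`, so the blocklist never fires, while the backend's second decode restores `;sleep 11` intact. The `hardened_build` path rejects the same input because the allowlist is applied to exactly what will be used, and the argv list means even an allowed value is never parsed by a shell.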

Cyber Security Analyst.
