When you have command execution on a Windows box via some sort of web app, you are going to want to somehow get an interactive shell. A common way to do this is to "echo" commands into a text file in order to use the Windows built-in FTP client to grab your shell. Another option is to use a wget VBS script. I personally like the VBS script since it doesn't require putting credentials on the victim machine and it also doesn't require an FTP server. In general, a lot less can go wrong with using wget.
Doing this, however, requires you to run multiple echo commands, which can get pretty tedious. A quick way to do this is to use Burp's Intruder function.
I will be using this wget vbs script.
1. Paste your commands in a text file, one per line.
2. Start the Burp Proxy and point your browser to it.
3. Make sure you set Intercept to Off, or else you will have to forward every request.
4. Navigate to where you have command execution and place the word "PLACEHOLDER" where you would typically place a command.
5. Go to the Proxy tab in Burp and choose History. Find the request with "PLACEHOLDER" (it should be the last request), right-click it and choose "Send To Intruder".
6. Select the Intruder tab from the top, choose the Positions tab and on the right-hand side select "Clear §".
7. Highlight PLACEHOLDER and select "Add §" from the right-hand side.
8. Now choose the Payloads tab and select Load. Find the text file with your commands and choose that.
9. Select Start attack. If you don't have Burp Pro, it won't be super fast, but it will still be much faster than doing it manually.
This works really well for finding directory traversal vulns as well as local file inclusions. You can manually dig through the requests for larger response sizes, or use some of the more advanced Burp features to make it more automated. It just depends on how much you are going to be using this feature.
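Seen from the defending side, the tell-tale of this technique is a burst of echo-with-append requests from one client against the same file, followed by a script interpreter being invoked on it. The following is an added example, not code from the original post: a small Python detector run over constructed access-log lines, assuming the injectable parameter is named `cmd` and the log is in combined-log style.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample log (not from the original post): one client appends
# three lines to a .vbs file via echo, then runs it; a second client is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:01 +0000] "GET /app/run.asp?cmd=echo+line1+%3E%3E+w.vbs HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /app/run.asp?cmd=echo+line2+%3E%3E+w.vbs HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:10:01:03 +0000] "GET /app/run.asp?cmd=echo+line3+%3E%3E+w.vbs HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:10:01:05 +0000] "GET /app/run.asp?cmd=cscript+w.vbs HTTP/1.1" 200 128
10.0.0.9 - - [12/Mar/2024:10:02:00 +0000] "GET /app/run.asp?cmd=dir HTTP/1.1" 200 2048
"""

PARAM = "cmd"  # assumed name of the injectable parameter
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d+) (\d+)')
ECHO_APPEND = re.compile(r'\becho\b.*>>\s*(\S+)', re.IGNORECASE)
SCRIPT_EXEC = re.compile(r'\b(cscript|wscript)(?:\.exe)?\s+(\S+)', re.IGNORECASE)

def parse_line(line):
    """Return (client_ip, decoded command) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _ts, _method, path, _status, _size = m.groups()
    # parse_qs URL-decodes the value, turning '+' into spaces and %3E into '>'
    cmd = parse_qs(urlparse(path).query).get(PARAM, [""])[0]
    return ip, cmd

def detect(log_text, min_echo=3):
    """Flag (ip, file) pairs built up by >= min_echo echo-appends or later executed."""
    appended = defaultdict(lambda: defaultdict(int))  # ip -> file -> echo count
    executed = set()                                  # (ip, file) run via cscript/wscript
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, cmd = rec
        m = ECHO_APPEND.search(cmd)
        if m:
            appended[ip][m.group(1).lower()] += 1
        m = SCRIPT_EXEC.search(cmd)
        if m:
            executed.add((ip, m.group(2).lower()))
    alerts = []
    for ip, files in appended.items():
        for fname, count in files.items():
            ran = (ip, fname) in executed
            if count >= min_echo or ran:
                alerts.append({"ip": ip, "file": fname, "echo_count": count, "executed": ran})
    return alerts
```

Lowering `min_echo` trades false positives for earlier alerting; the execution check fires regardless of count, since one echo plus a cscript call is already worth a look.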