Exploiting File Upload In DVWA Using The Tool Dvwaupsploit

De Technocrats
Aug 11, 2023

Recently, we developed a tool for exploiting file upload vulnerabilities. The tool is called “dvwaupsploit,” short for “Damn Vulnerable Web Application Upload Sploit.” The term “sploit” is derived from “exploit,” as this tool is capable of exploiting file upload vulnerabilities in web applications.

However, there is a catch: this tool only works within the DVWA environment. We need open source developers to contribute to our GitHub organization. Ideally, we want to expand the capabilities of this tool so it can be used against real-world websites for penetration testing (ethical hacking).

For now, we can only focus on developing this tool for the DVWA environment. If you are interested in contributing to our GitHub organization, where you can open pull requests against any repo, you will receive an invitation link to join us. Send a message to join our Telegram group at https://t.me/DeTechnocrats, then reach out to one of our admins via direct message.

DVWAUPSPLOIT

dvwaupsploit is written in Python and can bypass the upload checks at DVWA’s low, medium, and high security levels. The tool ships with several backdoors that can be used to bypass all three levels. These backdoors are designed to execute remote code on the target server once the attack is successful.

Before using this tool, make sure you are already familiar with web attacks such as file upload vulnerability, local file inclusion, and command injection. This tool is designed for penetration testing purposes on web applications within the DVWA environment. We do not recommend using this tool if you are not familiar with the aforementioned web application attacks.

You can visit our dvwaupsploit tool repository at https://github.com/De-Technocrats/dvwaupsploit for documentation on the tool. This article will also guide you on how to use the tool. Please ensure that you are already familiar with and have installed the DVWA environment before proceeding.

Install

Make sure you have installed DVWA on your operating system and placed it in the directory served by your localhost web server. Any web server stack such as XAMPP, WAMP, MAMP, or Laragon will do, as long as DVWA is installed on it.

We are using the Windows operating system. You can follow the same steps on Linux or macOS; the only difference is in the shell commands.

We are using Laragon as our web server and have already started it.

Then we cloned (installed) our tool with the following command:

git clone https://github.com/De-Technocrats/dvwaupsploit

The result when cloning (installation) of our tool is done in the terminal:

Now navigate to the directory where the tool is installed, then run the following command to install the external libraries the tool needs.

pip install -r requirements.txt

The author had already installed some of the libraries, so the output reports that they are already installed.

Now open the DVWA environment and log in. The page will appear like this:

Usage

To list all of the tool’s usage options, use the command below in the terminal:

python dvwa.py -h

Result :

To view the backdoors prepared with the dvwaupsploit tool, type the following command in the terminal:

python dvwa.py --backdoors

Result :

Low Level Security Exploitation

First, to perform attacks at the low, medium, and high security levels, the tool needs the cookie that DVWA stored in your browser. You can find it by opening the browser’s inspect element feature and switching to the Application section. You can see the DVWA cookie in the image below:

To exploit the low level security vulnerability in DVWA, run the following command in the dvwaupsploit tool:

python dvwa.py -u http://localhost/dvwa/vulnerabilities/upload/ --cookie "PHPSESSID=impeijl7bi8fip1fvi6vq93k9t; security=low"

Let’s break down the command :

  1. python dvwa.py: This runs the dvwa.py Python script.
  2. -u http://localhost/dvwa/vulnerabilities/upload/: This flag specifies the target URL (i.e. path) where the script will attempt to exploit a vulnerability. In this case, it's trying to exploit a vulnerability related to file uploads on the specified URL.
  3. --cookie "PHPSESSID=impeijl7bi8fip1fvi6vq93k9t; security=low": This flag provides the necessary cookie values to authenticate or interact with the target web application. It contains two cookies: PHPSESSID and security. The PHPSESSID cookie represents a session ID that is used for tracking the user's session, and the security cookie is used to set the security level of the application to "low".

In summary, the command runs a Python script that exploits a file upload vulnerability on the target URL, providing the required cookies for authentication and setting the security level to “low”. For the low level walkthrough, upload the PHP file named one_liner.php.

Result :

The image above shows the low level security vulnerability exploited successfully. Once the file upload attack succeeds, you can perform remote code execution.

Medium Level Security Exploitation

Exploiting the medium security level requires an additional technique: a local file inclusion attack. The dvwaupsploit tool has two image files, with the extensions jpg and png, that can bypass the medium and high security levels. First, change the DVWA security setting to medium, then run the command again with the medium security cookie:

python dvwa.py -u http://localhost/dvwa/vulnerabilities/upload/ --cookie "PHPSESSID=impeijl7bi8fip1fvi6vq93k9t; security=medium"

Then, when the command above runs, upload the backdoor file named cat.jpg. At this level, dvwaupsploit needs an additional technique:

The local file inclusion attack uses an LFI payload like this:

F:\laragon\www\dvwa\hackable\uploads\(filename)

Adjust the directory to match your own web server.

Location :

The LFI payload above references the uploaded image file in which the backdoor was embedded. In the local file inclusion URL, the bypass looks similar to this:

http://localhost/dvwa/vulnerabilities/fi/?page=F:\laragon\www\dvwa\hackable\uploads\cat.jpg

Result :
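For defenders, the medium and high bypasses rely on an upload directory that accepts image files carrying PHP code. The following added example (not part of dvwaupsploit or the original article) audits an upload directory for that condition; the sample files are constructed, and the list of script extensions is an assumption.

```python
import os
import re
import tempfile

# Leading bytes of the image types used for the medium/high uploads.
MAGIC = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n"}
# Extensions the web server may hand to PHP (assumed list; match your config).
SCRIPT_EXT = {".php", ".phtml", ".phar"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)  # "<?php" or "<?="

def audit_file(path):
    """Return the findings for one uploaded file (empty list means clean)."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    if ext in SCRIPT_EXT:
        findings.append("script extension")
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        findings.append("magic mismatch")
    if PHP_TAG.search(data):
        findings.append("php tag in body")
    return findings

def audit_dir(root):
    """Map file name -> findings for every flagged file under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hits = audit_file(os.path.join(dirpath, name))
            if hits:
                report[name] = hits
    return report

def demo():
    """Audit constructed sample files written to a temporary directory."""
    samples = {
        "clean.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "cat.jpg": b"\xff\xd8\xff\xe0<?php /* constructed */ ?>",
        "one_liner.php": b"<?php /* constructed */ ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return audit_dir(root)

if __name__ == "__main__":
    print(demo())
```

The short `<?=` tag can occur by chance in large compressed images, so treat a lone "php tag in body" finding as a triage signal and confirm it by inspecting the file.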

High Level Security Exploitation

To exploit the high security level, we need to use the command injection technique. Run the same command in the dvwaupsploit tool, but with the high security cookie, and upload the backdoor file named leon.png:

Now, switch to the command injection page in DVWA. Before that, change the DVWA security setting to high or medium. The author has set it to high security:

For the command injection, inject a payload like this into the application’s input:

ping 8.8.8.8 |copy F:\laragon\www\dvwa\hackable\uploads\leon.png F:\laragon\www\dvwa\hackable\uploads\backdoor.php

Result :

And finally, access the file as follows in the DVWA web application URL :

http://localhost/dvwa/hackable/uploads/backdoor.php

Result :
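The chain above leaves two request patterns in the web server's access log: an include parameter that points into the upload directory, and a script served from that directory. This added example (not from the original article or the tool) flags both in combined-format log lines; the log lines are constructed and the extension list is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line of an Apache/Nginx "combined" access-log entry.
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
UPLOAD_DIR = "/hackable/uploads/"         # DVWA upload directory from the article
SCRIPT_EXT = (".php", ".phtml", ".phar")  # assumed list; match your PHP handler
INCLUDE_PARAM = "page"                    # parameter of DVWA's file inclusion page

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = [
    '127.0.0.1 - - [11/Aug/2023:10:00:01 +0000] "POST /dvwa/vulnerabilities/upload/ HTTP/1.1" 200 4821',
    '127.0.0.1 - - [11/Aug/2023:10:00:09 +0000] "GET /dvwa/vulnerabilities/fi/'
    '?page=F:%5Claragon%5Cwww%5Cdvwa%5Chackable%5Cuploads%5Ccat.jpg HTTP/1.1" 200 5120',
    '127.0.0.1 - - [11/Aug/2023:10:00:20 +0000] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 4300',
    '127.0.0.1 - - [11/Aug/2023:10:00:30 +0000] "GET /dvwa/hackable/uploads/backdoor.php HTTP/1.1" 200 312',
    '127.0.0.1 - - [11/Aug/2023:10:00:41 +0000] "GET /dvwa/hackable/uploads/photo.png HTTP/1.1" 200 667',
]

def classify(line):
    """Return an alert name for one access-log line, or None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    path = url.path.lower()
    # A script served directly from the upload directory.
    if UPLOAD_DIR in path and path.endswith(SCRIPT_EXT):
        return "script-in-uploads"
    # An include parameter pointing at the upload directory (either slash style).
    for value in parse_qs(url.query).get(INCLUDE_PARAM, []):
        if UPLOAD_DIR in value.replace("\\", "/").lower():
            return "include-from-uploads"
    return None

def scan(lines):
    """Return (line number, alert) pairs for every flagged line."""
    hits = []
    for number, line in enumerate(lines, 1):
        alert = classify(line)
        if alert:
            hits.append((number, alert))
    return hits

if __name__ == "__main__":
    for number, alert in scan(SAMPLE_LOG):
        print(number, alert)
```

DVWA's command injection form is submitted in a POST body, so that step does not show up in a standard access log; the later request for the new .php file in the upload directory does.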

Closing

It’s important to remember once again that this article is intended for penetration testing (Ethical Hacking) purposes. The author tried their best to ensure that readers could understand the content of this article.

You can try adding features to our tool if you find anything interesting in our GitHub repository. We are aware that our tool still has some limitations in terms of features that have not been added yet.

If you’re interested in learning how to create a Python exploit for a low level file upload vulnerability in DVWA, the author has written an article about it. You can visit the blog page titled “How to write a Python exploit for file upload vulnerability in DVWA at a low level.” Hopefully, it will be useful!

For further video tutorials, you can visit our YouTube channel as well. Don’t forget to hit the subscribe button; it’ll motivate us to share more stuff for you guys.
