Remote Code Execution — Damn Vulnerable Web Application (DVWA) - Medium level security

mike waals
2 min read · Dec 25, 2018


Hello Friends,

Today I am going to show you how to bypass the medium-level filter in the RCE section of Damn Vulnerable Web Application (DVWA).

I am not going to get into the details of RCE (Remote Code Execution), but I will share some high-level background on it.

<?php
// Host lookup script - very secure????

// User input is taken straight from the request and never validated.
$hostnamelookup = $_REQUEST['hostname'];

echo "Host chosen for whois lookup " . $hostnamelookup;

// The raw input is concatenated into a shell command, so shell metacharacters are interpreted.
echo shell_exec("whois " . $hostnamelookup);

?>

Consider the above code snippet.

Remote code execution occurs when an application contains code like this: user input is concatenated into a shell command and executed as-is.

Most vulnerabilities of this kind are exploited when user input is not sanitised properly, whether it arrives in the body of a POST request or as a query-string parameter in a GET request. GET requests are considered more risky than POST, so most developers prefer POST requests in their applications, but POST parameters are equally dangerous when the input is not validated carefully.

In the DVWA RCE section, you can normally execute additional commands using special shell characters that chain another command onto the first, such as ';' and '&&'. There are more characters besides these two that can be used to append commands.

So RCE can be achieved with either of the inputs below at DVWA low security:

127.0.0.1; ls
127.0.0.1 && ls

But at medium security, the characters above are stripped from the input before it is passed to shell_exec. Let us see the code:

// Get input
$target = $_REQUEST[ 'ip' ];

// Set blacklist
$substitutions = array(
    '&&' => '',
    ';'  => '',
);

// Remove any of the characters in the array (blacklist).
$target = str_replace( array_keys( $substitutions ), $substitutions, $target );

As you can see, the && and ; sequences are replaced with an empty string. So how can we bypass it?

Most of the time we use the more command along with ls to see a directory listing one screen at a time. To do that we use the '|' pipe character to feed the output of ls into more. It is the same character we can use here, because if you look closely, the developer forgot to add the pipe character to the substitution list.
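To make the weakness in the blacklist concrete, here is an added example (not DVWA's own code) that runs the medium-level str_replace filter and a hypothetical allowlist check side by side: the filter leaves the pipe character untouched, whereas validating the value as an IP address with filter_var and quoting it with escapeshellarg rejects anything that is not a plain address.

```php
<?php
// Added example, not DVWA's own code. Compares the medium-level blacklist
// from this page with an allowlist check (hypothetical hardening, not DVWA's fix).

// Medium-level filter as shown on the page: removes only "&&" and ";".
function blacklist_filter(string $target): string {
    $substitutions = array(
        '&&' => '',
        ';'  => '',
    );
    return str_replace(array_keys($substitutions), $substitutions, $target);
}

// Allowlist check: accept only a syntactically valid IP address.
// Anything else is rejected outright rather than "cleaned", so there is no
// forgotten metacharacter to slip through.
function validate_ip(string $target): ?string {
    $ip = filter_var(trim($target), FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// Build the whois command only from a validated value, and still quote it
// as a single shell argument as a second layer of defence.
function build_whois_command(string $target): ?string {
    $ip = validate_ip($target);
    if ($ip === null) {
        return null;
    }
    return 'whois ' . escapeshellarg($ip);
}

// Constructed sample inputs: the low-level payloads from this page plus the pipe bypass.
$inputs = array('127.0.0.1', '127.0.0.1; ls', '127.0.0.1 && ls', '127.0.0.1 | ls');
foreach ($inputs as $input) {
    printf("%-18s blacklist -> %-18s allowlist -> %s\n",
        $input,
        blacklist_filter($input),
        build_whois_command($input) ?? 'rejected');
}
```

Only the plain address survives the allowlist; the pipe payload passes the blacklist unchanged but never reaches the shell under the validated version.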

To exploit it, you can also use Burp Suite. Make sure the Burp Suite proxy is configured in your favourite browser and that Intercept is turned on in Burp Suite.

With Intercept on, every request sent to the server can be caught before it reaches the server and its input modified. You can use Repeater here if you would like to run further tests with the same POST request and view the result of that request inside Burp Suite, for example to compare results later on.

Another option is to send the request to Intruder to brute-force the input and test which characters the application accepts.

To bypass the filter, put | ls in the text box and you will see the directory listing on the page.

That is it folks.

Mikewaals
