Damn Vulnerable Web Application, aka DVWA, is a web application where we can practice some of the most common web vulnerabilities, with various levels of difficulty and a simple, straightforward interface.
So in DVWA I am going to solve some of its vulnerabilities: command injection, CSRF, file inclusion, file upload and SQL injection. So let's start:
Command Injection
Command Execution, or Command Injection, is an attack whose goal is the execution of arbitrary commands on the host operating system via a vulnerable application.
Security — Low
At first let's view the source code for Low:
While viewing the source code we can see that it does not check whether $target matches an IP address. There is no filtering of special characters at all. So I am going to ping my IP address.
Yes, we can ping our IP address. We know that in Linux the semicolon (;) separates commands, so a second command placed after the IP address is executed as well. Let's use this to view the contents of the /etc/passwd file:
Security — Medium
Viewing the source code, we see that a blacklist has been set to strip && and ; from the input. The pipe character (|) is not on that list, so we can use it as a replacement. So again let's view /etc/passwd, but this time we use a pipe (|) instead of a semicolon (;) to separate our command from the IP address.
Security — High
While viewing the source code, it looks like a more extensive blacklist has been set. Slightly trickier, but while focusing on the blacklist in the source code I find that the answer is in the source code itself:
'| ' => '',
- Note that in the blacklist entry there is a space after the | character, so only the two-character string "| " (pipe followed by a space) is removed. If we try "| pwd" with the space, the pipe is stripped and no output is returned:
However, if we use "|pwd" without the space, the blacklisted pattern no longer matches, the pipe survives the filter and our command is executed, as shown below:
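The three levels share one root cause: the input is cleaned with a substring blacklist instead of being validated as an IP address, and the result is still handed to a shell. As an added illustration (my own Python sketch, not DVWA's PHP), the snippet below puts the blacklist approach next to the fix the Low-level source is missing: a positive IP-address check and a ping invocation built as an argv list with no shell. The BLACKLIST here contains only the entries the walkthrough mentions (&&, ; and "| "), not DVWA's full High-level list, and all function names are hypothetical.

```python
import ipaddress
import subprocess

# Assumed, partial blacklist: only the entries discussed above.
# "| " is the High-level entry (pipe followed by a space).
BLACKLIST = ["&&", ";", "| "]

# Characters a POSIX shell treats as command separators or substitutions.
SHELL_SEPARATORS = "|;&`$()\n"


def blacklist_filter(target: str) -> str:
    """Strip blacklisted substrings, the way the Medium/High levels do."""
    for bad in BLACKLIST:
        target = target.replace(bad, "")
    return target


def shell_separators_remaining(target: str) -> bool:
    """True if a shell separator survived the filter (i.e. the filter failed)."""
    return any(c in target for c in SHELL_SEPARATORS)


def is_valid_ip_target(target: str) -> bool:
    """Positive validation: accept only a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(target.strip())
        return True
    except ValueError:
        return False


def ping_argv(target: str) -> list:
    """Build the ping command as an argv list; no shell interprets it."""
    if not is_valid_ip_target(target):
        raise ValueError("target is not an IP address")
    # Normalise via ipaddress so the argument is exactly one address literal.
    return ["ping", "-c", "4", str(ipaddress.ip_address(target.strip()))]


def safe_ping(target: str) -> subprocess.CompletedProcess:
    """Run ping with shell=False; the target can only ever be an address."""
    return subprocess.run(ping_argv(target), capture_output=True, text=True, shell=False)
```

The blacklist removes "; " and "| " but leaves an unspaced "|" intact, whereas is_valid_ip_target rejects every input that is not a bare address, which is the check the Low-level source omits.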