How To Perform Command Injection Attacks (DVWA) For Aspiring Hackers!

September 12, 2022
in Ethical Hacking

In this write-up, I want to show you how to attack DVWA by using command injection.

Command injection is one of the easiest attacks to understand; however, there are not many online tutorials covering the subject from a practical point of view.
As usual, I will do my best to explain it so that you can hunt this type of bug without any problem.

So let’s get our hands dirty by running our Kali VM and the DVWA machine on TryHackMe.

If you don’t know how to run DVWA, you can take a look at the dedicated paragraph in this article.

I have already shown how to turn the vulnerability into an arbitrary file upload and then a reverse shell, so in this article, I will just focus on how to bypass the filters.
The goal here will be to show the content of the /etc/passwd file.

Table of Contents

  • Cheat Sheet for Command Injection
  • Step #1: Command Injection DVWA low-security
  • Step #2: Command Injection DVWA medium-security
  • Step #3: Command Injection DVWA high-security
  • Conclusion

Cheat Sheet for Command Injection

Usually, an application vulnerable to an OS Command Injection attack takes user input either without sanitization or with badly designed filters. To run our exploit in DVWA, we first need to understand how we can chain multiple commands in a Linux terminal.

If you have any doubts, I invite you to read this article before proceeding.

So let’s look at a minimal list of operators that are useful for our “chaining” goal (spaces between operators and commands are optional):

  • Ampersand Operator (&): Runs the first command in the background; as a side effect, it marks the end of the first command and the beginning of the second one.
  • Semi-Colon Operator (;): Separates two commands and runs them as if they were on two separate lines.
  • PIPE Operator (|): The output of the first command becomes the input of the second command.
  • OR Operator (||): Executes the second command only if the first one fails.
  • AND Operator (&&): Executes the second command only if the first one succeeds.
  • Backtick Operator (`): Every command inside backticks is evaluated before the outer one.

Step #1: Command Injection DVWA low-security

As you can imagine, we should first log into the machine using the credentials:

  • username: admin
  • password: password

After a successful login, we can set the security level as “low” in the left sidebar.

If you have read my previous tutorial, this is nothing new, so we can start with the actual attack.

Let’s click on the menu item “Command Injection” in the left sidebar menu.

The page we landed on has an input field, and if we submit a random domain, like “google.com”, the output is exactly the same as that of the ping command.

[Figure: command injection DVWA first test]

So we can guess that the server executes something like this:

ping <INPUT>

Without proper sanitization, this will allow us to manipulate the input and concatenate more commands, or at least it should.

Having made our assumption, all we can do is cross our fingers and try this input:

google.com; cat /etc/passwd

We are lucky: the output is exactly what we expect from a vulnerable application:

[Figure: DVWA low security command injection succeeded]

Well done, now set the security level as “Medium” and then jump to step two.

Step #2: Command Injection DVWA medium-security

After setting medium security, our previous exploit no longer seems to work, but we have our cheat sheet above!
We can try enumerating the chaining operators, hoping for a poor input check!

So let’s try with the AMPERSAND Operator (&) like this:

google.com& cat /etc/passwd

And the resulting output, after submitting, is:

[Figure: DVWA medium security command injection succeeded]

So our Command Injection attack managed to pass the filter of DVWA with medium security!

Step #3: Command Injection DVWA high-security

Finally, we are at DVWA with a high-security level, and we are ready to perform our Command Injection attack!

I can anticipate that the purpose of this level is to show us that even a somewhat more sophisticated filter can contain a small slip.


Usually, we cannot see the backend code, and the only option is to enumerate all the possibilities.
In this case, the goal is to understand the process rather than waste your time guessing, so we will cheat a little bit.

I’m going to look at the code by using the “View Source” button at the bottom right; in particular, pay attention to the filter that I’m listing below.

    // Set blacklist
    $substitutions = array(
        '&'  => '',
        ';'  => '',
        '| ' => '',
        '-'  => '',
        '$'  => '',
        '('  => '',
        ')'  => '',
        '`'  => '',
        '||' => '',
    );

    // Remove any of the characters in the array (blacklist).
    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );

The blacklist entry for the PIPE operator is '| ', that is, the pipe followed by a space, and we know that the space is optional.
So the filter won’t remove a PIPE operator that is not followed by a space, for example when chaining the commands this way:

google.com|cat /etc/passwd

So let’s try our exploit and BAM! We hit the mark!

[Figure: DVWA high security command injection succeeded]

Finally, this level is complete, and you are on your way to a better understanding and maybe to rewards from some bug bounty programs.
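To see why the '| ' entry lets the last payload through, and what a safer check looks like, here is an added Python example (not DVWA's code): it emulates the high-level blacklist with the same sequential replacements that PHP's str_replace() performs on array arguments, flags any chaining character that survives, and then builds a ping command from an allowlist-validated target that is passed as a separate argument with no shell involved. The hostname and IPv4 patterns and the "-c 4" count are my own assumptions.

```python
import re
from typing import List

# The DVWA "high" blacklist, copied from the PHP above. PHP's str_replace()
# with array arguments applies the pairs in order, each one on the string
# already modified by the previous pairs, so we do the same here.
DVWA_HIGH_BLACKLIST = [
    ("&", ""), (";", ""), ("| ", ""), ("-", ""), ("$", ""),
    ("(", ""), (")", ""), ("`", ""), ("||", ""),
]


def dvwa_high_filter(target: str) -> str:
    """Emulate the DVWA high-level blacklist, pair by pair."""
    for needle, replacement in DVWA_HIGH_BLACKLIST:
        target = target.replace(needle, replacement)
    return target


def contains_shell_metachar(s: str) -> bool:
    """Detection helper: does any command-chaining character survive?"""
    return any(c in s for c in "&;|`$()\n")


# Allowlist alternative (assumed grammar): RFC 1123 style hostname labels
# separated by dots, or a dotted-quad IPv4 address. Anything else, including
# a leading '-', which ping would read as an option, is rejected outright.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
_IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"
)


def build_ping_argv(target: str) -> List[str]:
    """Return an argv list suitable for subprocess.run(argv) (no shell).

    The target is validated against the allowlist instead of being cleaned
    with a blacklist, and it travels as its own argv element, so no shell
    ever parses it and chaining operators have no meaning.
    """
    if not (_HOSTNAME_RE.match(target) or _IPV4_RE.match(target)):
        raise ValueError(f"rejected target: {target!r}")
    return ["ping", "-c", "4", target]
```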

Conclusion

This walkthrough was just a reinforcement of the concepts we learned in the previous article, where I explained how dangerous such a vulnerability can be.

Web application security can be extremely fun and rewarding, so if you liked this article, I suggest you read about the OWASP Top 10.

I would be honoured to embark on this journey of learning web application security with you. I hope you appreciate the practical approach of my articles, and if so, also take a look at:

  • XSS
  • SQL Injection

Please don’t forget to follow my work and I hope to see you soon! New articles are coming!
