For the third installment of our Damn Vulnerable Web App walkthrough, we will tackle command injection via the web. This is very simple to exploit and really doesn’t require the aid of Burp Suite at all.
The intended use of this app is for the user to enter an IP address and the server will run the ping command against the provided IP.
We can assume that the web server is running the following command:
With a little bit of Linux knowledge, we know that we should be able to terminate the ping command and execute another command with a semicolon (the semicolon is the shell's command separator character). We try sending ; id and, what do you know, we receive the output of the id command and can see that the web server is running as the nobody account.
We can run arbitrary commands on the server; however, our privileges are limited because we are running as the nobody account. Even so, as nobody we can still:
- Read content from non-web accessible directories
- List directory contents
- Execute commands
- Upload files and make remote connections to other systems
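To make the defensive side of this concrete, here is an added Python example (not DVWA's own code, which is PHP): the string-concatenation pattern that makes "; id" work, beside a handler that validates the input as a literal IP address and passes it to ping as a separate argv element with no shell, plus a simple check a defender can use to log suspicious input. Function names and the "-c 4" option are assumptions for illustration.

```python
import ipaddress
import subprocess
from typing import List

# Characters the shell treats specially; ";" is the separator used on this page.
SHELL_METACHARS = set(";|&`$(){}<>\n")


def build_ping_command_unsafe(user_input: str) -> str:
    # Vulnerable pattern: the untrusted value is spliced into one shell string.
    # A ";" ends the ping command and whatever follows runs as a second command.
    return "ping -c 4 " + user_input


def validate_ip(user_input: str) -> str:
    # Accept only a literal IPv4 or IPv6 address; everything else is rejected.
    try:
        return str(ipaddress.ip_address(user_input.strip()))
    except ValueError as exc:
        raise ValueError(f"not an IP address: {user_input!r}") from exc


def build_ping_command_safe(user_input: str) -> List[str]:
    # The validated address is its own argv element. Without shell=True the
    # list goes straight to execve, so separator characters carry no meaning.
    return ["ping", "-c", "4", validate_ip(user_input)]


def looks_like_injection(user_input: str) -> bool:
    # Detection hook: flag input carrying shell metacharacters so the attempt
    # can be logged or alerted on even when the handler already rejects it.
    return any(ch in SHELL_METACHARS for ch in user_input)


def run_ping(user_input: str) -> str:
    # Hardened handler: validation first, then subprocess without a shell.
    if looks_like_injection(user_input):
        print(f"[alert] shell metacharacters in ping input: {user_input!r}")
    argv = build_ping_command_safe(user_input)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=15)
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs: a normal address and the page's "; id" payload.
    print(build_ping_command_unsafe("127.0.0.1; id"))   # two commands for the shell
    print(build_ping_command_safe("127.0.0.1"))         # single argv list
    try:
        build_ping_command_safe("127.0.0.1; id")
    except ValueError as err:
        print("rejected:", err)
```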