DVWA Walkthrough Part 3: Command Injection


For the third installment of our Damn Vulnerable Web App walkthrough, we will tackle command injection via the web. This is very simple to exploit and really doesn't require the aid of Burp Suite at all.

The intended use of this app is for the user to enter an IP address and the server will run the ping command against the provided IP.


We can assume that the web server is running the following command:


With a little bit of Linux knowledge, we know that we should be able to terminate the ping command and execute another command with a semicolon (the semicolon is the shell's command separator). We try sending ; id, and what do you know, we receive the output of the id command, which shows that the web server is running as the nobody account.



We can run arbitrary commands on the server; however, our privileges are limited because we are running as the nobody account.
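As an added example (not DVWA's own PHP source), the following Python models the pattern this page describes: the vulnerable shell-string concatenation that lets a field such as "; id" tack a second command onto the ping, beside the hardened form a defender would ship, which validates the field as an IP address and passes it to ping without a shell. The ping command line is assumed to be ping -c 3 <ip>; the shell-splitting helper is a deliberately rough model of ';' handling, not a full shell parser.

```python
import ipaddress
import subprocess


def build_ping_command_unsafe(user_input: str) -> str:
    """Vulnerable pattern: the raw form field is concatenated into a shell
    string. Returned, never executed here; it shows what the shell would see."""
    return "ping -c 3 " + user_input  # assumed command line, see lead-in


def split_shell_commands(command: str) -> list:
    """Rough model of POSIX shell behaviour: ';' separates commands, so a
    field like '; id' turns the single ping into two commands."""
    return [part.strip() for part in command.split(";") if part.strip()]


def ping_argv_safe(user_input: str) -> list:
    """Hardened form: accept only a literal IP address and hand it to ping as
    one argv element with no shell, so metacharacters are never interpreted."""
    try:
        ip = ipaddress.ip_address(user_input.strip())
    except ValueError:
        raise ValueError("expected an IP address, got %r" % user_input) from None
    return ["ping", "-c", "3", str(ip)]


def is_accepted(user_input: str) -> bool:
    """True if the hardened validator would let this field through."""
    try:
        ping_argv_safe(user_input)
        return True
    except ValueError:
        return False


def ping_safe(user_input: str) -> int:
    """Run the hardened command without a shell; returns ping's exit status."""
    return subprocess.run(ping_argv_safe(user_input), shell=False, check=False).returncode


if __name__ == "__main__":
    injected = "127.0.0.1; id"  # constructed sample, mirrors the walkthrough
    print("shell would run:", split_shell_commands(build_ping_command_unsafe(injected)))
    print("hardened accepts injected field:", is_accepted(injected))
    print("hardened argv for 127.0.0.1:", ping_argv_safe("127.0.0.1"))
```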

Some other things you can do with command injection:

  • Read content from non-web accessible directories
  • List directory contents
  • Execute commands
  • Upload files and make remote connections to other systems

