DVWA Walkthrough Part 3: Command Injection


For the third installment of our Damn Vulnerable Web App walkthrough we will tackle command injection via the web. This is very simple to exploit and really doesn’t require the aid of Burp Suite at all.

The intended use of this page is for the user to enter an IP address; the server then runs the ping command against the address provided.


We can assume that the web server is running the following command:

ping 8.8.8.8

With a little bit of Linux knowledge, we know that we should be able to terminate the ping command and execute another command with a semicolon (the semicolon is the shell's command separator). We try sending ; id and, what do you know, we receive the output of the id command, which shows that the web server is running as the nobody account.


We can run arbitrary commands on the server; however, our privileges are limited because we are running as the nobody account.

Some other things you can do with command injection:

  • Read content from non-web accessible directories
  • List directory contents
  • Execute commands
  • Upload files and make remote connections to other systems
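As an added example that is not part of the original post (and not DVWA's own PHP), here is the vulnerable pattern the walkthrough assumes next to a hardened version, written in Python in place of the server-side code. The -c 3 count, the function names and the list of separator tokens are my own choices.

```python
import ipaddress
import shlex
import subprocess

# Shell tokens that end one command and start the next; the page uses ';'.
SEPARATORS = {";", "&&", "||", "|", "&"}

def build_ping_command_vulnerable(user_input: str) -> str:
    """The pattern the page assumes: the form value is pasted into a shell
    string, so anything the user appends is parsed by the shell itself."""
    return "ping -c 3 " + user_input

def shell_commands(cmd_line: str) -> list[list[str]]:
    """Tokenise like /bin/sh and split on separators: one argv per command
    the server would actually run. More than one list means injection."""
    lexer = shlex.shlex(cmd_line, posix=True, punctuation_chars=True)
    groups, current = [], []
    for tok in lexer:
        if tok in SEPARATORS:
            if current:
                groups.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        groups.append(current)
    return groups

def validate_target(user_input: str) -> str:
    """Accept only a literal IPv4/IPv6 address. Rejecting anything else,
    rather than escaping it, is what keeps '; id' out of the shell."""
    try:
        return str(ipaddress.ip_address(user_input.strip()))
    except ValueError:
        raise ValueError(f"not an IP address: {user_input!r}") from None

def build_ping_command_safe(user_input: str) -> list[str]:
    """Argument list for subprocess with no shell: the target is always a
    single argv element, so no separator character is ever interpreted."""
    return ["ping", "-c", "3", validate_target(user_input)]

def run_ping(user_input: str) -> str:
    """Hardened endpoint body: validate, then exec without a shell."""
    result = subprocess.run(build_ping_command_safe(user_input),
                            capture_output=True, text=True, timeout=15)
    return result.stdout + result.stderr
```

Feeding the page's "8.8.8.8; id" to the vulnerable builder yields two separate commands; the safe builder refuses it before any process is started.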
