Command Injection with DVWA

Background

Injection attacks are number 3 on the OWASP Top 10. There are a number of different types of injection attacks including SQL, OS command, and LDAP injection with 33 common weakness enumerations. We'll use the DVWA to demonstrate a simple exploitation of an OS command injection vulnerability.

The application uses a php script to execute a ping command and reflect the results back to the user. The user supplies the input and if not properly sanitized then an injection vulnerability may exist.

Source Code Review

The source code shows no sanitization is performed on the input we submit to the application. We can simply chain an OS level command to achieve remote code execution and as an example I will exploit the vulnerability to open a reverse shell.

Exploiting to get a shell

How to Reproduce

1. You will need a reverse shell payload, there are many sources to discover these using python, bin/bash, socat or others. I used a python payload.

1. The payload is chained with the ping to server 8.8.8.8 which will cause execution of the python in-line script.

1. Make sure your listener is ready for the incoming connection.

You can try many different payloads, its no guarantee that python is installed on every server. I linked some resources to payloads and more details on command injection below.

Resources

• https://github.com/digininja/DVWA

• https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/

• https://owasp.org/Top10/A03_2021-Injection/