Do you know how to do an i attackcommand injection in DVWA? Before we talk about it, remember that This content on how to run a command injection in DVWA is made for academic purposes. The use of the technique that we will see below in an unauthorized environment is considered illegal. Therefore, we will teach you how to perform the following exercise in a legal web hacking practice environment called Damn Vulnerable Web App (DVWA).
DVWA is an application that contains pages with the main web-type vulnerabilities, which hackers often exploit. This app, based on PHP and MySQL, was developed to carry out cyber attacks on it safely and without harming anyone in the process.
In this post, we will teach you how to do command injection attack on DVWA. But first, we will briefly review what this web cyber attack consists of.
What is command injection?
According to the OWASP Top 10 list, which determines which are the ten most used cyberattacks against web applications, code injection is in third place. As the name suggests, these attacks involve executing code within an application’s server or client browser. However, there are different types of code injection, such as SQL injection, cross site scripting and command injection.
Command injection is a type of attack that consists of executing commands for Linux on a server. That is, it is based on vulnerabilities that allow executing bash commands directly on the server that hosts the web page. In this way, it can be used to exfiltrate files, modify them, delete them or take control of the server.
Command injection in DVWA
Command injection occurs when an application uses user input to execute code on the server. On the Damn Vulnerable Web App page, we will see an example of this. To do this, we must first prepare the practice web environment for the exercise.
Preparation
Install a virtual machine with Kali Linux. Install DVWA on said virtual machine. Access the DVWA application from a web browser in Kali. Sign in with your credentials «admin» and «password«. Go to the tab «DVWA Security» and choose the option «Low«.
Execution
To execute a command injection attack on DVWA, go to the tab that says “Command Injection«. There, you will see the following vulnerable web page, written in PHP language:
As you will see, the page allows the user to enter the value of an IP address to perform a «ping.» By entering any IP address, such as 127.0.0.1we will see the following result:
The application has successfully pinged, so we can deduce that the server is using a input of the user to execute an action. Now, we will check if it is possible to concatenate other Linux commands to discover server information. We will start with the command «id«.
In the last line of the application’s response message, we will see that it gives us information about the server. This means that we have checked the vulnerability. Now, we will execute the command «cat /etc/passwd» to access sensitive system information.
The vulnerability allows information to be exfiltrated and execute code remotely in the application, therefore posing a risk to the servers and their clients.
How to learn more?
Now you know how to do a command injection attack on DVWA. If you want to learn more about web hacking techniquesAt we have the intensive training for you. Enter our Cybersecurity Full Stack Bootcamp and become a professional in the sector in just 7 months. What are you still waiting for? ¡Sign up now!