DVWA is Damn Vulnerable Web App – Where we can test our skills/ knowledge for pen-testing known vulnerabilities in Web Applications, Today we are checking on Command Execution Vulnerability.
Command Execution is a vulnerability that allows remote users to pass a arbitrary Command to website/ web application and execute it. Command can execute without the knowledge of Application / website owner and is very risk vulnerability.
In case of Command Execution Vulnerability, the user may have a remote shell on your machine/server.
The commands are executed with same privilege as that of Web server/Application.
Command Execution Vulnerability in most cases is result of lack of input data validation, which is later manipulated by hackers.
We have already discussed how to setup DVWA LAB on this link , You can download any VirtualMachine like OWASP-BWA, or Metasploitable2 which have hosted DVWA.
I have my LAB setup and I am using OWASP VirtualMachine, you can host your own, or only install DVWA on localhost.
All you need in case of VM is to check what is the IP Assigned to your VirtualMachine. You may run networkdiscover -i InterfaceName to find all active machines.
Default Username:Password for DVWA is
admin:admin , use this to login to DVWA.
As this is for beginner’s , we change DVWA Security to ‘LOW’. This will enable us to learn it easily.
Simple Test: Ping
We try to ping any IP Address and check what happens. Enter an IP Address in the input box and click submit. ( prefered from your network , I am doing it for VirbualBox Adapter vboxnet0, as I want a response back to demonstrate)
We notice that the output of Ping can be obtained on screen.
Lets now find out various things, as we see we can execute commands through the input box, we have Remote Code Execution ( RCE ) deadly bug.
Find User Details
We add one more command to see if we get the output.
" & 'command'" after IP Address to check. Here we input
"192.168.56.101 & id" (without quotes).
If we see the output on screen, we can observe input is triggered on the machine ( running web application), and we got user id current running by “id” command.
PING 192.168.56.101 (192.168.56.101) 56(84) bytes of data.
From 192.168.56.103 icmp_seq=1 Destination Host Unreachable
From 192.168.56.103 icmp_seq=2 Destination Host Unreachable
From 192.168.56.103 icmp_seq=3 Destination Host Unreachable
--- 192.168.56.101 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2001ms
, pipe 3
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Find Linux Version running on machine:
192.168.56.101 & uname -a
We can see the kernel version of the machine.
Get all stored Password
We now try to get all the password stored on the machine, as it is a linux machine, so the passwords ( hashed ) are stored on /etc/passwd or at times /etc/shadow is also needed.
192.168.56.101 & cat /etc/passwd
Command Execution Flaw
So we now know what is Command Execution Vulnerability, the impact it can cause is disaster, Lets take a deeper look into it.
On the page where we tried all the above, the the bottom right corner of page we can see “
View Source“, click that to open the source.
- We can see the input is not validated/sanitized here.The source of the page makes it clear that it is not checking if the input is IP ($target) in the format of
\d+.\d+.\d+.\d+, where “\d+” will be a number with the possibility of multiple digits, like 192.168.1.106.
- Also the commands are executed after checking if it is Windows Machine or Others like Linux.
- In Linux machines, we can run multiple commands using
command1; command2;.. and we can also do the same here.
- The lack of input validation also allowed us to append more commands after IP Address like we did above.
192.168.56.101 ; echo "Hello Hacker !!\nLearn at EthicalHackx.com"
A look at Web Request in Burp:
We try to intercept the traffic in Burp and see how is is passing, the parameters.
POST /dvwa/vulnerabilities/exec/ HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept-Encoding: gzip, deflate
Cookie: security=low; PHPSESSID=0hgrjjr6tobdnc4qsv9no1kpp5; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada
So we now know what has caused the vulnerability and how it works.
Lets do something more.
Find Other Files and Directories and Permissions.
192.168.56.101 ; ls -l
It’s up-to your imagination what you can do if you uncover a Command Execution Bug, plus how to secure it.
Command Execution is different from
Remote Code Execution, commands are the OS defined ones, check the list of commands for Linux and Windows.
We will discuss more on other common web vulnerabilities in upcoming posts.