Tuesday, January 10, 2012

DVWA Command Execution on Low Security

Command Execution, or Remote Code Execution, is a common vulnerability found in a wide range of web apps that allows an attacker to execute commands or code on the system, sometimes with administrator privileges and without the attention of the owner of the targeted website. It is a very risk vulnerability which can expose large amounts of information to an attacker, and even allow them to maliciously delete data or deface your website. 

This guide will show some of the possible attacks that can be used for Command Execution. I will be using Samurai by InGuardians and DVWA by OWASP. If you need to obtain and setup Samurai, please see this post.


There are a few things we need to do to prep the environment and make sure everything works the way we want it.

1. Fire up Samurai (again, if you need to obtain and setup Samurai, please see this post).

2. Open Firefox by clicking on the Firefox Icon or going to Applications >  Internet > Firefox Web Browser. And go to the DVWA webpage (http://dvwa/).

3. Go to the DVWA Security page and change the Script Security setting from high to low.

Now we can go to the Command Execution page and get started!

The Exploit:

1. Go to the Command Execution page in DVWA and try it out to see what it does.

Based on the response we get, we can figure out that when we enter an IP address and press submit, the server executes the command ping -c 3 and tells us the result. Now lets experiment and see what else we can get out of the server.

2. Next we try the command ; ls and see what happens.

Great! First we get back the same ping results, but we also get the results from the ls command which tells us that there are two folders, help and source, and one file, index.php, in the directory where the commands are being executed.

3. Lets find out where these commands are running at, and where the filed we found previously are located by issuing the command ; pwd and reviewing the results.

Now we can see that the commands are being executed in the /srv/dvwa-nologin/vulnerabilities/exec directory, and this is also where our files are located.

4. Lets find out who we are executing the commands as and what processes are running on the machine by executing ; whoami ; ps and viewing the results.

Now we can see that we are executing commands as the www-data user and all of the processes running on the machine.

5. Lets see if we can find out who is allowed to login to this machine with the ; cat /etc/passwd command (this could later be used to bruteforce passwords and gain superuser access).

The /etc/passwd file is a text-based database of information about users that may login to the system or other operating system user identities that own running processes. 

If you go to the links listed under More info you can try out some more commands. This is just a sample of the many things that could be done.

1 comment: