Saturday, 21 March 2020

Damn Vulnerable Web App (DVWA) | Command Injection Attack

In this post we are going to discuss the Command Injection attack. For this we are going to use the Damn Vulnerable Web App (DVWA) VM.

Background:
  • What is Damn Vulnerable Web App (DVWA)?
    • Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
    • Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
  • What is Command Execution?
    • Command Execution is where a web application provides the ability to execute system commands.
  • What is a Command Injection Attack?
    • The purpose of the command injection attack is to inject and execute commands specified by the attacker in the vulnerable application.
    • In situations like this, the application, which executes unwanted system commands, is like a pseudo system shell, and the attacker may use it as an authorized system user.
    • Note that the commands are executed with the same privileges as the application and/or web server.
    • Command injection attacks are possible in most cases because of a lack of correct input data validation on data that the attacker can manipulate (forms, cookies, HTTP headers, etc.).
  • What is Command Injection Harvesting?
    • Command Injection Harvesting is where a malicious user manipulates a website's command execution feature to render sensitive data (e.g., usernames, config files, directory and file listings, etc.).
      • Unix/Linux Example: 9.9.9.9; cat /etc/passwd
      • Windows Example: 9.9.9.9 && dir
Lab:
1) Access the DVWA application in your browser.
2) Go to DVWA Security, choose Low and click on Submit.
3) Then go to Command Injection.
In this web application we have a feature to ping any IP address. Let's test this feature.
Yes, this is the expected feature. Now let's test whether there is any security vulnerability in this feature.
4) Now let's try to access the content of the /etc/passwd file through this feature.

We can see the content of the file /etc/passwd in the UI of our application. Similarly, an attacker can run any operation on the victim machine through this Command Injection, within the privileges of the web server user noted above. For example, if we pass an argument like 127.0.0.1 & rm -rf /var/, it will delete all content in the /var folder and make our application unusable.
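As an added example that is not part of the original post and is not DVWA's own source, here is the PHP pattern behind a ping feature like the one in the lab, beside a hardened version; the function names are assumed, and it assumes a Linux host where ping takes -c.

```php
<?php
// Added example, not DVWA's own source. Function names are assumed for
// this illustration; the host is assumed to be Linux (ping -c <count>).

// Vulnerable pattern: the user-supplied target is concatenated straight into
// a shell command line, so "127.0.0.1; cat /etc/passwd" becomes two commands
// and the second one runs with the web server's privileges.
function ping_vulnerable(string $target): string
{
    $cmd = 'ping -c 4 ' . $target;
    return (string) shell_exec($cmd);
}

// Hardened pattern: allow-list validation first, then shell-safe quoting.
function ping_hardened(string $target): string
{
    // 1. Accept only a syntactically valid IPv4 or IPv6 address. Any input
    //    carrying ; & | ` $( ) or whitespace fails this check outright,
    //    so no command is executed for it.
    if (filter_var($target, FILTER_VALIDATE_IP) === false) {
        return "Invalid target: only an IP address is accepted.\n";
    }

    // 2. Defence in depth: escapeshellarg() wraps the value in single quotes
    //    and escapes embedded quotes, so even a value that somehow passed the
    //    validator cannot terminate the argument and start a second command.
    $cmd = 'ping -c 4 ' . escapeshellarg($target);

    // 3. Only ping's own output is returned; nothing else can be chained.
    return (string) shell_exec($cmd);
}

// Demonstrate the validation step alone with constructed probe values
// (no command is executed here; the rejected inputs never reach a shell).
$probes = ['127.0.0.1', '127.0.0.1; cat /etc/passwd', '9.9.9.9 && dir', '::1'];
foreach ($probes as $p) {
    $verdict = filter_var($p, FILTER_VALIDATE_IP) === false ? 'rejected' : 'accepted';
    echo str_pad($p, 30) . ' => ' . $verdict . "\n";
}
```

Running the script prints `accepted` only for the two plain addresses; the validation step is what turns the lab's payload into a harmless error message.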