Command Injection Exploitation in DVWA


Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.

The aim of DVWA is to practice some of the most common web vulnerabilities, with various levels of difficulty, with a simple straightforward interface. Please note, there are both documented and undocumented vulnerabilities with this software. This is intentional. You are encouraged to try and discover as many issues as possible.


Step 1. In order to ensure that the application is vulnerable to command execution we can try a simple command. command injection is a technique used via a web interface in order to execute OS commands on a web server. By using this Damn Vulnerable Web Application (DVWA), it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or string.


Command Injection Exploitation in DVWA


Step 2. Click on DVWA Security and set Website Security Level low


Command Injection Exploitation in DVWA


Step 3. Firstly,get your target I.P Address.

Here i am using own I.P Address as a target.Type ifconfig in your kali linux terminal.


Command Injection Exploitation in DVWA


Step 4. Go to the command execution page Enter an IP address and click on submit

Now you can see the reply that tells us that we have establish a connection with the server.


Command Injection Exploitation in DVWA


Step 5. We can also implement multiple commands simultaneously just by using & sign. For example next command is :

192.168.136.129 && dir

After the above command click on submit, performing the said command will itemize all directories and files.


Command Injection Exploitation in DVWA


Step 6. Type the next command and click on submit, this command will show the user’s list

192.168.136.129 && net user

Command Injection Exploitation in DVWA


For References :-




I hope you enjoyed this article.


Sharing is caring

google
linkedin

About Author

Akash is a co-founder and an aspiring entrepreneur who keeps a close eye on open source, tech giants, and security. Get in touch with him by sending an email (akashchugh1994@gmail.com).


You may also like :-




Leave a Comment

Your email address will not be published. Required fields are marked *




Popular Posts

Get Latest Stuff Through Email


Stay Connected

Who Should Read TechTrick?

All the tricks and tips that TechTrick provides only for educational purpose. If you choose to use the information in TechTrick to break into computer systems maliciously and without authorization, you are on your own. Neither I (TechTrick Admin) nor anyone else associated with TechTrick shall be liable. We are not responsibe for any issues that caused due to informations provided here. So, Try yourself and see the results. You are not losing anything by trying... We are humans, Mistakes are quite natural. Here on TechTrick also have many mistakes..