Command Injection Exploitation in DVWA


Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.

The aim of DVWA is to practice some of the most common web vulnerabilities, with various levels of difficulty, with a simple straightforward interface. Please note, there are both documented and undocumented vulnerabilities with this software. This is intentional. You are encouraged to try and discover as many issues as possible.


Step 1. To confirm that the application is vulnerable to command execution, we can try a simple command. Command injection is a technique used via a web interface to execute OS commands on the web server. Using Damn Vulnerable Web Application (DVWA), it is very easy to find and exploit a command injection vulnerability in a vulnerable parameter or string.




Step 2. Click on DVWA Security and set the Website Security Level to Low.




Step 3. First, get your target IP address.

Here I am using my own IP address as the target. Type ifconfig in your Kali Linux terminal.




Step 4. Go to the Command Execution page, enter an IP address and click Submit.

You can now see the reply, which tells us that we have established a connection with the server.




Step 5. We can also run multiple commands at once by chaining them with the && operator. For example, the next command is:

192.168.136.129 && dir

After entering the above command, click Submit; the dir command will list all the directories and files.




Step 6. Type the next command and click Submit; this command will show the list of user accounts on the server.

192.168.136.129 && net user
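The two payloads above work because the Low level passes the ip parameter straight to the shell. The following is an added example, not DVWA's or the author's code, showing the defensive side: strict allow-list validation of the ip parameter (so a chained command never reaches a shell), and a detector that flags such attempts in access logs. The Apache-style log lines are constructed, and the /vulnerabilities/exec/ path and the ip parameter name are assumed.

```python
"""Added example (not DVWA's code): validate a ping form's `ip` parameter
and flag chained-command attempts such as `192.168.136.129 && dir`."""
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Metacharacters that chain or redirect commands in sh and in cmd.exe.
SHELL_META = re.compile(r"[;&|`$<>\r\n]")
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) ')  # request line of a combined log


def validate_ip(value: str) -> Optional[str]:
    """Return the canonical address if value is exactly one IP, else None.
    Allow-list parsing rejects anything that is not a bare address."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def build_ping_argv(value: str, count: int = 1) -> List[str]:
    """argv for subprocess.run(..., shell=False): the address is a single
    argument and is never interpolated into a shell command string."""
    ip = validate_ip(value)
    if ip is None:
        raise ValueError(f"rejected ip parameter: {value!r}")
    return ["ping", "-c", str(count), ip]


# Constructed sample log lines; a browser URL-encodes "&&" as %26%26.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /vulnerabilities/exec/?ip=192.168.136.129&Submit=Submit HTTP/1.1" 200 1234',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /vulnerabilities/exec/?ip=192.168.136.129+%26%26+dir&Submit=Submit HTTP/1.1" 200 4321',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /vulnerabilities/exec/?ip=192.168.136.129%3Bnet+user&Submit=Submit HTTP/1.1" 200 4000',
]


def flag_injection_attempts(lines) -> List[Tuple[str, str]]:
    """Return (client, decoded ip value) for requests whose ip parameter is
    not a valid address and carries a shell metacharacter."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m or "?" not in m.group(1):
            continue
        params = parse_qs(m.group(1).split("?", 1)[1])
        for raw in params.get("ip", []):
            if validate_ip(raw) is None and SHELL_META.search(raw):
                hits.append((line.split()[0], raw))
    return hits
```

The first log line is a legitimate ping and is not flagged; the second and third decode to the chained payloads from Steps 5 and 6 and are reported.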




I hope you enjoyed this article.




About Author

Akash is a co-founder and an aspiring entrepreneur who keeps a close eye on open source, tech giants, and security. Get in touch with him by sending an email (akashchugh1994@gmail.com).

