Good ol’ command execution

First Lesson: DVWA Lesson 1: Installing on Windows. Now we have everything set up on our Windows machine, we can finally begin we some fun! Login in with the password set during the previous lesson, and head towards the ‘DVWA Security’ tab on the bottom left hand side. Continue by setting the ‘Script Security’ level to ‘Low’, and clicking ‘submit’. If you’ve installed DVWA on Windows or Linux, keep in mind which when executing commands! Head over towards the ‘Command Execution’ tab:

• Try entering ‘192.168.1.1’, what happens?
• Are you able to execute any other commands?
• No? Time to read the source, located at: DVWA-1.0.8/vulnerabilities/exec/source/low.php

<?php

if( isset( $_POST[ 'submit' ] ) ) {

$target = $_REQUEST[ 'ip' ];

// Determine OS and execute the ping command.
if (stristr(php_uname('s'), 'Windows NT')) {

$cmd = shell_exec( 'ping ' . $target );
$html .= '<pre>'.$cmd.'</pre>';

} else {

$cmd = shell_exec( 'ping -c 3 ' . $target );
$html .= '<pre>'.$cmd.'</pre>';

}

?>

As we can see, the $target variable contains our user input. Fortunately for us it’s not being sanitized when passed to the shell_exec function. Allowing for our commands to cause malicious behaviour. As we’re hosting DVWA on a Windows Operating System we’re able to run commands consecutively by using ‘&’ in-between each one. Try out the commands bellow, or your own, if you feel confident in a Windows Terminal environment. Examples

• “127.0.0.1 & tasklist” – List the hosts current processes
• “127.0.0.1 & netstat -a”- Gives us the current ports opened on the host

Further reading

• Stack Overflow Post Code Injection