Wednesday, 30 May 2012

DVWA CSRF (Cross Site Request Forgery) LOW Level


Cross Site Request Forgery is very dangerous, and also quite common. OWASP describes Cross Site Request Forgery as:

 Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, like change the victim's e-mail address, home address, or password, or purchase something. CSRF attacks generally target functions that cause a state change on the server but can also be used to access sensitive data.

1. Go to the CSRF page in DVWA and change your admin password by entering a password in the New password and Confirm new password fields and clicking the Change button.



Notice that the page keeps loading but never completes. That is because Burp Suite is holding the request; we need to tell it to forward the packet so the request can finish.

2. Go to Burp Suite, click the Proxy tab, and view the password-change HTTP request. Forward it and you will see that your password has changed on the DVWA site.




Now the part we are interested in is the beginning of the HTTP request, which looks something like:

http://localhost/dvwa/vulnerabilities/csrf/?password_new=admin&password_conf=password&Change=Change#

Now all we have to do is construct a link that will perform the same function and hide it in some HTML so our victim doesn't know it is happening.
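The request above works as a CSRF because the password change is performed by a plain GET request carrying nothing the attacker cannot predict. The following is an added example, not DVWA's own code, of the same password-change handler hardened with the two standard controls: the state change is only performed on POST, and the form must echo back a random per-session synchronizer token. The names csrf_token(), csrf_token_valid() and update_password() are chosen for this illustration; update_password() stands in for the application's own storage call.

```php
<?php
// Added example (not DVWA's own code): password change protected against CSRF.
session_start();

// Issue one random token per session and embed it in the form as a hidden field.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session copy in constant time.
function csrf_token_valid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Placeholder for the application's real storage call (assumed, not DVWA's).
function update_password(string $user, string $hash): void
{
    // e.g. UPDATE users SET password = ? WHERE user = ?  (prepared statement)
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['Change'])) {
    // A forged GET link like the one in the write-up never reaches this branch,
    // and a forged POST from another origin cannot supply a valid token.
    if (!csrf_token_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('<pre>CSRF token missing or invalid</pre>');
    }
    $pass_new  = $_POST['password_new']  ?? '';
    $pass_conf = $_POST['password_conf'] ?? '';
    if ($pass_new === '' || $pass_new !== $pass_conf) {
        exit('<pre>Passwords did not match.</pre>');
    }
    update_password('admin', password_hash($pass_new, PASSWORD_DEFAULT));
    echo '<pre>Password Changed</pre>';
}
?>
<form method="post" action="">
    New password: <input type="password" name="password_new"><br>
    Confirm new password: <input type="password" name="password_conf"><br>
    <input type="hidden" name="csrf_token"
           value="<?php echo htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8'); ?>">
    <input type="submit" name="Change" value="Change">
</form>
```

Marking the session cookie SameSite=Lax via session_set_cookie_params() adds a second, browser-enforced layer, but the token check is what stops the attack on its own.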
That is as far as this post goes; if anyone wants to continue from here, please do.



Sunday, 27 May 2012

DVWA FILE INCLUSION : LOW Level

File Inclusion (FI) is a type of vulnerability most often found on websites. It allows an attacker to include a local file, usually through a script on the web server. The vulnerability occurs because user-supplied input is used without proper validation. This can lead to something as minimal as outputting the contents of the file, but depending on the severity.

1.) Open a browser and go to the DVWA login page (http://localhost/dvwa/Login.php).


2.) Enter Username: admin and Password: password, then click Login.


3.) Go to the DVWA Security page and change the Script Security setting from high to low.


4.) Go to the File Inclusion page of DVWA and we will get started.


5.) Click the View Source button to see what the File Inclusion source looks like; this will give us an idea of how it works and what we can do.


Now we can see that there is no filtering of what we include, so let's try some things out.

6.) Change the URL from http://localhost/dvwa/vulnerabilities/fi/?page=include.php to http://localhost/dvwa/vulnerabilities/fi/?page=/etc/passwd and see what happens.


As you can see, we get the contents of the passwd file and a few error messages. We now know the name of every user who can log into the local system, but what about all of the groups that exist?

7.) Again change the URL to http://localhost/dvwa/vulnerabilities/fi/?page=/etc/group and see what happens.


Again, we get the contents of the group file and some error messages. We could view the contents of any file the web server has read access to. If this were a truly insecure website, we could also use this to view pages on other websites by changing the URL like we did before, but pointing to a remote file or web page instead.
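The vulnerable page hands the page parameter straight to include(), which is why /etc/passwd, /etc/group or a remote URL can all be loaded. As an added example, not DVWA's own code, here is the same handler rewritten so that only files from a fixed allowlist inside an assumed pages/ directory can ever be included; the allowlist and the realpath() containment check are independent controls, and either one alone already rejects the requests used in steps 6 and 7. include.php is the page's own default; the other allowlisted names and resolve_page() are assumptions for this illustration.

```php
<?php
// Added example (not DVWA's own code): a confined include handler.
// Assumed layout: includable pages live in ./pages/ next to this script.
define('PAGES_DIR', __DIR__ . DIRECTORY_SEPARATOR . 'pages');

// Control 1: an allowlist of bare filenames. Nothing else is ever considered.
// include.php is the default from the write-up; the other names are assumed.
const ALLOWED_PAGES = ['include.php', 'file1.php', 'file2.php'];

function resolve_page(string $requested): ?string
{
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    // Control 2 (defence in depth): resolve the real path and require that it
    // still lies inside PAGES_DIR. realpath() collapses "../" and symlinks, and
    // returns false for anything that is not a local file, e.g. "http://...".
    $base = realpath(PAGES_DIR);
    $real = realpath(PAGES_DIR . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $real === false) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

$page = resolve_page((string) ($_GET['page'] ?? 'include.php'));
if ($page === null) {
    // Same response for "not on the list" and "escaped the directory":
    // do not tell the client which check failed.
    http_response_code(404);
    exit('<pre>ERROR: Page not found.</pre>');
}
include $page;
?>
```

Leaving allow_url_include=Off in php.ini (the default) blocks remote includes at the interpreter level regardless of what the application code does.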


DVWA COMMAND EXECUTION : LOW Level

1.) Open a browser and go to the DVWA login page (http://localhost/dvwa/Login.php).



2.) Enter Username: admin and Password: password, then click Login.



3.) Go to the DVWA Security page and change the Script Security setting from high to low.



4.) Go to the Command Execution page in DVWA and try it out to see what it does.



Based on the response we get, we can figure out that when we enter an IP address and press submit, the server executes the command ping -c 3 192.168.1.1 and shows us the result. Now let's experiment and see what else we can get out of the server.

5.) Next we enter 192.168.1.1 ; ls as the IP address and see what happens.



Great! First we get back the same ping results, but we also get the results from the ls command which tells us that there are two folders, help and source, and one file, index.php, in the directory where the commands are being executed.

6.) Let's find out where these commands are running, and where the files we found previously are located, by entering ; pwd and reviewing the results.



Now we can see that the commands are being executed in the /srv/dvwa-nologin/vulnerabilities/exec directory, and this is also where our files are located.

7.) Let's find out who we are executing the commands as and what processes are running on the machine by entering ; whoami ; ps and viewing the results.



Now we can see that we are executing commands as the www-data user, and we can see all of the processes running on the machine.

8.) Let's see if we can find out who is allowed to log in to this machine with the ; cat /etc/passwd command (this could later be used to brute-force passwords and gain superuser access).



The /etc/passwd file is a text-based database of information about users that may log in to the system, and about other operating-system user identities that own running processes.

If you go to the links listed under More info you can try out some more commands. This is just a sample of the many things that could be done.

Now let's check the source code of the vulnerable file:


High Command Execution Source

<?php

if( isset( $_POST[ 'submit' ] ) ) {

    $target = $_REQUEST["ip"];
    $target = stripslashes( $target );

    // Split the IP into 4 octets
    $octet = explode(".", $target);

    // Check IF each octet is an integer
    if ((is_numeric($octet[0])) && (is_numeric($octet[1])) && (is_numeric($octet[2])) && (is_numeric($octet[3])) && (sizeof($octet) == 4) ) {

        // If all 4 octets are int's put the IP back together.
        $target = $octet[0].'.'.$octet[1].'.'.$octet[2].'.'.$octet[3];

        // Determine OS and execute the ping command.
        if (stristr(php_uname('s'), 'Windows NT')) {

            $cmd = shell_exec( 'ping ' . $target );
            echo '<pre>'.$cmd.'</pre>';

        } else {

            $cmd = shell_exec( 'ping -c 3 ' . $target );
            echo '<pre>'.$cmd.'</pre>';

        }

    } else {
        echo '<pre>ERROR: You have entered an invalid IP</pre>';
    }

}

?>


Medium Command Execution Source

<?php

if( isset( $_POST[ 'submit'] ) ) {

    $target = $_REQUEST[ 'ip' ];

    // Remove any of the characters in the array (blacklist).
    $substitutions = array(
        '&&' => '',
        ';' => '',
    );

    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );

    // Determine OS and execute the ping command.
    if (stristr(php_uname('s'), 'Windows NT')) {

        $cmd = shell_exec( 'ping ' . $target );
        echo '<pre>'.$cmd.'</pre>';

    } else {

        $cmd = shell_exec( 'ping -c 3 ' . $target );
        echo '<pre>'.$cmd.'</pre>';

    }

}

?>


Low Command Execution Source

<?php

if( isset( $_POST[ 'submit' ] ) ) {

    $target = $_REQUEST[ 'ip' ];

    // Determine OS and execute the ping command.
    if (stristr(php_uname('s'), 'Windows NT')) {

        $cmd = shell_exec( 'ping ' . $target );
        echo '<pre>'.$cmd.'</pre>';

    } else {

        $cmd = shell_exec( 'ping -c 3 ' . $target );
        echo '<pre>'.$cmd.'</pre>';

    }

}
?>
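The Low source concatenates the raw input into the shell command, and the Medium source only strips two tokens (&& and ;) before doing the same, which is a blacklist and therefore a weak control. The robust fix is positive validation: accept only a well-formed IP address and pass nothing else to shell_exec(). This is an added example, not DVWA's own code; validate_ip() and ping_command() are names chosen for this illustration.

```php
<?php
// Added example (not DVWA's own code): the ping handler with positive input
// validation instead of a character blacklist. Only a syntactically valid IP
// address ever reaches the shell; "192.168.1.1 ; ls" from step 5 and
// "; whoami ; ps" from step 7 are rejected before any command is built.

function validate_ip(string $input): ?string
{
    // FILTER_VALIDATE_IP accepts only a well-formed IPv4 or IPv6 address, so an
    // input containing spaces, ';' or any other shell metacharacter cannot pass.
    $ip = filter_var(trim($input), FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

function ping_command(string $ip): string
{
    // Same OS switch as the original. escapeshellarg() is a second layer that
    // quotes the argument even though validate_ip() has already constrained it.
    $arg = escapeshellarg($ip);
    if (stristr(php_uname('s'), 'Windows NT')) {
        return 'ping ' . $arg;
    }
    return 'ping -c 3 ' . $arg;
}

if (isset($_POST['submit'])) {
    // Read from $_POST only; the original used $_REQUEST, which also accepts GET.
    $ip = validate_ip((string) ($_POST['ip'] ?? ''));
    if ($ip === null) {
        echo '<pre>ERROR: You have entered an invalid IP</pre>';
    } else {
        $output = shell_exec(ping_command($ip));
        // Encode the command output so it cannot inject HTML into the page.
        echo '<pre>' . htmlspecialchars((string) $output, ENT_QUOTES, 'UTF-8') . '</pre>';
    }
}

// Self-check from the command line against the inputs used in the write-up
// (constructed list; nothing is executed, only the validation is exercised).
if (PHP_SAPI === 'cli') {
    foreach (['192.168.1.1', '192.168.1.1 ; ls', '; pwd', '; whoami ; ps'] as $sample) {
        $verdict = validate_ip($sample) === null ? 'rejected' : 'accepted';
        printf("%-20s -> %s\n", $sample, $verdict);
    }
}
```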