DVWA: Command Execution – MEDIUM

It’s been a while, but I’m back, and we’re going to kick it up a notch. Let’s flip our DVWA instance to Medium Security Level and revisit our old favorite: Command Execution. I like command execution; it lets me write my exploit in a familiar environment.

First, let’s try to get some information.

Ok, we weren’t able to print our working directory. Looks like the ; is being filtered. We have several options here. We could start off with an &, or we could switch to a pipe (|). Since most of the commands we want to run can ignore the redirected input, this looks like a good bet.

Success. This was way too easy. If at first you don’t succeed, find some characters that aren’t filtered.
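Why stripping one character fails, and what a fix looks like, as an added example (not DVWA's code and not from the original post). The single-character blacklist is modeled only on the behaviour observed above; the function names and sample inputs are constructed for illustration.

```python
import ipaddress

# Assumption: the filter only deletes ';', which is what the post observed.
BLACKLIST = (";",)
SHELL_METACHARS = set("|&;`$()<>\n")


def blacklist_filter(target: str) -> str:
    """Weak approach: delete known-bad characters and keep everything else."""
    for bad in BLACKLIST:
        target = target.replace(bad, "")
    return target


def metachars_left(value: str) -> set:
    """Shell metacharacters that would still reach a shell after filtering."""
    return {c for c in value if c in SHELL_METACHARS}


def build_ping_argv(target: str) -> list:
    """Hardened approach: accept only a literal IPv4 address and return an
    argv list meant for subprocess.run(argv) with shell=False, so no shell
    ever parses the input."""
    addr = ipaddress.IPv4Address(target.strip())  # ValueError on anything else
    return ["ping", "-c", "4", str(addr)]


def is_accepted(target: str) -> bool:
    try:
        build_ping_argv(target)
        return True
    except ValueError:
        return False


# Constructed sample inputs using the separators named in the post.
SAMPLES = ["127.0.0.1", "127.0.0.1; pwd", "127.0.0.1 | pwd", "127.0.0.1 & pwd"]


def compare() -> list:
    """(input, blacklist output, metacharacters still present, allowlist verdict)"""
    return [(s, blacklist_filter(s), sorted(metachars_left(blacklist_filter(s))),
             is_accepted(s)) for s in SAMPLES]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

The blacklist leaves `|` and `&` in place, while the allowlist rejects every input that is not a bare IPv4 address.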


DVWA: Reflected Cross Site Scripting (XSS) – LOW

Today we have an easy one.  XSS can be incredibly easy to exploit.

[Image: Easy XSS]

While this is one of the easiest ways to test for XSS, it doesn’t really show the power of the attack.  What are some good ways to exploit it?

We can grab cookies.  We can even send these cookies elsewhere.  There does not need to be a pop-up dialog box explaining our XSS.  Our attack can run completely transparently (it just makes for bad screen captures).

[Image: Stealing cookies with XSS]


DVWA: Command Execution – LOW

I decided I needed to start a blog so that I have an excuse to play around with things in order to have something to write about.  My first set of posts are going to walk through breaking Damn Vulnerable Web App at various difficulty levels.  DVWA is broken up into 8 vulnerability types, and can be set to 3 difficulty levels.  There is also an option to turn on PHPIDS, which I may tackle in later posts.

I decided to start off with a nice easy Command Execution at LOW difficulty setting.  We’re presented with a nice little Ping interface.  First, we’ll try using it as designed:

[Image: Command_Execution_LOW_01]

This works out alright.  I wonder what else this form will do…

[Image: Command_Execution_LOW_02]

Here we can see the working directory, and the username the process is running under, and the process running as this user.  What else can we glean?

[Image: Command_Execution_LOW_03]

Ok, so we can see the passwd file, but no shadow.  I guess we don’t have root.  How do we get around that?

I’ll look at trying to set up a backdoor or other interesting things to do next time.
