DVWA Command Injection

DVWA Command Injection banner

In my previous article of the DVWA series, I have demonstrated how to exploit DOM-based XSS vulnerabilities at low, medium and high security in DVWA Web Application and we have also reviewed the PHP source code which was running on the server. In this article, I will show you how to exploit Command Injection vulnerability in the same web application at low, medium and high security, simultaneously by reviewing their php source code. Again, I am writing this article from a very beginner’s point of view, keeping in mind you don’t know anything about Command Injection vulnerability.

Before we go to exploit the DVWA challenge let me clear your concept on Command Injection vulnerability and understand answers of some questions like:

What is Command Injection?

Why Command Injection vulnerability arises?

How to identify Command Injection vulnerability?

How to protect application from this vulnerability?

What is command injection?

Command Injection is the most dangerous web application vulnerability (rated mostly 9-10.0/10.0 in CVS Score) that allows an attacker to run any arbitrary OS command on host Operating System using vulnerable web application. This vulnerability is also referred with various other names like OS injection, OS command injection, shell injection, shell command injection, etc.

Once an attacker injects any arbitrary OS Command on server OS through the vulnerable application, he can completely compromise the server. This vulnerability always compromises the confidentiality, integrity and availability of the information present on the remote vulnerable machine.

Don’t get confuse with Code Injection because Code Injection and Command Injection both are different vulnerabilities.

Code Injection Vs Command Injection

Code InjectionCommand Injection
Code Injection is the general term for attack types which consists of injecting code that is then interpreted/executed by the application.Command Injection is an attack vector pertaining specifically to the injection of OS commands in remote machine through vulnerable web application.
Here the injected payload is any programming language code.  For example: any valid php code, python code, ruby code, etc.Here the injected payload is any programming language code.  For example any valid PHP code, python code, ruby code, etc.
In Code Injection, the privilege of the reverse shell is mostly root/admin after the execution of code on the remote machine because most of the time programming languages are executed with high privileges.It breaches the Confidentiality, Integrity, and Availability (CIA triad) of information only when the injected code is executed with high privileges.
Here the injected payload is an OS command. For example: id, whoami, ipconfig or any valid OS command.In this attack vector, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. For example, if the command injection is in the vulnerable web application, then mostly the privilege of the reverse shell is www-data.
Table: Code Injection Vs Command Injection

Why Command Injection Vulnerability arises?

Before understanding how command injection vulnerability arises let us understand the basics how any command is executed in any operating system shell. From the below screenshot, it is clear that whenever we want to execute more than one command simultaneously we use some concatenating characters like &&, ||, ;, etc. So, when there is more than one OS command, they are executed in a sequence (from left to right). Also, when a command in the sequence fails, it won’t stop executing the other commands. This concatenating feature of command is primarily responsible for OS command injection if not implemented properly by web applications.

Checking the working of Command Injection in DVWA

For example, suppose there is a web application that has a ping functionality and it allows the user to check whether the entered IP or domain is pingable or not. So, whenever the user enters his/her IP address in the input field then in the background the command executed is $ ping 172.217.161.14 on the command shell.

Checking functionality of the application during DVWA Command Injection challenge

Now what if an attacker enters 172.217.161.14 && whoami in the input field. It will also execute $ whoami command in the shell if no any input validation or check is implemented on the user input field in the user form (See below PoC).

Executing OS Command on Vulnerable application during DVWA Command Injection

Main cause of Command Injection

Command injection vulnerability mainly arises when the application does not perform proper input validation on input given by the user in the input field and passes that data to the system shell unmodified.

How to identify Command Injection Vulnerability?

Below are the steps which we generally use while checking for command injection vulnerability.

  1. Identify the behaviour/functionality of the application on giving input in the input field.
  2. If the application is executing any OS command in the backend to process your input, then you should definitely try to inject the command injection payload there.

Some of the applications where you can test for command injection are in any lookup application, shopping websites, website providing online tools, etc.

Note: Since each Operating System has different OS commands so try to inject those OS command in your payload on which the application is running.

Some of the OS commands that you can use for testing this vulnerability are:

Useful Commands: Linux

whoami, ifconfig, ls, uname -a

Useful Commands: Windows

whoami, ipconfig, dir, ver

Payload building Techniques

You can frame your own command injection payload using the following command execution rules using characters | ; & $ > < ' !.

  • cmd1|cmd2 : Uses of | will make command 2 to be executed whether command 1 execution is successful or not.
  • cmd1;cmd2 : Uses of ; will make command 2 to be executed whether command 1 execution is successful or not.
  • cmd1||cmd2 : Command 2 will only be executed if command 1 execution fails.
  • cmd1&&cmd2 : Command 2 will only be executed if command 1 execution succeeds.
  • $(cmd) : For example, echo $(whoami) or $(touch test.sh; echo ‘ls’ > test.sh)
  • cmd : It’s used to execute specific command. For example, whoami
  •  >(cmd): >(ls)
  • <(cmd): <(ls)

How to Avoid Command Injection vulnerability?

As we know, the main reason for command injection vulnerability is improper input validation. So the most significant way to protect it is by implementing proper input validation on the input given by the user from the client as well as server ends. Some of the other techniques are:

  • Avoid calling out directly to operating system commands. If that is not possible then prefer built-in APIs that cannot be manipulated to execute commands other than the one intended.
  • If possible, a whitelist should be used to restrict user input to a specific set of expected values rather than implementing blacklist.

Now we have learnt the basics. Let us exploit the Command Injection vulnerability in the DVWA application at low, medium and high levels.

First of all, login into your DVWA application by default credential admin : password or something else which you have set.

Dvwa login page

Low Level

We will start from low level and will proceed to high level gradually. Click on DVWA security button on the left pane to change the difficulty to low and select Command Injection challenge.

Low level command injection security select

We are on the challenge page. First of all, we have to check the functionality of the application how it is behaving. On entering the loop back address or any valid IP address we found that the application is pinging it.

Checking the functionality of application at low security

From our previous concept, we also know that pinging can only be done by the $ ping command [in Windows as well as Linux] which means, this application is executing OS command in the background to perform the desired functionality. What if we concatenate our command injection payload with the loopback address? If this application is vulnerable to command injection, we will find our injected OS command gets executed.  I have injected 127.0.0.1 && ipconfig payload in the input field and found that our injected command $ ipconfig also got executed (check arrow 4 for PoC).

Executing OS command at dvwa low security by injecting OS command ipconfig

We can also inject other OS commands for our surety. This time I have used the payload 127.0.0.1 && ver and the result of $ ver command can be observed indicated by arrow 4.

Executing OS command at dvwa low security by injecting OS command ver

Source Code Analysis

Let us check the source code of this level. $_Request[‘ip’],php global variable (denoted by arrow 1), accepts user input inside ip parameter. Arrows 2 & 3 indicate whatever input given inside ip parameter by the user is directly passed inside the shell_exec() function. shell_exec() function is responsible for executing OS command. Since there is no any input validation or sanitization implemented on ip parameter therefore our injected payload got executed.

Php source code review of Command Injection challenge at low level security in DVWA

Medium Level

Now change the dvwa security to medium as shown below.

Selecting the medium security of the application during Command Injection exploitation

We got the same page as we had in the low-level challenge. Again, we will follow the same general steps for finding command injection vulnerability. Again, enter the loopback IP address and click on Submit button to check the functionality of the application.

Checking the functionality of application at medium security

This time too the application is executing OS command in the background. Let us concatenate our basic command injection payload 127.0.0.1 && ipconfig with the loopback address and submit it.

OS command execution failed at dvwa

We got the error Bad parameter ipconfig. It appears that the application is performing some type of input validation on the ip parameter.

Source Code Analysis

Let us analyze the source code to find what is happening in the background.  Block no 1, 4 & 5 indicate the same code as we had in Low-level security. Block 2 contains an array that contains characters && and ; inside substitutions variable and passes it inside the str_replace() function in block 3 to replace these characters [ && and ; ] with ‘ ’ (space). This was the reason, when we were concatenating our payload && ipconfig, it became ipconfig ( after && is replaced with space) and we got the error.

Source code review at medium level

Bypass

We can bypass this by using some other concatenating characters like &, |, ||, etc. Let us use the payload 127.0.0.1 & ipconfig instead of the previous one. We found that our injected payload got executed [indicated by arrow 4].

Executing OS command at dvwa medium security by injecting OS command ipconfig

We can also inject other OS commands for our surety. This time I have used the payload 127.0.0.1 & ver and the result of $ ver command is shown by arrow 4.

Executing OS command at dvwa medium security by injecting OS command ver

High Level

Change the DVWA security level to High as shown below.

Selecting the high security of the application during Command Injection exploitation

Again, we got on the same page as we had at low and medium levels. Again, we will follow the same general steps for finding command injection vulnerability. So, click on Submit button by entering the loopback address to check the functionality of the application.

Checking the functionality of application at high security

This time too, the application is executing OS command in the background. Let us concatenate our basic command injection payload with the loopback address and submit it.

OS Command injection failed at high security

We got the error Bad parameter ipconfig. I have also tried the payload 127.0.0.1 && ipconfig, and again it gave the same error. It appears that the application is again performing some type of input validation on the ip parameter.

Source Code Analysis

Let us analyze the source code to find what is exactly happening in the background.  All the blocks are the same as we have at the medium level.  Block no 2 contains some extra characters like &, -, $, (, etc. inside substitutions variable and passes it inside the str_replace() function in block 3 to replace these characters with ‘ ’ (space). This was the reason, when we were concatenating our payload && ipconfig or & ipconfig with 127.0.0.1, we got the error.

Php source code of high level challenge

Bypass

One thing that is catchy in block 2 in the above source code that there is a space after pipe [| ] character which means, when the input in ip parameter is | ipconfig (note the space) it will replace it with ‘ ’ [space]. We can bypass it by using the payload |ipconfig (without space) and it will not block it. So, our final payload will become something like 127.0.0.1|ipconfig.

Let us use this payload instead of the previous one. We found that our injected payload got executed [indicated by arrow 3].

Executing OS command at dvwa high security by injecting OS command ipconfig

We can also inject other OS commands for our surety. I have used the payload 127.0.0.1 |ver and the result of $ ver command is shown by arrow 3.

Executing OS command at dvwa high security by injecting OS command ver

So, we have successfully exploited the Command Injection vulnerability in the DVWA web application at low, medium and high security.

Thanks for reading this article on Command Injection. Hope you would have learnt something new from it or have refined your concept of Command Injection. For any query and suggestion feel free to write us at [email protected].

References

https://owasp.org/www-community/attacks/Command_Injection

https://owasp.org/www-community/attacks/Code_Injection

https://portswigger.net/web-security/os-command-injection

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am InfoSec Consultant in day and Bug Bounty Hunter & CTF player at night. Sometimes write walkthrough and other cyber security articles here. You can connect me at https://www.linkedin.com/in/deepakdkm/