Let’s learn WebApp Pentest from basic on DVWA. From setup to hack. Part 3. Command Injection(low to high).
Hey all. How are you doing?
This is part 3 of WebApp Pentest from basic on DVWA. If you haven't read part 1, or don't know how to set DVWA up, go through it first. Here is the link: https://rahulmondal666.medium.com/lets-learn-webapp-pentest-from-basic-from-setup-to-hack-part-1-5a7d97843373
In part 2 we did brute force from the low level to the high level. Here is the link: https://rahulmondal666.medium.com/lets-learn-webapp-pentest-from-basic-on-dvwa-from-setup-to-hack-part-2-bruteforce-low-to-high-82ba55e27a73
Now open DVWA, log in and click on Command Injection. We already know what command injection is: the application takes our input, builds an operating-system command out of it and hands that string to a shell, so anything the shell treats specially (separators like &&, ;, & and |) is interpreted as well. Now we need to do it practically.
First, we will do this at the low level. The form asks for an IP address to ping, so let's enter any IP, like 8.8.8.8.
Behind the form, ping 8.8.8.8 is the command that gets executed. On a shell, && lets us chain a second command after the first one, so we can append && and another command. If the input is vulnerable, the second command will run too: 8.8.8.8 && whoami
And it worked. It shows the user the web server is running as (because the second command is whoami). One check worth knowing: && only runs the second command if ping exited successfully, so if your DVWA box has no outbound network and ping fails, whoami will not run. In that case use ; instead, which runs the second command regardless.
Now let's put this: 8.8.8.8 && dir
Why dir? If we check the source code (the View Source button at the bottom of the page), we can see that the code handles both Linux and Windows: it checks the operating system and runs plain ping on Windows and ping -c 4 on Linux, then appends our input to that string. dir is the Windows directory-listing command (GNU coreutils on Linux ships a dir command as well, so it works on either host). We got the correct result: we can see the files of the directory the web server is running in.
This is how we do command injection at the low level. Now let's do it at the medium level.
At the medium level, the source code shows a blacklist: the strings && and ; are stripped from our input (with str_replace) before it is appended to the ping command.
So we need to use separators other than "&&" and ";", like "&", "|" and many more. A single & runs ping in the background and immediately starts the next command; a single | runs both and feeds ping's output into the second command's standard input.
8.8.8.8 & whoami worked perfectly fine.
Now let's move to the high-security level of command injection.
Here the blacklist has more entries (open View Source and read the $substitutions array to see every one of them); among other things it now removes the single & and the pipe.
But there is a flaw: the pipe entry in the blacklist is written with a space after it, "| ", so only a pipe followed by a space is removed. A pipe with no space after it is left untouched.
So by using 8.8.8.8|whoami (no spaces around the pipe) we get the correct answer. Only whoami's output is shown, because ping's output is piped into whoami, which ignores its standard input.
8.8.8.8|dir also works.
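To see why each payload succeeds or fails at each level, here is an added Python model (my own example, not DVWA's PHP) of the filtering DVWA does before building the ping command. The blacklists are transcribed from DVWA's view-source pages as an assumption, so verify them against your own copy; the extra payload 8.8.8.8 &;& whoami is derived from the ordering of the medium blacklist and is not on this page; and validate_target / build_safe_command are hypothetical names for the hardened replacement, not DVWA functions.

```python
"""Model of DVWA's Command Injection filters at the Low, Medium and High
levels, plus a hardened replacement. Added example, not DVWA's own PHP.
The blacklists are transcribed from DVWA's view-source pages as an assumption;
verify them against your own copy. PHP's str_replace() with array arguments
applies each substitution in order over the whole string, which is what the
sequential str.replace() loop below reproduces."""
import ipaddress
from typing import List, Optional

# Medium level: only these two tokens are stripped.
MEDIUM_BLACKLIST = ["&&", ";"]

# High level: note the trailing space in "| " (a pipe with no space after it
# is left alone), which is the flaw exploited in the exercise.
HIGH_BLACKLIST = ["&", ";", "| ", "-", "$", "(", ")", "`", "||"]

LEVELS = {"low": [], "medium": MEDIUM_BLACKLIST, "high": HIGH_BLACKLIST}

# Shell separators that start a second command; longest first so "&&" is
# reported as "&&" rather than "&".
SEPARATORS = ("&&", "||", ";", "&", "|")


def apply_blacklist(target: str, blacklist: List[str]) -> str:
    """Strip each blacklisted token in order, like str_replace(array, '', $target)."""
    for token in blacklist:
        target = target.replace(token, "")
    return target


def build_vulnerable_command(level: str, target: str, windows: bool = False) -> str:
    """Return the string DVWA would hand to shell_exec() at the given level.
    DVWA runs 'ping' on Windows and 'ping -c 4' on *nix, then appends the
    (filtered) user input by plain string concatenation."""
    filtered = apply_blacklist(target, LEVELS[level])
    base = "ping " if windows else "ping -c 4 "
    return base + filtered


def surviving_separator(shell_line: str) -> Optional[str]:
    """Which separator, if any, survives filtering and would still let the
    shell start a second command. None means the payload was neutralised."""
    for sep in SEPARATORS:
        if sep in shell_line:
            return sep
    return None


def validate_target(target: str) -> Optional[str]:
    """Hardened check (hypothetical helper): accept only a literal IPv4/IPv6
    address, canonicalised. Separators, flags and hostnames all come back None."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        return None


def build_safe_command(target: str) -> List[str]:
    """Hardened form (hypothetical helper): validated address plus an argv list
    meant for subprocess.run() with shell=False, so no shell parses the input.
    The '-c 4' flags are the *nix ones; Windows ping uses '-n' instead."""
    addr = validate_target(target)
    if addr is None:
        raise ValueError("not an IP address: %r" % target)
    return ["ping", "-c", "4", addr]


if __name__ == "__main__":
    # Constructed payloads mirroring the exercise, plus one ("&;&") that follows
    # from the medium filter removing ';' only after it has looked for '&&'.
    payloads = ["8.8.8.8 && whoami", "8.8.8.8 & whoami", "8.8.8.8 &;& whoami",
                "8.8.8.8|whoami", "8.8.8.8 | whoami", "8.8.8.8"]
    for level in LEVELS:
        for p in payloads:
            line = build_vulnerable_command(level, p)
            print("%-6s %-20r -> %-32r separator=%s"
                  % (level, p, line, surviving_separator(line)))
    print("hardened:", build_safe_command("8.8.8.8"), validate_target("8.8.8.8|whoami"))
```

Run it and read the separator column: at medium, && disappears but & survives; at high, & and "| " disappear but a bare | survives, exactly what the three levels of the exercise showed. The fix is not a longer blacklist: validate_target only accepts something that parses as an IP address, and build_safe_command passes it as a separate argv element with no shell in between, so there is no separator left for an attacker to find.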
That is how command injection is done at each DVWA level: find the separator the filter forgot. I hope you all understood it properly.
We will meet again in part 4.