2 minute read

Matthews Notes

Installing DVWA on kali.

download DVWA: http://www.dvwa.co.uk/

unzip it and put it in /var/www/html mv DVWA-1.9/ /dvwa chmod -R 755 dvwa sudo service mysql start mysql -u root -p create database dvwa; exit nano dvwa/config/config.inc.php and change the db_password to ‘’ service apache2 start go to /dvwa/setup.php

Fixing some permission errors: chgrp www-data dvwa/hackable/uploads/ chmod g+w dvwa/hackable/uploads/ chgrp www-data dvwa/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt chmod g+w dvwa/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt

to get php-gd we need to add a repo. nano /etc/apt/sources.list

at the end of the file add: deb http://repo.kali.org/kali kali-rolling main non-free contrib and save the file.

apt-get update apt-get install php-gd

nano /etc/php5/apache2/php.ini change allow_url_include from Off to On service apache2 restart

Now we’re good to start! You could try to brute force to login using burpsuite, but the default security setting is impossible. So use : username:admin password:password

Command Injection

Security: low

Heres we can see at /var/www/html/dvwa/vulnerabilities/exec/source/low.php that there is no blacklist,

so we can simply provide another command using the semicolon and it will execute the second one.; cat /etc/passwd

Security: medium

looking at /var/www/html/dvwa/vulnerabilities/exec/source/medium.php we can see a blacklist has been added to remove &&, and ; This means we can no longer do our low solution.

Theres this handy thing called a pipe “ ”, so what if we use it instead of a semi colon.

We can send | cat /etc/passwd

we could also do &;& cat /etc/passwd thus recreating && since the semicolon is santized. && executes a command if the previous one worked.

Hey it works!

Security: high

We have quite the blacklist for this one which prevents us from using a number of special characters. Unless we can somehow bypass the blacklist

The description for high level says “The developer has either made a slight typo with the filters, and believes a certain PHP command will save them from this mistake We can see they accidently only put one ‘&’ instead of two. The command different between medium and high is the trim command which strips whitespace from the beginning and end of the command This means whitespace in the middle of a command is perfectly safe from trimming What if we had something like \n which is treated like whitespace, we could use characters like this

It doesn’t work for some reason

XSS Stored

Security: low Here we can do a simple xss, and do alert(“XSS”) in

Security: medium Here we can see they are filtering message box pretty well, but its different for the name field, so we’ll start there It is looking for ‘

Security: high

Here they are filtering out anything that looks like script, so we have to use something else. <svg onload=prompt(‘xss’)>

File Inclusion

By clicking on the example files we can see that they are dynamically running them to gather information, this means that we could inject code into them, and similar to an XSS attack, run whatever we want on this website

Security: low

There are two types of exploits here, Local Files (LF) which are stored on the site. and Remote Files (RF) which are not, but that doesn’t mean we can’t do anything about them.