Installing DVWA on Kali.

Download DVWA: http://www.dvwa.co.uk/
Unzip it and put it in /var/www/html, then set up the database and config:

mv DVWA-1.9/ dvwa
chmod -R 755 dvwa
sudo service mysql start
mysql -u root -p
create database dvwa;
exit

Edit dvwa/config/config.inc.php (nano dvwa/config/config.inc.php) and change db_password to '' (empty). Then:

service apache2 start

and open /dvwa/setup.php in the browser.
Fixing some permission errors:

chgrp www-data dvwa/hackable/uploads/
chmod g+w dvwa/hackable/uploads/
chgrp www-data dvwa/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt
chmod g+w dvwa/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt
To get php-gd we need to add a repo:

nano /etc/apt/sources.list

At the end of the file add the following line and save the file:

deb http://repo.kali.org/kali kali-rolling main non-free contrib

apt-get update
apt-get install php-gd

Then edit /etc/php5/apache2/php.ini, change allow_url_include from Off to On, and restart Apache:

nano /etc/php5/apache2/php.ini
service apache2 restart
Now we're good to start! You could try to brute-force the login with Burp Suite, but the default security level is "impossible", which blocks that. So use the default credentials: username admin, password password.
Command injection, security: low. Looking at /var/www/html/dvwa/vulnerabilities/exec/source/low.php we can see there is no blacklist at all, so we can simply append another command with a semicolon and the shell will execute the second one as well:
127.0.0.1; cat /etc/passwd
Security: medium. Looking at /var/www/html/dvwa/vulnerabilities/exec/source/medium.php we can see a blacklist has been added that removes "&&" and ";". This means our low-level solution no longer works.

There's this handy thing called a pipe, "|", so what if we use it instead of a semicolon? We can send:

127.0.0.1 | cat /etc/passwd
We could also send 127.0.0.1 &;& cat /etc/passwd, recreating && once the semicolon is stripped out (&& runs the second command only if the first one succeeded).
Hey it works!
Security: high. There is quite the blacklist for this one, which blocks a number of special characters, unless we can somehow bypass it.

The description for the high level says: "The developer has either made a slight typo with the filters, and believes a certain PHP command will save them from this mistake." We can see they accidentally put only one '&' instead of two. The other difference between medium and high is the trim command, which strips whitespace from the beginning and end of the input; whitespace in the middle of the input is untouched by trimming. What if we had something like \n, which is treated as whitespace? We could try characters like this.
It doesn’t work for some reason
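As an added example (my code, not from the write-up or from DVWA's source): a Python model of why the medium blacklist fails against the payloads above and what the fix looks like. It reuses the page's payloads, models the blacklist exactly as the write-up describes it (strip "&&", then ";"), and replaces it with an allowlist check (a literal IP address or nothing) plus running ping through subprocess with no shell in between. That the handler runs ping -c 4 on the input is an assumption for the sake of the example.

```python
import ipaddress
import subprocess

# Model of the medium-level blacklist as the write-up describes it: the tokens
# "&&" and ";" are deleted from the input, in this order, before the input is
# glued onto a shell command line.
MEDIUM_BLACKLIST = ("&&", ";")

# Payloads quoted in the write-up, plus the newline idea from the high level.
PAGE_PAYLOADS = (
    "127.0.0.1; cat /etc/passwd",
    "127.0.0.1 | cat /etc/passwd",
    "127.0.0.1 &;& cat /etc/passwd",
    "127.0.0.1\ncat /etc/passwd",
)


def medium_filter(target: str) -> str:
    """Blacklist filter: strip each forbidden token and keep everything else."""
    for token in MEDIUM_BLACKLIST:
        target = target.replace(token, "")
    return target


def blacklisted_command_line(target: str) -> str:
    """What the vulnerable handler hands to the shell (assumed: ping -c 4):
    filtered text spliced into a string, so any metacharacter the blacklist
    missed is still parsed by the shell."""
    return "ping -c 4 " + medium_filter(target)


def validated_target(target: str) -> str:
    """Allowlist check: accept a literal IPv4/IPv6 address and nothing else.
    ipaddress.ip_address() raises ValueError on any extra characters, embedded
    newlines included, so there is no metacharacter list to maintain."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        raise ValueError(f"not an IP address: {target!r}") from None


def safe_ping_argv(target: str) -> list:
    """Argument vector for subprocess.run(..., shell=False). No shell ever sees
    the string, so ';', '|' and '&&' carry no special meaning here."""
    return ["ping", "-c", "4", validated_target(target)]


def rejected_by_allowlist(target: str) -> bool:
    """True when the allowlist refuses the input."""
    try:
        safe_ping_argv(target)
    except ValueError:
        return True
    return False


def run_safe_ping(target: str) -> subprocess.CompletedProcess:
    """Validate, then run ping without a shell (needs a ping binary present)."""
    return subprocess.run(safe_ping_argv(target), capture_output=True,
                          text=True, check=False)


if __name__ == "__main__":
    for payload in PAGE_PAYLOADS:
        print(repr(payload))
        print("  blacklist leaves :", repr(blacklisted_command_line(payload)))
        print("  allowlist rejects:", rejected_by_allowlist(payload))
    print("valid input        :", safe_ping_argv("127.0.0.1"))
```

The two changes are independent and both matter: the allowlist makes the "which characters did we forget" question go away, and passing an argv list instead of a string means that even an input that slipped through validation would be one argument to ping, not a second command.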
XSS, security: low. Here we can do a simple XSS and put alert("XSS") in

Security: medium. Here we can see they are filtering the message box pretty well, but it's different for the name field, so we'll start there. It is looking for '

Security: high. Here they are filtering out anything that looks like script, so we have to use something else: <svg onload=prompt('xss')>
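As an added example, not from the write-up or from DVWA's source: a Python model of the name-field handling across the levels. The medium filter is the literal-string strip the write-up describes; the high filter is my reading of "anything that looks like script" as a regex, so treat it as an assumption rather than DVWA's code. The point is that the page's svg payload passes both blacklists untouched, while encoding on output neutralises it without any list of bad tag names.

```python
import html
import re

# Payload quoted in the write-up for the high level.
SVG_PAYLOAD = "<svg onload=prompt('xss')>"
PREFIX, SUFFIX = "<pre>Hello ", "</pre>"   # constructed page template


def medium_filter(name: str) -> str:
    """Blacklist in the spirit of the medium level: delete the literal '<script'."""
    return name.replace("<script", "")


def high_filter(name: str) -> str:
    """Blacklist in the spirit of the high level (assumed regex for 'anything
    that looks like script'): remove a script tag even when junk is wedged
    between its letters."""
    return re.sub(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", "", name, flags=re.IGNORECASE)


def render_medium(name: str) -> str:
    """Vulnerable pattern: filter, then reflect the result as raw HTML."""
    return PREFIX + medium_filter(name) + SUFFIX


def render_high(name: str) -> str:
    """Same pattern with the stronger blacklist."""
    return PREFIX + high_filter(name) + SUFFIX


def render_encoded(name: str) -> str:
    """The fix: encode for the HTML text context on output. No list of bad tag
    names is needed, because an encoded '<' cannot open a tag at all."""
    return PREFIX + html.escape(name, quote=True) + SUFFIX


TAG_OPEN = re.compile(r"<[a-zA-Z]")


def reflected_tag_survives(name: str, renderer) -> bool:
    """Detection check on the untrusted part of the output only: is there still
    something a browser will parse as the start of a tag?"""
    untrusted = renderer(name)[len(PREFIX):-len(SUFFIX)]
    return TAG_OPEN.search(untrusted) is not None


if __name__ == "__main__":
    for label, renderer in (("medium", render_medium), ("high", render_high),
                            ("encoded", render_encoded)):
        print(f"{label:8} {renderer(SVG_PAYLOAD)!r:50} "
              f"live tag: {reflected_tag_survives(SVG_PAYLOAD, renderer)}")
```

The detection helper looks only at the reflected part of the response; that is the same check a scanner or a unit test for the fix would make, and it turns the "does the svg trick still work" question into a yes/no you can assert on.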
File inclusion. By clicking on the example files we can see that they are included dynamically to build the page. This means we could get the application to include code of our choosing and, much like an XSS attack, run whatever we want on this website.

There are two variants here: local file inclusion (LFI), where the included file is already on the server, and remote file inclusion (RFI), where it is not, though that doesn't mean we can't do anything about it.
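As an added example (my code, not from the write-up or from DVWA): a Python model of the include handler showing the allowlist that stops both variants. The example-page names file1.php to file3.php and the sample parameters are constructed. Note that the allow_url_include=On change made during install above is what lets a URL reach include() at all; with it Off only the local variant is left, so the allowlist, not that php.ini setting, is the real control.

```python
import os
import re
import tempfile

# Constructed allowlist: the example pages the include is meant to serve.
ALLOWED_PAGES = frozenset({"file1.php", "file2.php", "file3.php"})

# Anything with a URL scheme is a remote include attempt
# (only reachable when allow_url_include=On, as set during install).
URL_SCHEME = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://")


def naive_resolve(base_dir: str, page: str) -> str:
    """What include($_GET['page']) effectively does for a local path: join and
    follow whatever was supplied, '..' segments included."""
    return os.path.realpath(os.path.join(base_dir, page))


def classify_page_param(page: str) -> str:
    """Label a 'page' parameter the way a log review or WAF rule would."""
    if URL_SCHEME.match(page):
        return "remote"
    if page in ALLOWED_PAGES:
        return "allowed"
    return "local-other"   # traversal, unknown file, stream wrappers, ...


def safe_include_path(base_dir: str, page: str) -> str:
    """Allowlist first; then confirm the resolved path is still under base_dir
    as defence in depth (catches a later mistake in the allowlist itself)."""
    if classify_page_param(page) != "allowed":
        raise ValueError(f"refusing to include {page!r}")
    root = os.path.realpath(base_dir)
    candidate = naive_resolve(base_dir, page)
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"{page!r} resolves outside the include directory")
    return candidate


def demo() -> dict:
    """Exercise the checks in a throwaway include directory and summarise."""
    summary = {}
    with tempfile.TemporaryDirectory() as base:
        for name in ALLOWED_PAGES:
            with open(os.path.join(base, name), "w") as fh:
                fh.write(f"<?php echo '{name}'; ?>\n")   # constructed stand-in content
        samples = ("file1.php", "../../etc/passwd", "http://example.invalid/page.txt")
        summary["labels"] = {s: classify_page_param(s) for s in samples}
        summary["allowed_resolves_to"] = os.path.basename(
            safe_include_path(base, "file1.php"))
        # The naive join happily leaves the directory; the guarded one refuses.
        root = os.path.realpath(base)
        summary["naive_escapes"] = (
            os.path.commonpath([root, naive_resolve(base, "../../etc/passwd")]) != root)
        try:
            safe_include_path(base, "../../etc/passwd")
            summary["traversal_refused"] = False
        except ValueError:
            summary["traversal_refused"] = True
    return summary


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

classify_page_param() doubles as a detection rule: counting "remote" and "local-other" values of the page parameter in the access log is a cheap way to spot someone working through this exercise against a server that is not supposed to be a lab.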