Johanes Ronaldo

Just another Binusian blog site

Ethical Hacking Week 9


Now that we have successfully installed DVWA, we will learn how to use this tool. The first thing we have to do is start the apache2 and mysql services. If you are reading this part right after installing DVWA, the services are already running and you do not need to start them again.

Now open the browser and enter localhost/login.php. You will see a page asking for a username and a password.

By default, the username is ‘admin’ and the password is ‘password’. Click Login and you will see the DVWA homepage.

Now we can see the modules we could try, such as “Brute Force”, “SQL Injection”, and many others, but before trying any of them we need to set the security level. Click DVWA Security and set it to Low.

Command Injection

Security Level: Low

Now let’s open “Command Injection” and look at the following page.
</gml_replace>
<gr_replace lines="23" cat="reformat" orig="Try entering an ip">
Try entering an IP address (I used google.com).

 Try entering an ip address. (I used google.com)

You should see the result of the ping. Now we know that this is the same as running the command “ping www.google.com” in the terminal. Next, let’s try to find the user ID. On a Unix shell a second command can be chained after the first with “;”, so the command we want is “ping www.google.com; id”. Let’s put “www.google.com; id” in the text box.

We can see the result and find our user ID, which is 33. Now click the “View Source” button at the bottom of the page to see the source code.

Security Level: Medium

Now let’s change the security level to Medium and try the same command again. You will find that it no longer gives any result. Click the “View Source” button at the bottom of the page.

We now have a set of blacklisted characters: ‘&&’ and ‘;’ are blacklisted and removed from the input before the command runs. This means that the command actually executed is not “ping www.google.com; id” but “ping www.google.com id”. Let’s try running that command in the terminal.

The command fails.

So what can we do? Since we know that ‘&&’ and ‘;’ are blacklisted, we should use a separator other than ‘;’. Let’s try “www.google.com | id”.

We now get the id output without using the ‘;’ character. This solves the Medium security level.

Security Level: High

Set the DVWA security level to High and enter “www.google.com; id” into the ping form again. The result is missing again, so let’s check the source code.

The number of blacklisted characters has increased, and it seems that you can no longer obtain the result. However, if you look closely at one of the blacklisted entries, “| ”, you can see that it consists of ‘|’ followed by a blank space. Let’s get around this by using “www.google.com|id”, placing id directly after the pipe with no space. It should work, because the shell does not care whether there is a space after the pipe or not.

We can see that the ping works and we have solved the High security level.
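The three levels above all share the same root cause: user input is pasted into a shell command string, and the Medium and High levels only try to strip known-bad separators afterwards. The following added example (my own Python code, not DVWA’s PHP source) models that blacklist filter and contrasts it with the fix a defender would apply: allowlist validation of the ping target plus passing the command as an argv list so that no shell ever parses the input. The blacklists are constructed from what the post describes (‘&&’ and ‘;’ at Medium, ‘| ’ additionally at High) and are not DVWA’s complete lists; the `ping -c 4` argument and the hostname regex are my assumptions.

```python
import ipaddress
import re
import subprocess
from typing import List

# Constructed model of the denylist filter the post describes. Medium strips
# '&&' and ';'; High additionally strips '| ' (pipe followed by a space). These
# are illustrative subsets, not the exact lists from DVWA's source code.
MEDIUM_BLACKLIST: List[str] = ["&&", ";"]
HIGH_BLACKLIST: List[str] = ["&&", ";", "| "]

# Shell metacharacters that, if they survive filtering, change command structure.
SHELL_SEPARATORS = ";|&"


def blacklist_filter(target: str, blacklist: List[str]) -> str:
    """Remove every blacklisted substring, exactly as a str_replace-style denylist does."""
    for bad in blacklist:
        target = target.replace(bad, "")
    return target


def is_blacklist_bypassed(target: str, blacklist: List[str]) -> bool:
    """True when a command separator survives the denylist, i.e. the filter failed."""
    filtered = blacklist_filter(target, blacklist)
    return any(ch in filtered for ch in SHELL_SEPARATORS)


# Assumed hostname grammar: dot-separated labels of letters, digits and hyphens.
HOSTNAME_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{HOSTNAME_LABEL}\.)*{HOSTNAME_LABEL}$")


def is_valid_ping_target(target: str) -> bool:
    """Allowlist validation: accept only an IP address or a well-formed hostname.

    Anything else (spaces, ';', '|', '&', quotes, ...) is rejected outright,
    so there is nothing for a denylist to miss.
    """
    if len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.fullmatch(target) is not None


def build_ping_argv(target: str) -> List[str]:
    """Build ping as an argv list; the target becomes a single argument, never shell text."""
    if not is_valid_ping_target(target):
        raise ValueError(f"rejected ping target: {target!r}")
    return ["ping", "-c", "4", target]  # '-c 4' is an assumed, fixed option


def safe_ping(target: str) -> str:
    # shell=False (the default) hands argv straight to the OS, so '|' or ';'
    # in the target could never be interpreted even if validation were skipped.
    result = subprocess.run(build_ping_argv(target), capture_output=True, text=True, timeout=30)
    return result.stdout


if __name__ == "__main__":
    # Inputs taken from the post, used here only to show which ones each check lets through.
    for candidate in ["www.google.com", "8.8.8.8", "www.google.com; id", "www.google.com | id", "www.google.com|id"]:
        print(f"{candidate!r:28} medium-bypassed={is_blacklist_bypassed(candidate, MEDIUM_BLACKLIST)!s:5} "
              f"high-bypassed={is_blacklist_bypassed(candidate, HIGH_BLACKLIST)!s:5} "
              f"allowlist-accepts={is_valid_ping_target(candidate)}")
```

Running the script shows the denylist gap narrowing from Medium to High while still letting one input through, whereas the allowlist accepts only the two genuine targets. The design point is that `build_ping_argv` never builds a string for a shell; once the argument list goes through `subprocess.run` without `shell=True`, separator characters are inert, and the allowlist check is there to produce a clean error rather than to be the only line of defence.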

Written by jronaldo

May 25th, 2018 at 8:40 am
