One of the best ways to improve your skills as a hacker is to learn different ways to attack success. What did it mean to do a good job?
Today, we want to use the Kali Linux and Metasploit to attack the vulnerable web application DVWA, as part of the Metasploitable 2 virtual machine.
Web Delivery Overview
server created on the attacking machine. The web delivery script is run once the target machine connects to the server and the payload is then executed. Python, Powershell, and PHP applications.
The web delivery scripts primary advantage is stealth. The server and payload are both hosted on the attacking machine, so when the exploit is carried out, there is nothing written to disc on the target, making it less likely to trigger antivirus applications and other defenses.
This type of vulnerability is especially dangerous because of the intrinsic power of system commands.
Step 1: Fire Up DVWA
The first thing we need to do is open DVWA and log in using the default credentials.
Next, browse to the "DVWA Security" tab and set the security level to "low" to make sure our exploit is run
Step 2: Find a Vulnerable Entry Point
Now we can navigate to the "Command Execution" page. For this attack to work, we have to ensure that the target application can communicate with our local machine. We can take advantage of the default functionality of this page to ping our attacking machine.
After receiving a successful reply, the next thing we need to do is determine if this page is vulnerable to command injection. We can do so by appending to an IP address. Here, we want to add the ls && symbol and hit "submit" again.