Fixing/Patching DVWA Remote command Execution vulnerability
Hi readers! its me Rishal. It's been so long since i have posted any good tutorial, so today i will be showing you all something new & interesting which is "Fixing DVWA Remote command Execution vulnerability". Let's get started.
Things Required:
- DVWA Installed on your localhost
Step by Step Guide:
- Login into dvwa & set the security level to low.
- Go to the command execution Vulnerable Application. Now let's first test it by executing come command. In my case i'm using Windows OS so i will be using windows command "dir".
Now once the command gets executed you should get a result showing some volume info & the files in the current directory as shown in the below image.
- Now its very clear that the web application is vulnerable to the command execution vulnerability. Now let's check thew source code of the webpage. Just click on view source below the webpage.
As you can see in the source code there is "NO" filtration for the data entered by the user, therefore allowing the attacker to pass arbitrary commands. To implement a fix we will have to add a filtration to the data entered by the user in the field.
The Fix :
- escapeshellarg() - It adds single quotes around a string and quotes/escapes any existing single quotes allowing you to pass a string directly to a shell function and having it be treated as a single safe argument. This function should be used to escape individual arguments to shell functions coming from user end.
Fix -
if( isset( $_POST[ 'submit' ] ) ) {
$target = escapeshellarg($_REQUEST[ 'ip' ]);
// Determine OS and execute the ping command.
if (stristr(php_uname('s'), 'Windows NT')) {
$cmd = shell_exec( 'ping ' . $target );
echo ''
.$cmd.'';
} else {
$cmd = shell_exec( 'ping -c 3 ' . $target );
echo ''
.$cmd.'';
}
} ?>
Result -
- escapeshellcmd() - This function is used to escape any character in a string that might be used to trick a shell command into executing any arbitrary commands. By escaping any character it ensures that any data coming from user end is filtered before it is passed to exec() or system().
if( isset( $_POST[ 'submit' ] ) ) {
$target = escapeshellcmd($_REQUEST[ 'ip' ]);
// Determine OS and execute the ping command.
if (stristr(php_uname('s'), 'Windows NT')) {
$cmd = shell_exec( 'ping ' . $target );
echo ''
.$cmd.'';
} else {
$cmd = shell_exec( 'ping -c 3 ' . $target );
echo ''
.$cmd.'';
}
} ?>
Result -
Hope you all learned something new :). Keep yourself updated to our website by liking our Facebook Fan Page.