Home Tutorials Fixing/Patching DVWA Remote command Execution vulnerability

Fixing/Patching DVWA Remote command Execution vulnerability

By
Tuesday, September 23, 2014
Read
Add Comment

Hi readers! its me Rishal. It's been so long since i have posted any good tutorial, so today i will be showing you all something new & interesting which is "Fixing DVWA Remote command Execution vulnerability". Let's get started.



 
Things Required:


  • DVWA Installed on your localhost



Step by Step Guide:


  • Login into dvwa & set the security level to low. 























  • Go to the command execution Vulnerable Application. Now let's first test it by executing come command. In my case i'm using Windows OS so i will be using windows command "dir". 
         Command - 127.0.0.1 | dir 

         Now once the command gets executed you should get a result showing some volume info & the files in the current directory as shown in the below image. 






  • Now its very clear that the web application is vulnerable to the command execution vulnerability. Now let's check thew source code of the webpage.  Just click on view source below the webpage. 






 

As you can see in the source code there is "NO" filtration for the data entered by the user, therefore allowing the attacker to pass arbitrary commands.  To implement a fix we will have to add a filtration to the data entered by the user in the field.




The Fix :

  • escapeshellarg() - It adds single quotes around a string and quotes/escapes any existing single quotes allowing you to pass a string directly to a shell function and having it be treated as a single safe argument. This function should be used to escape individual arguments to shell functions coming from user end.

 Fix -

if( isset( $_POST'submit' ] ) ) {

    $target escapeshellarg($_REQUEST'ip' ]);

    // Determine OS and execute the ping command.
    if (stristr(php_uname('s'), 'Windows NT')) { 
    
        $cmd shell_exec'ping  ' $target );
        echo '
'.$cmd.'
';
        
    } else { 
    
        $cmd shell_exec'ping  -c 3 ' $target );
        echo '
'.$cmd.'
';
        
    }
    
} ?>
 Result - 
 

  • escapeshellcmd() - This function is used to escape any character in a string that might be used to trick a shell command into executing any arbitrary commands. By escaping any character it ensures that any data coming from user end is filtered before it is passed to exec() or system().
Fix -


if( isset( $_POST'submit' ] ) ) {

    $target escapeshellcmd($_REQUEST'ip' ]);

    // Determine OS and execute the ping command.
    if (stristr(php_uname('s'), 'Windows NT')) { 
    
        $cmd shell_exec'ping  ' $target );
        echo '
'.$cmd.'
';
        
    } else { 
    
        $cmd shell_exec'ping  -c 3 ' $target );
        echo '
'.$cmd.'
';
        
    }
    
} ?>



Result -
Hope you all learned something new :). Keep yourself updated to our website by liking our Facebook Fan Page.  
Tags :

Created By Nexus · Powered by Blogger
© All Rights Reserved

Terms Of Service · Privacy Policy · Disclaimer · Contact Us · About Us