Tips for an Information Security Analyst/Pentester career - Episode 13: File Upload (DVWA)
In the previous episode, we talked about SQL injection with DVWA.
DVWA also contains a page that is vulnerable to unrestricted file upload.
In fact, when the security level is set to Low, that page accepts any kind of file, with no input validation whatsoever.
Prep
I took advantage of this vulnerability to upload a PHP reverse shell, available here.
Afterwards, I navigated to the URL of the uploaded reverse shell, highlighted in red, to launch it.
Getting a shell
With netcat already listening on port 1234, I received a shell as soon as the script ran.
A Python one-liner can then be used to upgrade it to an interactive shell.
Privilege escalation
The only problem left is how to become root on the DVWA machine.
I tried both sudo (my user is not in /etc/sudoers) and su -, to no avail.
However, I succeeded by running su and entering the default root password of a Kali VM (toor).
At that point, I could read /etc/shadow and /etc/passwd and recover all the usernames and passwords in the database.
Wrap-up
Once again, DVWA does a very good job of demonstrating how severe the impact of security vulnerabilities can be, and how they can be contained and prevented.
In fact, with the security level set to Impossible, I wasn't able to upload a PHP shell: I was asked to upload an image instead.
That's not a big deal, as there are ways to hide a PHP shell inside an image, but it means more hassle for a potential attacker.
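To make the difference between the Low and Impossible behaviour concrete, here is an added example that is not part of the original post or of DVWA's own code. It contrasts an upload handler that trusts the client-supplied filename and writes straight into the web root (the Low behaviour described in the Prep section) with one that enforces an image-only allowlist by extension and by magic bytes, caps the size, and stores the file under a server-chosen random name outside the web root. The functions, the size limit, the store directory and the sample uploads are all constructed for this example; the `hackable/uploads/` path is DVWA's real upload directory.

```python
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Magic bytes of the only two image formats this example accepts.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
ALLOWED = {"png": PNG_MAGIC, "jpg": JPEG_MAGIC, "jpeg": JPEG_MAGIC}
MAX_BYTES = 100_000  # assumed limit for this example, not DVWA's own value


@dataclass
class Upload:
    filename: str       # supplied by the client: untrusted
    content_type: str   # supplied by the client: untrusted, so never relied on below
    data: bytes


def low_upload(up: Upload, webroot: str) -> str:
    """DVWA 'Low' behaviour: keep the client's name and drop the file into the
    web root, so a .php upload lands where the web server will execute it.
    Returns the path the handler would write to (no disk I/O in this example)."""
    return os.path.join(webroot, "hackable", "uploads", os.path.basename(up.filename))


def validate(up: Upload) -> Optional[str]:
    """Return None if the upload is acceptable, otherwise the reason for rejection."""
    if len(up.data) > MAX_BYTES:
        return "file too large"
    ext = up.filename.rsplit(".", 1)[-1].lower() if "." in up.filename else ""
    if ext not in ALLOWED:
        return "extension not allowed"
    # Check the bytes, not the Content-Type header: the header is attacker-controlled.
    if not up.data.startswith(ALLOWED[ext]):
        return "content does not match the declared image type"
    return None


def hardened_upload(up: Upload, store_dir: str) -> str:
    """Accept only what validate() allows and store it under a random,
    server-chosen name in a directory outside the web root, so neither the
    name nor the location is attacker-controlled. Returns the target path."""
    reason = validate(up)
    if reason is not None:
        raise ValueError(reason)
    ext = up.filename.rsplit(".", 1)[-1].lower()
    return os.path.join(store_dir, f"{secrets.token_hex(16)}.{ext}")


if __name__ == "__main__":
    # Constructed sample uploads for a quick demonstration.
    php = Upload("shell.php", "image/jpeg", b"<?php echo 1; ?>")
    print("low handler would write:", low_upload(php, "/var/www/html"))
    print("hardened handler says:", validate(php))
```

The magic-byte check alone does not stop a valid image that has PHP appended or embedded in its metadata, which is exactly the "shell inside an image" case mentioned above. What makes that attempt pointless here is that the stored file is never served from a directory where the web server executes scripts and never keeps the name the attacker chose; re-encoding the image with an image library before saving it would remove the embedded code as well, but this example does not do that.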
This is a very important concept.
The whole point, other than preventing attacks outright, is to make it harder for an attacker to find an easy target. It's a psychological deterrence technique.
The more you harden a server or an application, the longer it takes to crack it, and the more likely attackers are to pick easier prey.
Episode 14
Episode 12