Over the previous episode, we talked about SQL injection with DVWA.
DVWA contains a file upload vulnerable page as well.
In fact, if the security level is setup to low, that page allows to upload any sort of file, without input validation whatsoever.
I took advantage of this vulnerability to upload a php reverse shell, available here.
Afterward, I navigated to the URL of the reverse shell, highlighted in red, to launch it.
Getting a shell
At the same time, by launching netcat on port 1234, I was able to get a shell.
We can use a Python one-liner to spawn an interactive shell.
The only problem left is how to become root on DVWA.
I tried both with sudo (I'm not in /etc/sudoers) and su -, to no avail.
However, I'm successful by launching su and using the default root password on a Kali VM (toor).
At that point, I could access /etc/shadow and /etc/passwd to recover all username and passwords in the database.
Once again, DVWA does a very good job demonstrating how severe the impact from security vulnerabilities can be and how they can get contained and prevented.
In fact, setting the security level to impossible, I wasn't able to upload a php shell. I was requested to upload an image.
That's not a big deal, as there are ways to insert a php shell inside an image, but it implies more hassles for a potential attacker.
This is a very important concept.
The whole point, other than preventing attacks, is to make it harder for an attacker to get an easy target. It's a psychological deterrence technique.