https://onnocenter.or.id/wiki/index.php?action=history&feed=atom&title=Hands-on_Command_Injection_Attack_%28en%29Hands-on Command Injection Attack (en) - Revision history2026-05-05T02:30:44ZRevision history for this page on the wikiMediaWiki 1.35.4https://onnocenter.or.id/wiki/index.php?title=Hands-on_Command_Injection_Attack_(en)&diff=71006&oldid=prevOnnowpurbo: Created page with "==Setting Up the Environment:== ===Install DVWA:=== * Download the DVWA ZIP file from [https://github.com/digininja/DVWA](https://github.com/digininja/DVWA). * Extract it to..."2024-10-20T12:42:33Z<p>Created page with "==Setting Up the Environment:== ===Install DVWA:=== * Download the DVWA ZIP file from [https://github.com/digininja/DVWA](https://github.com/digininja/DVWA). * Extract it to..."</p>
<p><b>New page</b></p><div>==Setting Up the Environment:==<br />
<br />
===Install DVWA:===<br />
<br />
* Download the DVWA ZIP file from [https://github.com/digininja/DVWA](https://github.com/digininja/DVWA).<br />
* Extract it to a directory on the Ubuntu server.<br />
* Install dependencies:<br />
<br />
sudo apt install apache2 mysql-server php libapache2-mod-php php-mysql<br />
<br />
===Configure Apache:===<br />
* Create a new Apache configuration file (e.g., `dvwa.conf`) in `/etc/apache2/sites-available/`.<br />
* Fill it with<br />
<br />
<VirtualHost *:80><br />
ServerName dvwa.local<br />
DocumentRoot /path/to/dvwa/<br />
<br />
<Directory /path/to/dvwa/><br />
AllowOverride All<br />
Require all granted<br />
</Directory><br />
</VirtualHost><br />
<br />
Replace `/path/to/dvwa/` with the path/directory of DVWA.<br />
* Enable the configuration:<br />
<br />
sudo a2ensite dvwa.conf<br />
<br />
* Restart Apache:<br />
<br />
sudo systemctl restart apache2<br />
<br />
===Configure MySQL:===<br />
<br />
* Create the DVWA database:<br />
<br />
mysql -u root -p<br />
CREATE DATABASE dvwa;<br />
<br />
* Import the DVWA database schema:<br />
<br />
mysql dvwa < /path/to/dvwa/dvwa.sql<br />
<br />
==Exploit Command Injection:==<br />
<br />
===Access DVWA:===<br />
* Open a web browser and go to `http://dvwa.local`.<br />
* Log in using the default credentials (`admin`/`password`).<br />
<br />
===Select the "Command Injection" Page:===<br />
* Click the "Command Injection" link.<br />
<br />
===Identify Vulnerable Input:===<br />
* The "Command Injection" page will display a form with a text input field. This input field is vulnerable to command injection.<br />
<br />
===Inject Command:===<br />
* Enter the following payload in the text input field:<br />
<br />
; cat /etc/passwd;<br />
<br />
<br />
The payload will execute the `cat` command to display the contents of the `/etc/passwd` file.<br />
<br />
===Submit Form:===<br />
* Click the "Submit" button.<br />
<br />
'''If the attack is successful, we will see the contents of `/etc/passwd`.'''<br />
<br />
==Additional Notes:==<br />
<br />
* We can experiment with other payloads to explore various vulnerabilities.<br />
* Always use a controlled environment with explicit permission from the system owner.<br />
* Remember that exploiting vulnerabilities is illegal and unethical.<br />
<br />
==Interesting Links==<br />
<br />
* [[Forensic: IT]]</div>Onnowpurbo