Kali Linux Web Penetration Testing Cookbook by Gilberto Nájera-Gutiérrez


Exploiting OS Command Injections

In the previous recipe, we saw how PHP's system() can be used to execute OS commands on the server. Developers sometimes use that instruction, or others with the same functionality, to perform tasks, and sometimes they pass unvalidated user input as parameters to the commands being executed.

In this recipe, we will exploit a Command Injection vulnerability and extract important information from the server.

How to do it...

  1. Log into the Damn Vulnerable Web Application (DVWA) and go to Command Execution.
  2. We will see a Ping for FREE form; let's try it. Ping 192.168.56.1 (our Kali Linux machine's IP in the host-only network):

    That output looks like it was taken directly from the ping command's output. This ...
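The pattern the introduction describes, shown as an added example that is not the book's or DVWA's own code: a ping handler that concatenates the request parameter into the command line, next to a hardened version that allow-lists the input as an IP address and quotes it before anything reaches the shell. The function names and the constructed inputs are assumptions for illustration.

```php
<?php
// Added example, not from the book or DVWA.

// Vulnerable pattern: the parameter is concatenated straight into the
// command line, so any shell metacharacters in it are interpreted by the
// shell. Never call this with request data.
function ping_unsafe(string $ip): string
{
    return (string) shell_exec("ping -c 3 " . $ip);
}

// Hardened pattern, step 1: allow-list the input. Only a string that parses
// as an IPv4/IPv6 address is accepted; everything else yields null and no
// command is built at all.
function build_ping_command(string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // Step 2: quote the argument anyway (defence in depth), so even a
    // validator bug would not hand metacharacters to the shell.
    return "ping -c 3 " . escapeshellarg($ip);
}

// Step 3: the handler runs the command only when validation succeeded and
// otherwise returns an error to the user.
function ping_safe(string $ip): string
{
    $cmd = build_ping_command($ip);
    if ($cmd === null) {
        return "Invalid IP address";
    }
    return (string) shell_exec($cmd);
}

// Constructed inputs: a well-formed address and a string that is not one.
$inputs = ["192.168.56.1", "192.168.56.1 ; hostname"];
foreach ($inputs as $ip) {
    $cmd = build_ping_command($ip);
    echo "input:   " . $ip . "\n";
    echo "command: " . ($cmd ?? "(rejected, nothing executed)") . "\n";
}
```

The first input produces `ping -c 3 '192.168.56.1'`; the second is rejected by the validator before any command string exists, which is the check a code reviewer should look for wherever system(), exec() or shell_exec() take request data.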
