DVWA COMMAND INJECTION (ALL LEVELS)
LOW, MEDIUM AND HIGH
Chris Christian
InfoSec Write-ups
April 2, 2026 (Updated: April 2, 2026)
Low Security
Scroll down and click the "View source" button to view the source code of the current level.
Vulnerability: The code takes user input from $_REQUEST['ip'] and concatenates it directly into shell_exec() with absolutely no validation or sanitization. The application blindly trusts that the user will only enter an IP address. This allows an attacker to append any shell operator (|, &&, ;) followed by arbitrary OS commands, which the server executes with web server privileges.
Confirming Injection
Start by confirming code execution with the simplest payload:
;whoami
;cat /etc/passwd
When you submit ;whoami, the semicolon ; is a shell command separator that tells the terminal to run whatever comes after it as a completely new, independent command. So the shell executes ping first, then executes whoami right after, regardless of whether ping succeeded or failed. Since there is no filtering on the input, the semicolon reaches the shell untouched and both commands run.
Medium Security
Scroll down and click the "View source" button to view the source code of the current level.
Vulnerability: The code attempts to fix the issue using a blacklist, stripping && and ; from the input. This is incomplete because it only blocks two operators out of many. The pipe operator | is completely unaddressed and works as-is.
Blacklists like this assume you know every possible attack vector in advance, which is never true.
Confirming Injection
The pipe operator | was never added to the blacklist. It passes through completely untouched:
| whoami
| cat /etc/passwd
| id
| uname -a
When you submit | whoami, the pipe | is meant to send the output of the left command as input to the right command. However, whoami does not need any input; it simply ignores whatever is piped into it and runs anyway. The important thing is that the pipe forces whoami to execute. Since the blacklist only strips && and ;, the pipe passes through untouched. The output of whoami is what gets captured by shell_exec() and rendered in the browser.
High Security
Scroll down and click the "View source" button to view the source code of the current level.
Vulnerability: This blocks almost every common operator and even command substitution characters like backticks and $(). It looks thorough but has one critical mistake.
The blacklist strips "| ", which is a pipe followed by a space. It does not strip "|" on its own. This means a pipe with no space before the command bypasses the filter completely.
Confirming Injection
|whoami
|cat /etc/passwd
|id
The Linux shell does not require a space after the pipe to understand it. |whoami and | whoami are treated identically by the shell. So whoami executes, and its output gets rendered in the browser.
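The filters from the Medium and High levels compared with an allowlist check, as an added example (not DVWA's source and not the author's code). The blacklists are modelled from the descriptions in this write-up, and all function names and sample inputs are hypothetical.

```php
<?php
// Added example: models the filters as this write-up describes them.
// Function names and exact blacklist contents are assumptions, not DVWA's source.

// Medium: only "&&" and ";" are stripped.
function filter_medium(string $in): string {
    return str_replace(['&&', ';'], '', $in);
}

// High: many operators stripped, but the pipe entry is "| " (pipe + space).
function filter_high(string $in): string {
    return str_replace(['&', ';', '| ', '$', '(', ')', '`', '||'], '', trim($in));
}

// True if any shell metacharacter would still reach shell_exec().
function reaches_shell(string $in): bool {
    return preg_match('/[|;&`$()<>\n]/', $in) === 1;
}

// Allowlist: accept only a syntactically valid IPv4/IPv6 address.
function validate_ip(string $in): ?string {
    $ip = filter_var(trim($in), FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// Build the command only from validated input; escapeshellarg() is defence in depth.
function build_ping(string $in): ?string {
    $ip = validate_ip($in);
    return $ip === null ? null : 'ping -c 4 ' . escapeshellarg($ip);
}

// Constructed sample inputs based on the operators discussed above.
$samples = ['127.0.0.1', ';whoami', '127.0.0.1 && id', '| whoami', '|whoami'];

foreach ($samples as $s) {
    printf("%-18s medium:%-8s high:%-8s allowlist:%s\n",
        $s,
        reaches_shell(filter_medium($s)) ? 'INJECTS' : 'clean',
        reaches_shell(filter_high($s)) ? 'INJECTS' : 'clean',
        build_ping($s) ?? 'rejected');
}
```

Only the legitimate address produces a command under the allowlist; every other input is rejected before any shell string is built, regardless of which operator it uses.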