A web application running on a server should never let users execute operating system commands on that server. In practice, web applications are not always as safe as they should be, and some let users run disallowed commands in unexpected ways.
In this lab, you will attempt a command execution attack through the DVWA (Damn Vulnerable Web Application) website to force the web server to execute operating system commands to read and display the contents of files and documents that reside outside of the web server's root hosting directory, and which normally should not be accessible from the web.
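To make the defect concrete from the defender's side, the following added example (not part of the lab page or of DVWA itself) contrasts the flawed pattern the lab exercises, where user input is pasted into a shell command string, with a hardened version that allow-list validates the input and passes it as a separate argv element so no shell ever parses it. The inputs `BENIGN_INPUT` and `HOSTILE_INPUT` are constructed sample values, and `ping -c 1` is an assumed command of the kind such a page would run.

```python
import ipaddress
import re
import subprocess

# Constructed sample inputs (not taken from the lab): a benign target and an
# input that tries to chain a second command with a shell metacharacter.
BENIGN_INPUT = "127.0.0.1"
HOSTILE_INPUT = "127.0.0.1; id"

# Hostname allow-list: RFC 1123-style labels (letters, digits, hyphens) joined
# by dots, first character alphanumeric so a value can never look like a flag.
_HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def build_vulnerable_command(user_input: str) -> str:
    """The flawed pattern: the raw input becomes part of a shell command line.

    Anything the shell treats specially (; | && $( ) and so on) in the input
    is interpreted as part of the command. Shown only to illustrate the defect
    the lab targets; never run its output with untrusted input.
    """
    return f"ping -c 1 {user_input}"


def is_valid_target(user_input: str) -> bool:
    """Allow-list validation: accept only an IP literal or a plain hostname."""
    try:
        ipaddress.ip_address(user_input)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(user_input) is not None


def build_safe_argv(user_input: str) -> list[str]:
    """Hardened pattern: validate first, then keep the target as its own argv
    element. With a list and shell=False (the default) no shell is involved,
    so metacharacters have no special meaning even if validation were bypassed.
    """
    if not is_valid_target(user_input):
        raise ValueError("rejected target: not an IP address or hostname")
    return ["ping", "-c", "1", user_input]


def run_safe(user_input: str) -> subprocess.CompletedProcess:
    """Execute the hardened command; raises ValueError on a rejected target."""
    return subprocess.run(
        build_safe_argv(user_input), capture_output=True, text=True, timeout=10
    )


if __name__ == "__main__":
    print("vulnerable command line:", build_vulnerable_command(HOSTILE_INPUT))
    print("hardened argv:", build_safe_argv(BENIGN_INPUT))
    try:
        build_safe_argv(HOSTILE_INPUT)
    except ValueError as exc:
        print("hardened handler rejected hostile input:", exc)
```

The two defences are deliberately independent: the allow-list stops hostile input at the boundary and gives you a clean place to log rejected requests, while the argv list removes the shell from the path entirely, so a gap in the validator does not by itself become command execution.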
Upon completion of this lab you will be able to:
This lab is intended for:
This lab has no prerequisites.
September 21st, 2021 - Updated Hyper-V VMs to not use saved state, to avoid an issue with Azure VMs in the same SKU not all having the same processor features
September 7th, 2021 - Upgraded underlying disk, and Kali Hyper-V VM configuration for improved performance
August 30th, 2021 - Include Remote Desktop connection details for those preferring to use their local Remote Desktop client to connect
July 9th, 2020 - Enabled direct browser RDP connection for a streamlined experience