This report documents a Command Injection vulnerability identified in DVWA during security testing.
Testing Type: Offensive + Defensive Analysis
Environment: Local Lab
Security Level Tested: Low
- Vulnerability Name: Command Injection
- Severity: Critical
- Category: OWASP Top 10 – Injection
- Affected Module: DVWA – Command Injection (Ping a Device)
The application executes system-level commands using user-supplied input without proper validation or sanitization.
This allows attackers to inject additional operating system commands.
Payload Used:
127.0.0.1; ls
Steps to Reproduce:
- Log in to DVWA.
- Navigate to the "Command Injection" module.
- Enter the payload in the IP address field.
- Click Submit.
After normal ping output, the following directory listing was displayed:
- help
- index.php
- source
This confirms that the injected ls command was executed successfully.
Vulnerable Code:
system("ping " . $target);
Command Executed After Injection:
ping 127.0.0.1; ls
The shell interprets the semicolon (;) as a command separator, so multiple commands run in sequence.
Thus, the server executed both:
- ping 127.0.0.1
- ls
If exploited in a real-world environment, this vulnerability could lead to:
- Server file disclosure
- Access to sensitive configuration files
- Execution of arbitrary system commands
- Reverse shell access
- Complete server compromise
Root Cause:
- Direct use of the system() function on user-supplied input
- Lack of input validation
- No command escaping or filtering
Severity Level: Critical
Reason: Allows remote command execution on the server.
To prevent Command Injection:
- Avoid using system() or shell execution functions
- Use strict input validation (IP format validation)
- Implement allowlist validation
- Use escapeshellarg() when shell execution cannot be avoided
Secure Example (Conceptual):
// Wrap the user-supplied value in a single-quoted shell argument before it reaches the shell
$target = escapeshellarg($target);
system("ping " . $target);
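As an added example that is not part of the original report or of DVWA's own code, the following handler combines the allowlist validation and shell-avoidance recommended above: the target is accepted only if it is a well-formed IP literal, and ping is then started as an argv array rather than through a shell. The function names, the packet count of 3 and the platform check for the ping flag are assumptions.

```php
<?php
// Added example, not DVWA's source: a hardened "Ping a Device" handler.
// Function names, the packet count of 3 and the platform check are assumptions.
declare(strict_types=1);

// Allowlist validation: return the address only if it is a well-formed IPv4/IPv6
// literal, otherwise null. "127.0.0.1; ls" fails here before any command runs.
function validate_target(string $input): ?string
{
    $ip = filter_var(trim($input), FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// Run ping without a shell. proc_open() with an array command (PHP >= 7.4) passes
// each element as its own argv entry, so ';', '|' or '&&' in $target are never
// interpreted as command separators. Returns HTML-escaped output, or null on reject.
function safe_ping(string $target): ?string
{
    $ip = validate_target($target);
    if ($ip === null) {
        return null; // reject; log the attempt and show the user a generic error
    }
    $countFlag = PHP_OS_FAMILY === 'Windows' ? '-n' : '-c';
    $cmd  = ['ping', $countFlag, '3', $ip];           // argv array, no shell involved
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return htmlspecialchars($out, ENT_QUOTES, 'UTF-8'); // escape before echoing into HTML
}

// Exercise the allowlist with the report's payload and with a legitimate address.
foreach (['127.0.0.1; ls', '127.0.0.1'] as $candidate) {
    $verdict = validate_target($candidate) === null ? 'rejected' : 'accepted';
    echo "$candidate => $verdict\n";
}
```

Because validation happens before any process is spawned, a rejected submission is also a clean detection point for logging attempted injection.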
This testing was performed in a controlled lab environment (DVWA) strictly for educational and research purposes.
