OS Command Injection to Meterpreter

Definition: Command injection is an attack whose goal is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. The attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely because of insufficient input validation.
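To make the definition concrete, here is an added example (not from the original post or from DVWA) that shows the vulnerable "concatenate input into a shell string" pattern next to a hardened handler that validates the value and never involves a shell, plus a small check a defender can use to flag injected values in request logs. The `ping -c 3` flags assume a Unix-like host; the sample inputs are constructed.

```python
import ipaddress
import re
import subprocess

# Characters that let user input break out of a shell command line.
SHELL_METACHARACTERS = re.compile(r"[;&|`$(){}<>\n\r]")


def build_command_unsafe(host: str) -> str:
    """Vulnerable pattern (DVWA 'low' style): the user value is concatenated
    into a shell string, so a separator such as ';' starts a second command."""
    return "ping -c 3 " + host


def looks_injected(host: str) -> bool:
    """Detection check for logs or a WAF rule: a host field should never
    contain shell metacharacters."""
    return SHELL_METACHARACTERS.search(host) is not None


def validate_host(host: str) -> str:
    """Allow-list validation: accept only a syntactically valid IP literal.
    Raises ValueError for anything else, including injected suffixes."""
    return str(ipaddress.ip_address(host.strip()))


def build_argv_safe(host: str) -> list:
    """Hardened form: the validated value is one argv element and no shell
    is used, so metacharacters are never interpreted."""
    return ["ping", "-c", "3", validate_host(host)]


def run_ping(host: str) -> int:
    """Execute the hardened command without a shell; returns the exit status."""
    return subprocess.run(build_argv_safe(host), check=False).returncode


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying an injected command.
    for value in ("127.0.0.1", "127.0.0.1; id"):
        print("unsafe shell string:", build_command_unsafe(value))
        print("flagged by detector:", looks_injected(value))
        try:
            print("hardened argv      :", build_argv_safe(value))
        except ValueError as exc:
            print("hardened argv      : rejected ->", exc)
```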


Victim Machine: The victim is a Windows XP SP2 server hosting DVWA, with the OS Command Injection module set to the “low” security level.

OS: Win XP SP2


Web APP: Damn Vulnerable Web Application (DVWA)


Attacker Machine:


OS: BackBox 4.7

Browser: Mozilla Firefox

Tools: Commix ([comm]and [i]njection e[x]ploiter), Tamper Data (Mozilla Firefox add-on)



  1. First of all, we need to find the injection point and the cookie for the DVWA Command Injection module. Tamper Data has been used for this purpose.

  2. After finding the cookie and injection point, we run commix from the terminal.

  3. After a successful injection, commix offers a pseudo-terminal shell, which we choose in order to interact with the victim.

  4. Before proceeding further, we need to set up a Python-based reverse TCP listener in Metasploit.

  5. Let’s continue with commix’s options. At the end we select the Python-based reverse shell and provide LHOST and LPORT.

  6. After the Python-based Meterpreter payload is selected, a reverse TCP connection is made to our Metasploit listener.



References:

  1. https://www.owasp.org/index.php/Command_Injection
  2. http://www.dvwa.co.uk/
  3. https://github.com/commixproject/commix
  4. https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
  5. https://backbox.org
  6. https://portswigger.net/KnowledgeBase/issues/Details/00100100_OScommandinjection


