DVWA or Damn Vulnerable Web Application is a PHP/MySQL web application for web security enthusiast to test their skills and tools in a legal environment.
This tutorial assumes you understand what a LAMP server is. Download ```dvwa``` in /var/www/html:
LAMP Server is required!
Unzip the file, and rename it to dvwa. Change into
/var/www/html/dvwa/config and rename the following file:
mv config.inc.php.dist config.inc.php
Restart the apache service and, run
localhost/dvwa in your browser. The first time you access the DVWA, it will perform a ‘Database Check’ to verify if your PHP settings, the ‘dvwa’ MySQL database, file permissions, and the reCAPTCHA key (public and private) are configured correctly. The page will look like this(mine is already configured).
Setup Check Operating system: *nix Backend database: MySQL PHP version: 7.2.15-0ubuntu0.18.04.2 Web Server SERVER_NAME: 192.168.100.8 PHP function display_errors: Disabled PHP function safe_mode: Disabled PHP function allow_url_include: Enabled PHP function allow_url_fopen: Enabled PHP function magic_quotes_gpc: Disabled PHP module gd: Installed PHP module mysql: Installed PHP module pdo_mysql: Installed MySQL username: dvwa MySQL password: ****** MySQL database: dvwa MySQL host: localhost reCAPTCHA key: 6LdVBZsUAAAAAPLL9ApvT2VhJ6slKqTU2kDsas3J [User: root] Writable folder /var/www/html/dvwa/hackable/uploads/: Yes [User: root] Writable file /var/www/html/dvwa/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt: Yes [User: root] Writable folder /var/www/html/dvwa/config: Yes Status in red, indicate there will be an issue when trying to complete some modules. If you see disabled on either allow_url_fopen or allow_url_include, set the following in your php.ini file and restart Apache. allow_url_fopen = On allow_url_include = On These are only required for the file inclusion labs so unless you want to play with those, you can ignore them.
So, everything that’s red, we have to change that to green. Let’s start with PHP. On my machine,
allow_url_fopen was disabled, and the
php-gd module was missing. The following commands fixed it:
allow_url_fopen edit the
; Whether to allow the treatment of URLs (like http:// or ftp://) as files. ; http://php.net/allow-url-fopen allow_url_fopen = On
in the same file, change
; Whether to allow include/require to open URLs (like http:// or ftp://) as files. ; http://php.net/allow-url-include allow_url_include = On
To install the
php-gd module, run(according to your version of php):
apt-get install php7.2-gd
For MySQL, login by executing
mysql -u root -p, and verify if the
dvwa database was created :
mysql> SHOW databases; +--------------------+ | Database | +--------------------+ | information_schema | | dvwa | | mutillidae | | mysql | | performance_schema | | sys | +--------------------+ 6 rows in set (0.00 sec)
If there’s no line that says
dvwa, run the following commands (or else skip this):
mysql> CREATE database dvwa; mysql> flush privileges; mysql> exit
Now, for the MySQL username and password, edit the
/var/www/html/dvwa/config/config.inc.php, and replace the username and password(a strong password is not important).:
# If you are using MariaDB then you cannot use root, you must use create a dedicated DVWA user. # See README.md for more information on this. $_DVWA = array(); $_DVWA[ 'db_server' ] = 'localhost'; $_DVWA[ 'db_database' ] = 'dvwa'; $_DVWA[ 'db_user' ] = 'dvwa'; $_DVWA[ 'db_password' ] = 'secretpassword';
For the reCAPTCHA key, from the same file as above, scroll down and look for those lines:
# ReCAPTCHA settings # Used for the 'Insecure CAPTCHA' module # You'll need to generate your own keys at: https://www.google.com/recaptcha/admin $_DVWA[ 'recaptcha_public_key' ] = '6LdVBZsUAAAAAPLL9ApvT2VhJ6slKqTU2kDsas3J'; $_DVWA[ 'recaptcha_private_key' ] = '6LdVBZsUAAAAAB3I9IQIav5UWv7XgLWM8-1H9Kgs';
https://www.google.com/recaptcha/admin, register your own key, and paste them in the required field.
To modify the files permission modes and group owner, run the following commands:
cd ../ chgrp www-data hackable/uploads/ chmod g+w hackable/uploads/ chgrp www-data external/phpids/0.6/lib/IDS/tmp/phpids_log.txt chmod g+w external/phpids/0.6/lib/IDS/tmp/phpids_log.txt chgrp www-data config/ chmod g+w config/
Restart the apache and mysql service for the changes to take effect:
systemctl restart apache2 && systemctl restart mysql.service
Now, the last thing to do is to reload the
localhost/dvwa page, and click on
Create / Reset Database(you should see something like this):
Database has been created. 'users' table was created. Data inserted into 'users' table. 'guestbook' table was created. Data inserted into 'guestbook' table. Backup file /config/config.inc.php.bak automatically created Setup successful!
If you see this error =>
Could not connect to the MySQL service. Please check the config file., log into mysql and run the following commands:
CREATE USER 'dvwa'@'localhost' IDENTIFIED BY 'secretpassword'; GRANT ALL PRIVILEGES ON dvwa.* TO 'dvwa'@'localhost'; FLUSH PRIVILEGES;
Login with the credentials (
password), and you’re good to go.
““When a blind man says, 'God is good,' this should be an eye-opener to those who can see.” ― Anthony Liccione
2019-03-30 00:00 +0000