If I ever get time I'll write something meaningful here. For now, I'm either hacking, coding or off doing something outdoors to get away from all the technology.
If you like my work, you can Buy me a smoothie*.
* I don't drink coffee
Damn Vulnerable Web Application (DVWA)
License: GNU General Public License v3.0
If I ever get time I'll write something meaningful here. For now, I'm either hacking, coding or off doing something outdoors to get away from all the technology.
If you like my work, you can Buy me a smoothie*.
* I don't drink coffee
I'm using DVWA 1.0.7 and I'm experiencing a strange issue. The security
settings for XSS Stored page are always set to "High" no matter what I do.
I've tried changing them to low and it works for every other page but that
one.
I've restarted Apache and MySQL with no luck. I'm on Mountain Lion 10.9.2
using XAMMP 1.8.3-3.
Upload file vulnerability won't work (Low security, PHPIDS disabled).
Iv'e tried everything, I've been on this for 3 days now, 16 hours a day.
I reinstalled localhost machine (running CentoOS) multiple times (tried 7 and 6), tried multiple php and mysql version, tried change all server files permissions to chmod 777, tried just /var/www chmod 777, tried disabling SELinux, tried disabling IPtables, nothing, absolutely nothing works!
doesn't matter if everything is running as root or not, it just won't work.I've also tried multiple web admin panels and multiple apache configs, nothing.
I've seen this issue posted here before, but fix wasn't explained.
Also, there is absolutely nothing in the logs! (Both error and access logs).
Help please! Thanks.
*Getting Error after clicking on Create and reset database button
*
Fatal error: Uncaught Error: Call to undefined function mysql_connect() in C:\xampp\htdocs\DVWA\dvwa\includes\DBMS\MySQL.php:9 Stack trace: #0 C:\xampp\htdocs\DVWA\setup.php(17): include_once() #1 {main} thrown in C:\xampp\htdocs\DVWA\dvwa\includes\DBMS\MySQL.php on line 9
Could any 1 can help to reslove this issues
Detail
Setup Check
Operating system: Windows
Backend database: MySQL
PHP version: 7.0.4
Web Server SERVER_NAME: 127.0.0.1
PHP function display_errors: Enabled (Easy Mode!)
PHP function safe_mode: Disabled
PHP function allow_url_include: Enabled
PHP function allow_url_fopen: Enabled
PHP function magic_quotes_gpc: Disabled
PHP module php-gd: Installed
reCAPTCHA key: --------
Writable folder C:\xampp\htdocs\DVWA/hackable/uploads/: Yes)
Writable file C:\xampp\htdocs\DVWA/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt: Yes
Apache Server not Connecting, MYSQL works, error says
8:30:50 AM [Apache] Status change detected: stopped
8:30:50 AM [Apache] Error: Apache shutdown unexpectedly.
8:30:50 AM [Apache] This may be due to a blocked port, missing dependencies,
8:30:50 AM [Apache] improper privileges, a crash, or a shutdown by another method.
8:30:50 AM [Apache] Press the Logs button to view error logs and check
8:30:50 AM [Apache] the Windows Event Viewer for more clues
8:30:50 AM [Apache] If you need more help, copy and post this
8:30:50 AM [Apache] entire log window on the forums
Please help!!
Hi everyone !
First of all, thanks for creating this great learning tool :) I've been playing with it for some time and had good time.
I'd like to use DVWA to learn some tools too. I'm able to access DVWA (which is installed on VM machine) externally, that is from other VM machines and for manual learning it works fine. However when I try to use for example some SQLi tools (jsql for example) and I'm targeting SQLI module I get response that it's not possible although security is set to low. I'm guessing the problem may be first login page - correct me if I'm wrong.
Is there a way to disable logging in requirement to make all labs "public" ?
Thanks in advance :)
How to use live CD? Can I use it through USB Flash drive? Does it work if simply copy and paste the contents of the iso file? Does it work in windows?
I have all the files in /var/www/ but it wont pull up the local host? Looks like this has been a common problem on the tutorial I'm watching on Udemy. Thanks
What about adding a padding oracle vulnerability ?
I'd be willing to write it if you think it would bring value.
I tried the given solution and numerous solutions available as well as my own.
None of them would give any output or results. Please confirm so this issue can be solved
Hi,
I am unable to login with the default username admin and password password. it keeps redirecting me to the login page. I used the setup page to create dvwa database and it was successful as i could see tables in the dvwa database. I also change all the permission to 777 to ensure it is not a permission issue
Not sure what else i can try, can someone please assist?
In low.php (line 7 and 8) and medium.php (line 6 and 7) for the captcha vulnerability, it gets the new password and confirmation of password and assigns these values to variables.
But this only happens for step 1.
In step 2, these two variables $pass_new and $pass_conf are always blank when it is written to the database.
Hi, I have a issue with CAPTCHA key, even after copying the right & inserting it to public & server it still says could not Could not connect to the MySQL service. Please check the config file. & how to fix
Writable file /var/www/html/DVWA/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt: No
kindly suggest me a fix.
Hi Guys, can you step me through how I get the SQL injection working with the latest version of XAMPP (1.8.3).
If I modify .htaccess per the readme I get a Error 500 loading the page
cheers
If the setup page gives a warning about something then give a link or help baloon which gives information on fixing the problem. The one I've just had is this
PHP function allow_url_include: Disabled
So the help would either say "go to php.ini and set X" or just point them at this page:
I might be wrong here, but I think that the "SQL Injection (Blind)" section in dvwa is just a regular SQL Injection vulnerability.
According to DVWA what makes a SQLi vulnerability to be blind is not showing SQL error messages to the user.
Showing the SQL error messages to the user is just: a SQL injection vuln + a misconfiguration issue.
A blind SQL injection might occur when the columns of the results returned by a query are not shown to the user. However, the user can tell somehow if the query returned any records or none.
E.g.: Suppose the url "http://www.example.com/user?id=USER_ID" returns:
But it won't show any information from the query results (e.g. username, address, phone, etc)
If the page is vulnerable to SQLi, an attacker won't be able get info from the DB printed in the result page, but he might be able to infer it by asking yes/no questions.
E.g. if user id 1 exits:
of course the attacker doesn't need to ask the DB if 1=1 or 1=2 (he can ask a calculator that), but he might ask more interesting yes/no questions like:
I suggest you add a real blind sql injection section in DVWA. While displaying or not SQL errors can be just a difference between the security=low and security=medium levels of the regular SQL Injection section.
More info:
https://www.owasp.org/index.php/Blind_SQL_Injection
http://en.wikipedia.org/wiki/SQL_injection#Blind_SQL_injection
I donβt know why that my user_taken and session_token always unequal...So I can't create my dbs
when I change the code "$_SESSION[ 'session_token' ] = md5( uniqid() )" to "$_SESSION[ 'session_token' ] = md5('a')", this workedγ
I guess this porblem is βuniqid()β.
-data'create db=create+%2F+Reset+Database' http://127.0.0.1/dvwa/setup.php# --cookie PHPSESSID=1
curl: option --datacreate db=create+%2F+Reset+Database: is unknown
curl: any idea to solve??
It would be good to be able to delete entries from the stored xss guestbook without having to go to the database. A button on each entry to remove it would be useful.
In order to prevent brute force, the high.php introduces sleep(3);
. However, using parallel threads it is still possible to brute force this implementation. As the low.php is showing an sql injection instead of a brute force I would recommend the following:
implement something like this in low.php (pseudocode):
$user = mysql_real_escape_string( $_GET['user'] );
if (!mysql_query ("`users` contains $user β¦")) {
echo "Username does not exist!";
} else {
$password = $_GET['password'];
/* do password stretching */
for($i=0;$i<1024;$i++){
$password = sha512sum($password);
}
$stored_password = mysql_query ("SELECT password FROM `users` WHERE user = '$user'");
if ($stored_password != $password) {
echo "Password incorrect!";
}
}
I would propose the following for medium.php
$user = mysql_real_escape_string( $_GET['user'] );
if (!mysql_query ("`users` contains $user β¦")) {
echo "Username or Password incorrect!";
} else {
$password = $_GET['password'];
/* do password stretching */
for($i=0;$i<1024;$i++){
$password = sha512sum($password);
}
$stored_password = mysql_query ("SELECT password FROM `users` WHERE user = '$user'");
if ($stored_password != $password) {
echo "Username or Password incorrect!";
}
}
And the following for high.php
/* This solution has the drawback, that an attacker may:
* 1. Lock known accounts for 1 Minute (problematic if login
* function is availability-critical, e.g., online-auctions)
* 2. Flood the bruteforceusers database with dummy-entries
* (may be flushed with a cronjob)
* For a longer discussion you might want to read:
* https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
*/
$user = mysql_real_escape_string( $_GET['user'] );
$account_lock_time = mysql_query("SELECT account_lock_time FROM `bruteforceusers` WHERE user = '$user'");
if ($account_lock_time < current_time() - 60) {
$password = $_GET['password'];
/* do password stretching */
for($i=0;$i<1024;$i++){
$password = sha512sum($password);
}
$stored_password = mysql_query ("SELECT password FROM `users` WHERE user = '$user'");
$wrong_attempts = mysql_query("SELECT wrong_attempts FROM `bruteforceusers` WHERE user = '$user'");
if (!mysql_query ("`users` contains $user β¦") || $stored_password != $password) {
echo "Username or Password incorrect!";
$wrong_attemts++;
mysql_query("UPDATE `bruteforceusers` SET wrong_attemts = $wrong_attemts WHERE user = '$user'");
if ($wrong_attemts > 5) {
mysql_query("UPDATE `users` SET account_lock_time = " . current_time() . " WHERE user = '$user'");
echo "This account has been locked for 1 Minute!";
}
} else {
echo "There were $wrong_attemts wrong password attempts since your last login";
mysql_query("UPDATE `bruteforceusers` SET wrong_attemts = 0 WHERE user = '$user'");
}
} else {
echo "This account has been locked for 1 Minute!";
}
I've been trying to install DVWA in a Debian 8 server and it looks that it wont connect to the database no matter what.
After some digging I foundthat you are using the "mysql" driver instead of "mysqli". The "mysql" driver is deprecated so it wont work on any modern GNU/linux distribution. (http://php.net/manual/en/function.mysql-connect.php)
Would it be possible to update to "mysqli" so this suite can be used with PHP >= 5.5 ?
Thanks!
I'm able to access 127.0.0.1/dvwa/setup.php but login.php as well as every other page is blank. I've searched up on the issue and only one other person has this issue. Any ideas on what I might have done wrong?
I'm running on Backbox, both mysql and apache2 are running.
I've tried to install dvwa on kali linux, ubuntu and windows but for some reason i cant get it to work.
Everything's fine and the installation goes smoothly, but when im about to connect to 127.0.0.1/dvwa/setup.php i get a blank page, its the same at login.php.
I dont understand what the matter is, i've seen other people with the same problem recently but without some solution.
I would appreciate some help on this matter.
i unzip the app on a default nginx install on arch linux
getting error 500 when clicking on the setup/reset database :/
php info works... i also followed this to make sure:
http://hackthistv.com/blog/how-to-install-dvwa-on-ubuntu-server-14-04/
I have done everything seen in guides and everytime (even on low security), it dosn't upload the file.
this does not work on php 7 (xammp)..
work perfect on php 5.6 below
Fatal error: Call to undefined function dvwaExternalLinkUrlGet() in C:\xampp\htdocs\dvwa\vulnerabilities[Insert Vuln Here]\help\help.php on line 33
It does this for all php files that use this function >:(
I want to know why in the file login.php
there isn't any conditional statement to use PostgreSQL as the database instead of MySQL, I can only see the PHP function mysql_query()
but not pg_query()
when the application is trying to register the login action.
$ tree dvwa/includes/DBMS/
dvwa/includes/DBMS/
βββ DBMS.php
βββ MySQL.php
βββ PGSQL.php
0 directories, 3 files
Could not connect to the database.
Please check the config file.
This is error message I am receiving from DVWA. I am using XAMMP v 5.6.19-0. I have the password in the config file set to '', using root as username. I have looked for a solution to the issue but I appear to be on my own on this one. I am running OSX 10.11.3 Not sure what else to tell you Thanks for any help,
Charles
Hi,
Even after giving priviledges to upload folder, we were not able to upload any image file or php file. Then we modified the code and everything started to work fine. Is there any other solution to this? If you are facing similar issue in upload. Just copy and past our code into your low.php file in this directory
/var/www/dvwa/vulnerabilities/upload/source and everything will work fine.
You might need to modify the $target_path according to your OS
'; $html .= ' succesfully uploaded!'; $html .= ''; } } ``` ?>
It said in the instructions that the IP of DVWA was http://127.0.0.1/dvwa. Nothing shows up. I put the uncompressed file into the XAMP folder they told me to.
Hey,
I have talked with @ethicalhack3r and made changes to DVWA. fixing major unintended holes and some others that explained in http://www.paulosyibelo.com/2014/09/dvwa-unintended-security-issues.html
Other than that, fixed the Rosetta Flash attack for the high level, added some extra protection layers as a "high" level, and modified the graphics a lot.
I personally don't know how to use github to pull a request (embarrassed); neither do I have time. contacted ryan and he told me the same thing so, we were hoping some from here can do that for me and pull the newest, cooler, DVWA.
Here: can you try https://www.dropbox.com/s/s0t8rjm4vhlkllu/dvwa-final.zip?dl=0
Thanks,
Typographic error.
After the conversion of the files Readme.txt and Changelog.txt from the Subversion repository to the Git repository, you missed a change in the file instructions.php
where are specified the path to load the files README.md and CHANGELOG.md.
$ diff instructions.php instructions.php.fork
13,14c13,14
< 'readme' => array( 'legend' => 'Read Me', 'file' => 'README.txt' ),
< 'changelog' => array( 'legend' => 'Change Log', 'file' => 'CHANGELOG.txt' ),
---
> 'readme' => array( 'legend' => 'Read Me', 'file' => 'README.md' ),
> 'changelog' => array( 'legend' => 'Change Log', 'file' => 'CHANGELOG.md' ),
I am using XAMPP web server, and it is working well. Only, I do not know why "localhost" is loading the setup.php and not the login.php. When I remove "setup.php" from the URL and replace it with "login.php", the URL is flipping back to "setup.php".
So, I tried already to reinstall DVWA - XAMPP - MySql -PHP5, etc, but always the same problem occurs.
What can I do to change in a good direction?
Anyone can help?
Thanks !
Why the captcha form is hidden?
https://github.com/RandomStorm/DVWA/blob/master/vulnerabilities/captcha/index.php#L35
I believe that the session should not be able to be set via client side techniques when you are running in high secure mode.
I really do not know how to enable shell_exec for command injection, plz help
i cant generate the database, every time i click the button i get the message "Could not connect to the database - please check the config file."
There are several points in the application where directory traversal is possible.
For example /vulnerabilities/view_source.php?id=csrf&security=../../../config/config.inc will reveal the configuration of the application.
These vulnerabilities are found in:
vulnerabilities/view_help.php (14)
vulnerabilities/view_source_all.php (12, 16, 20)
vulnerabilities/view_source.php (56)
the parameters id and security are not sufficiently validated.
Probably this was not an intended vulnerability.
Bonjour Misure, just noticed something odd. I was able to bypass the filtering on command injection with security token set to HIGH using a simple '|'. Took a look at the source and it seems you have a stray white space in the pipe filter (see below).
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$target = trim($_REQUEST[ 'ip' ]);
// Set blacklist
$substitutions = array(
'&' => '',
';' => '',
'| ' => '',
'-' => '',
'$' => '',
'(' => '',
')' => '',
'`' => '',
'||' => '',
I've just scanned DVWA with Wfuzz and it found the /config directory and as directory indexing is enabled I can see the config.inf.php file but obviously can't read the contents as it is parsed by php.
It would be nice to have a "backup" of the file with .bak or .old in there that could be discovered as another vulnerability.
It would be great a redirection to the file setup.php
if the installation process was not started. I have this little piece of code checking in the information schema database if the table users exists in the database specified in the configuration file.
Only works with MySQL database.
$ diff login.php login.php.fork
22a23,31
> $users_exists_q = @mysql_query("SELECT table_schema, table_name, create_time
> FROM information_schema.tables
> WHERE table_schema='{$_DVWA['db_database']}' AND table_name='users'
> LIMIT 1");
> if( !mysql_fetch_assoc($users_exists_q) ){
> header('Location: setup.php');
> exit;
> }
>
Hi,
I have tried to set up DVWA on Kali Linux 2, mysql and apache2 are both running but the webpage states that 'Sever not found'. Any ideas?
Thanks,
Shane
I am using DVWA 1.0.8 and 1.0.7 respectively but doing all my effort and follows all the recommendation i got and error message after typing Username and Password that is Table 'dvwa.users' does'nt exist. Please help me if anybody solved it earlier. Or send me any file or description at: [email protected]
the first one actually is interesting. If you have DVWA, just in your HDD. this can lead to RCE, interesting exploit
Others are unintended too. :)
http://paulosyibelo.blogspot.com/2014/09/dvwa-unintended-security-issues.html
I have setup everything as instructed. I can see the /setup.php /instructions.php and /about.php pages but when I click on the create database button, I just get a blank screen.
The url it goes to after clicking create database is - http://localhost/dvwa/setup.php#
Nothing else happens, it doesnt take me to the login or anything. Any help would be great.
Getting error
Fatal error: Uncaught Error: Call to undefined function mysql_connect() in C:\xampp\htdocs\dvwa\dvwa\includes\dvwaPage.inc.php:461 Stack trace: #0 C:\xampp\htdocs\dvwa\login.php(8): dvwaDatabaseConnect() #1 {main} thrown in C:\xampp\htdocs\dvwa\dvwa\includes\dvwaPage.inc.php on line 461
"Unable to connect to the database.
mysql_error()
Click here to setup the database. "
I upload the web and that is all what it says when i open it.
If i click "here", it takes me to this:
"Click on the 'Create / Reset Database' button below to create or reset your database. If you get an error make sure you have the correct user credentials in /config/config.inc.php
If the database already exists, it will be cleared and the data will be reset.
Backend Database: MySQL "
and if i hit on the 'Create / Reset Database' it tells: Could not connect to the database - please check the config file.
I dont know what to do, im so newbie. Please help
To all who can help.
I've seen this issue has been posted before however, there has not been any resolution. I installed DVWA on XAMPP but, when I try to go to localhost/dvwa in the browser it sends me to the localhost/dvwa/login.php web page which is blank. I've manually typed localhost/dvwa/setup.php in the browser and that page comes up fine. So does, instructions.php and about.php. Can anybody help me with this issue.
More info:
Setup Check is showing the following information. Should some of the processes that are coming up as disabled be enabled. If so, how can I resolve this issue?
Operating system: Windows
Backend database: MySQL
PHP version: 5.6.19
Web Server Server_Name: localhost
PHP function display_error: Enabled (Easy Mode!)
PHP function safe_mode: Disabled
PHP function allow_url_include: Disabled
PHP function allow_url_fopen: Enabled
PHP function magic_quotes_gpc: Disabled
PHP module php-gd: Instaled
reCAPTCHA key: Missing
Writable folder C:\xampp\htdocs\dvwa/hackable/uploads/: Yes)
Writable file C:\xampp\htdocs\dvwa/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt: Yes
DVWA was installed on a system running Windows 8
A declarative, efficient, and flexible JavaScript library for building user interfaces.
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. πππ
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google β€οΈ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.