DVWA

From Embedded Lab Vienna for IoT & Security
Revision as of 15:22, 5 January 2022 by VHorvathova (talk | contribs)
Jump to navigation Jump to search

The so-called damn vulnerable web app (DVWA) is also a vulnerable PHP / MySQL web service [[1]]. It is very similar to bWAPP. DVWA is free and can be used by anyone. The purpose of this application is to improve and test the skills and tools of security professionals and enthusiasts in a legal and secure environment. It is also used to explore the different vulnerabilities in four difficulties. More detailed explanations and information can be found on the DVWA homepage or at the GitHub page.

Architecture

As already mentioned, the Damn Vulnerable Web Application (DVWA) is a free PHP application which is like bWAPP. It also uses a SQL database to persist information. The service is provided by Linux or Windows. XAMPP is also supported.

DVWA architecture.png

Installation (1)

The installation of DVWA is very similar to that of bWAPP. Because the application is very fragile, it is recommended to install it on a virtual machine, and not in the public HTML folder. The following steps show a successful installation:

  • The application could be downloaded on the official homepage of DVWA (http://www.dvwa.co.uk/). The ZIP file is extracted on any path.
DVWA official Website.png


  • The name of the folder is changed to “dvwa” and in the /xampp/htdocs path copied from XAMPP. Apache and MySQL should be activated in the XAMPP control panel.
  • The password is deleted from the configuration file “config.inc.php.dist”.
DVWA configfile.png


  • /localhost/dvwa is called by the browser, which leads you to the login.
    • Username is “admin”
    • Password is “password”
  • Now you are logged in and ready to work with DVWA.
DVWA installed and ready to use.png


Note: Before you start, the database should be set or reset.

Installation (2)

This is an alternative way of setting up the DVWA, which is sometimes more reliable than the first one. It requires creating a VM with a DVWA iso file, like you would do with any other VM. You just need to choose the correct ISO during setup. It can be downloaded here: https://www.vulnhub.com/entry/damn-vulnerable-web-application-dvwa-107,43/. Once the DVWA VM is running, you can access it in the browser of another VM via: http://<IP_DVWA_VM>/login.php. You just need to choose NAT as network setting on both used VMs, so that they aren't exposed to the actual network. Exposing the DVWA to the network is very dangerous, as this is in fact a very vulnerable server. Should it get compromised from outside, the attacker would gain access to your home network.

Examples

The example is also based on the SQL injection vulnerability.

  • In contrast to bWAPP, no search terms are entered in the search field, here we are searching by an identification number (ID) of the user in the database. An identification number returns the first name and last name of a user.
DVWA search.PNG


  • When we enter "1" in the search field, the query being sent to the database really looks like this:
$query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
$query  = "SELECT first_name, last_name FROM users WHERE user_id = 1;";
  • If we enter "1'" in the search field, we will get a syntax error with the associated error message. So, we recognize that the parameters in the URL are vulnerable to error-based SQL injection. This means we can send commands (queries) to the database to extract some information. The displayed error message is:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 1' at line 1
  • Next we can try executing an always true query. The example SQL code would look like this:
SELECT first_name, last_name FROM users WHERE user_id = 'a' OR '1'='1'
  • When we enter a’ or ‘1’=‘1 in the ID field, sending an always-true query, we get all users with their first and last names from the database.
True1.PNG


  • First have to merge all existing tables together with the union statement, then we can go forward and determine our desired result like user or database.
    • % 'Or 0 = 0 union select null, user () #
    • % ’Or 0 = 0 union select null, database () #
DVWA sqldatabase.PNG
DVWA sqluser.PNG


  • To display all tables of the information schema, you must enter the following command in the search field.
    • % ’And 1 = 0 union select null, table \ _name from information_schema.tables #

Note: The information schema is the place where information is shared with everyone else databases are stored.

  • We want to display the login data such as username and password. To do this, we should look for the 'User' table and print all containing fields. Now we know which fields exist in the table ’User’, so that we can select the right ones and print them out.
    • % ’And 1 = 0 union select null, table_name from information_schema.tables where table_name like’ user% ’#
    • % 'And 1 = 0 union select null, concat (table_name, 0x0a, column_name) from information_schema.columns where table_name =' users' #
    • % ’And 1 = 0 union select null, concat (first \ _name, 0x0a, last \ _name, 0x0a, user, 0x0a, password) from users #
  • Unfortunately, the data is hashed, and we have to use external software to crack them (John the Ripper).
DVWA hashpassword.PNG
Retrieved from "https://wiki.elvis.science/index.php?title=DVWA&oldid=9309"