# DAMN VULNERABLE WEB APPLICATION
Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.
The aim of DVWA is to **practice some of the most common web vulnerabilities**, with **various levels of difficulty**, with a simple straightforward interface.
Please note, there are **both documented and undocumented vulnerabilities** with this software. This is intentional. You are encouraged to try and discover as many issues as possible.
- - -
## WARNING!
Damn Vulnerable Web Application is damn vulnerable! **Do not upload it to your hosting provider's public html folder or any Internet facing servers**, as they will be compromised. It is recommended using a virtual machine (such as [VirtualBox](https://www.virtualbox.org/) or [VMware](https://www.vmware.com/)), which is set to NAT networking mode. Inside a guest machine, you can download and install [XAMPP](https://www.apachefriends.org/en/xampp.html) for the web server and database.
### Disclaimer
We do not take responsibility for the way in which any one uses this application (DVWA). We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing DVWA on to live web servers. If your web server is compromised via an installation of DVWA, it is not our responsibility, it is the responsibility of the person/s who uploaded and installed it.
- - -
## License
This file is part of Damn Vulnerable Web Application (DVWA).
Damn Vulnerable Web Application (DVWA) is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
Damn Vulnerable Web Application (DVWA) is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with Damn Vulnerable Web Application (DVWA). If not, see <http://www.gnu.org/licenses/>.
- - -
## Download
While there are various versions of DVWA around, the only supported version is the latest source from the official GitHub repository. You can either clone it from the repo:
```
git clone https://github.com/digininja/DVWA.git
```
Or [download a ZIP of the files](https://github.com/digininja/DVWA/archive/master.zip).
- - -
## Installation
**Please make sure your config/config.inc.php file exists. Only having a config.inc.php.dist will not be sufficient and you'll have to edit it to suit your environment and rename it to config.inc.php. [Windows may hide the trailing extension.](https://support.microsoft.com/en-in/help/865219/how-to-show-or-hide-file-name-extensions-in-windows-explorer)**
### Installation Videos
- [Installing Damn Vulnerable Web Application (DVWA) on Windows 10](https://www.youtube.com/watch?v=cak2lQvBRAo) [12:39 minutes]
### Windows + XAMPP
The easiest way to install DVWA is to download and install [XAMPP](https://www.apachefriends.org/en/xampp.html) if you do not already have a web server setup.
XAMPP is a very easy to install Apache Distribution for Linux, Solaris, Windows and Mac OS X. The package includes the Apache web server, MySQL, PHP, Perl, a FTP server and phpMyAdmin.
XAMPP can be downloaded from:
https://www.apachefriends.org/en/xampp.html
Simply unzip dvwa.zip, place the unzipped files in your public html folder, then point your browser to: `http://127.0.0.1/dvwa/setup.php`
### Linux Packages
If you are using a Debian based Linux distribution, you will need to install the following packages _(or their equivalent)_:
`apt-get -y install apache2 mariadb-server php php-mysqli php-gd libapache2-mod-php`
The site will work with MySQL instead of MariaDB but we strongly recommend MariaDB as it works out of the box whereas you have to make changes to get MySQL to work correctly.
### Database Setup
To set up the database, simply click on the `Setup DVWA` button in the main menu, then click on the `Create / Reset Database` button. This will create / reset the database for you with some data in.
If you receive an error while trying to create your database, make sure your database credentials are correct within `./config/config.inc.php`. *This differs from config.inc.php.dist, which is an example file.*
The variables are set to the following by default:
```php
$_DVWA[ 'db_user' ] = 'dvwa';
$_DVWA[ 'db_password' ] = 'p@ssw0rd';
$_DVWA[ 'db_database' ] = 'dvwa';
```
Note, if you are using MariaDB rather than MySQL (MariaDB is default in Kali), then you can't use the database root user, you must create a new database user. To do this, connect to the database as the root user then use the following commands:
```mysql
mysql> create database dvwa;
Query OK, 1 row affected (0.00 sec)
mysql> create user dvwa@localhost identified by 'p@ssw0rd';
Query OK, 0 rows affected (0.01 sec)
mysql> grant all on dvwa.* to dvwa@localhost;
Query OK, 0 rows affected (0.01 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
```
### Other Configuration
Depending on your Operating System, as well as version of PHP, you may wish to alter the default configuration. The location of the files will be different on a per-machine basis.
**Folder Permissions**:
* `./hackable/uploads/` - Needs to be writeable by the web service (for File Upload).
* `./external/phpids/0.6/lib/IDS/tmp/phpids_log.txt` - Needs to be writable by the web service (if you wish to use PHPIDS).
**PHP configuration**:
* `allow_url_include = on` - Allows for Remote File Inclusions (RFI) [[allow_url_include](https://secure.php.net/manual/en/filesystem.configuration.php#ini.allow-url-include)]
* `allow_url_fopen = on` - Allows for Remote File Inclusions (RFI) [[allow_url_fopen](https://secure.php.net/manual/en/filesystem.configuration.php#ini.allow-url-fopen)]
* `safe_mode = off` - (If PHP <= v5.4) Allows for SQL Injection (SQLi) [[safe_mode](https://secure.php.net/manual/en/features.safe-mode.php)]
* `magic_quotes_gpc = off` - (If PHP <= v5.4) Allows for SQL Injection (SQLi) [[magic_quotes_gpc](https://secure.php.net/manual/en/security.magicquotes.php)]
* `display_errors = off` - (Optional) Hides PHP warning messages to make it less verbose [[display_errors](https://secure.php.net/manual/en/errorfunc.configuration.php#ini.display-errors)]
**File: `config/config.inc.php`**:
* `$_DVWA[ 'recaptcha_public_key' ]` & `$_DVWA[ 'recaptcha_private_key' ]` - These values need to be generated from: https://www.google.com/recaptcha/admin/create
### Default Credentials
**Default username = `admin`**
**Default password = `password`**
_...can easily be brute forced ;)_
Login URL: http://127.0.0.1/login.php
_Note: This will be different if you installed DVWA into a different directory._
- - -
## Docker Container
- [dockerhub page](https://hub.docker.com/r/vulnerables/web-dvwa/)
`docker run --rm -it -p 80:80 vulnerables/web-dvwa`
Please ensure you are using aufs due to previous MySQL issues. Run `docker info` to check your storage driver. If it isn't aufs, please change it as such. There are guides for each operating system on how to do that, but they're quite different so we won't cover that here.
- - -
## Troubleshooting
These assume you are on a Debian based distro, such as Debian, Ubuntu and Kali. For other distros, follow along, but update the command where appropriate.
### "Access denied" running setup
If you see the following when running the
没有合适的资源?快使用搜索试试~ 我知道了~
温馨提示
DVWA全称为Damn Vulnerable Web Application,意为存在糟糕漏洞的web应用。它是一个基于PHP/MySQL开发的存在糟糕漏洞的web应用,旨在为专业的安全人员提供一个合法的环境,来测试他们的工具和技能。帮助web开发人员理解web应用保护的过程,还可以在课堂中为师生的安全性教学提供便利。DVWA是一个RandomStorm开源项目,了解更多关于RandomStorm开源项目可以访问 http://www.randomstorm.com。DVWA项目开始于2008年12月,并逐渐受到欢迎。 现在,全世界有成千上万的安全专业人员,学生和教师正在使用它。 DVWA现在已包含在流行的渗透测试Linux发行版中,例如Samurai的Web测试框架等。
资源推荐
资源详情
资源评论
收起资源包目录
DVWA-DVWA渗透测试平台文件 (589个子文件)
style.css 7KB
container.css 7KB
stylesheet.css 5KB
main.css 4KB
login.css 842B
banner.css 393B
source.css 319B
help.css 304B
ConfigForm.css 283B
config.inc.php.dist 2KB
close12_1.gif 85B
.gitignore 229B
.htaccess 500B
Converter.php.html 586KB
elementindex.html 554KB
Monitor.php.html 390KB
Filter_Storage.php.html 276KB
Report.php.html 158KB
Event.php.html 123KB
errors.html 108KB
Caching_File.php.html 103KB
Init.php.html 96KB
Filter.php.html 95KB
Caching_Factory.php.html 83KB
elementindex_PHPIDS.html 59KB
Caching_Session.php.html 44KB
IDS_Converter.html 26KB
IDS_Report.html 21KB
Caching_Interface.php.html 19KB
IDS_Monitor.html 18KB
IDS_Event.html 16KB
index.html 15KB
IDS_Filter.html 15KB
IDS_Init.html 14KB
IDS_Filter_Storage.html 14KB
IDS_Log_Email.html 11KB
IDS_Filter_Storage_Abstract.html 11KB
Caching.html 10KB
IDS_Caching_Database.html 9KB
IDS_Caching_Memcached.html 9KB
IDS_Caching_File.html 9KB
IDS_Caching_Session.html 9KB
IDS_Log_File.html 8KB
IDS_Log_Composite.html 8KB
IDS_Log_Database.html 7KB
_Caching---Database.php.html 5KB
_Caching---Memcached.php.html 5KB
_Caching---Session.php.html 5KB
_Log---Database.php.html 5KB
_Caching---File.php.html 5KB
_Log---Composite.php.html 5KB
_Log---Email.php.html 5KB
_Log---File.php.html 5KB
li_PHPIDS.html 5KB
IDS_Caching_Interface.html 5KB
IDS_Caching.html 5KB
IDS_Log_Interface.html 4KB
Filter.html 4KB
_Converter.php.html 3KB
_Caching---Interface.php.html 3KB
_Log---Interface.php.html 3KB
_Filter---Storage.php.html 3KB
_Caching---Factory.php.html 3KB
_Monitor.php.html 3KB
_Filter.php.html 3KB
_Report.php.html 3KB
_Event.php.html 3KB
_Init.php.html 3KB
classtrees_PHPIDS.html 3KB
_Filter---Storage---Abstract.php.html 2KB
_Filter---Filter.php.html 2KB
packages.html 994B
index.html 951B
blank.html 416B
pdf.html 105B
favicon.ico 1KB
Template.php.in 1011B
Config.ini 3KB
php.ini 154B
info.ini 24B
smithy.jpg 4KB
1337.jpg 4KB
admin.jpg 3KB
gordonb.jpg 3KB
pablo.jpg 3KB
container-min.js 63KB
yahoo-dom-event.js 30KB
high_unobfuscated.js 19KB
high.js 10KB
dvwaPage.js 1KB
add_event_listeners.js 593B
high.js 428B
impossible.js 421B
medium.js 258B
ConfigForm.js 120B
default_filter.json 16KB
LICENSE 7KB
README.md 15KB
CHANGELOG.md 7KB
DVWA_v1.3.pdf 412KB
共 589 条
- 1
- 2
- 3
- 4
- 5
- 6
资源评论
「已注销」
- 粉丝: 168
- 资源: 8
上传资源 快速赚钱
- 我的内容管理 展开
- 我的资源 快来上传第一个资源
- 我的收益 登录查看自己的收益
- 我的积分 登录查看自己的积分
- 我的C币 登录后查看C币余额
- 我的收藏
- 我的下载
- 下载帮助
安全验证
文档复制为VIP权益,开通VIP直接复制
信息提交成功