DVWA: How to install DVWA server on Ubuntu

Overview

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that ships with web application security logic errors built into its PHP source code. The programming logic errors it demonstrates apply to all kinds of programming languages, so studying them helps reduce the chance of creating security holes through careless programming. The main goal of DVWA is to provide a legal environment for hacking/pentest practice and to help web application developers better understand safe and secure programming. DVWA also gives teachers and students a way to learn and practice basic and advanced web application security attacks.

How to configure

  • Install Ubuntu Linux 18.04 with GUI
  • Install mysql server -> Open Terminal and use the command sudo apt install mysql-server -> Wait for the mysql server installation to be completed (press y when prompted)
  • Install apache2 -> Use the command apt install apache2 -> Wait for apache2 installation to be completed (press y when prompted)
  • Open web browser and search DVWA -> Open website https://dvwa.co.uk -> Choose SOURCE CONTROL
  • Click Code -> Choose Copy link icon
  • Install git with the command apt install git -y
  • Run the command git clone https://github.com/digininja/DVWA.git
  • Run the command cd /var/www/html
  • Run the ls command to check the files in the html folder
  • Rename DVWA to dvwa with the command mv DVWA/ dvwa/
  • Rename index.html to abc.html with the command mv index.html abc.html
  • Open the web browser and go to localhost/dvwa/
  • Install PHP -> Use the command apt install php (press y when prompted)
  • Go to the folder by the command cd dvwa/config/
  • Use the command ls to check and change the name config.inc.php.dist to config.inc.php by the command mv config.inc.php.dist config.inc.php
  • Open web browser and access localhost/dvwa/setup.php
  • Install vim by the command apt install vim (Press y when prompted)
  • Use the command cd /etc/php/7.2/apache2
  • Open php.ini and edit by the command vim php.ini
  • Enter ?allow_url -> Press Enter, then press i and change Off to On
  • Press Escape -> Enter :wq to save
  • Restart apache by the command systemctl restart apache2.service
  • Go back to Firefox and refresh the page to check the status of the PHP function allow_url_include
  • Install php7.2-gd by the command apt install php7.2-gd -> Restart apache2
  • Check the state of PHP module gd
  • Install php7.2-mysql by the command apt install php7.2-mysql -> Restart apache2
  • Check the state of PHP module mysql and PHP module pdo_mysql
  • Go to the folder by the command cd /var/www/html/dvwa/config/
  • Edit config.inc.php file by the command vim config.inc.php
  • Open the link https://www.google.com/recaptcha/admin -> Click Open Link
  • Enter your email account
  • Click the + icon
  • Enter a name for Label
  • Choose reCAPTCHA v3
  • Enter Domains
  • Click Accept the reCAPTCHA Terms of Service
  • Click SUBMIT
  • Click COPY SITE KEY and paste it as the public key
  • Click COPY SECRET KEY and paste it as the private key
  • Press Escape -> Enter :wq to save, then go back to the web browser to check
  • Go back to html folder by the command cd ../..
  • Enter ls command -> Change the permission of dvwa folder by the command chmod -R 777 dvwa/
  • Go back to the web browser and check
  • Go to the config folder with the command cd dvwa/config/ -> Run ls to check -> Edit the config.inc.php file
  • Edit db_user to root
  • Edit db_password to blank
  • Press Escape -> Enter :wq to save
  • Enter mysql -u root
  • Enter use mysql;
  • Enter select Host, User, plugin from mysql.user;
  • Enter ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '';
  • Go back to the web browser and click Create/Reset Database -> Click Login
  • You can now access DVWA's login page
  • Go back to the terminal and enter use dvwa;
  • Enter exit
  • Go back to the web browser and log in with username: admin, password: password
  • You can now access the DVWA server and perform the desired vulnerability tests
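
The settings changed in the steps above (allow_url_include, the renamed config file, the dvwa folder mode) can also be confirmed from the terminal instead of by refreshing setup.php. The script below is an added example, not part of the original tutorial or of DVWA; its function names and the sample files it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example: command-line check of the lab settings changed in the steps above.
# Function names and the sample tree are constructed for illustration.

# Print the effective value of KEY in a php.ini file. Lines starting with ';'
# are comments; if a key is assigned more than once, the last assignment wins.
php_ini_value() {  # usage: php_ini_value FILE KEY
    awk -v key="$2" '
        /^[ \t]*;/ { next }
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Succeed if KEY is a true boolean in FILE (PHP accepts On, 1, true, yes).
php_ini_is_on() {  # usage: php_ini_is_on FILE KEY
    case "$(php_ini_value "$1" "$2" | tr '[:upper:]' '[:lower:]')" in
        on|1|true|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the checks; the return status is the number of failed checks.
dvwa_preflight() {  # usage: dvwa_preflight PHP_INI DVWA_DIR
    fails=0
    if php_ini_is_on "$1" allow_url_include; then echo "OK   allow_url_include is On"
    else echo "FAIL allow_url_include is not On in $1"; fails=$((fails + 1)); fi
    if [ -f "$2/config/config.inc.php" ]; then echo "OK   config.inc.php present"
    else echo "FAIL config.inc.php missing (rename config.inc.php.dist)"; fails=$((fails + 1)); fi
    if [ "$(ls -ld "$2" | cut -c2-10)" = "rwxrwxrwx" ]; then echo "OK   dvwa folder mode is 777"
    else echo "FAIL dvwa folder mode is not 777"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample, not a real system: stock php.ini values and a DVWA tree
# as it looks before the rename and chmod steps.
lab=$(mktemp -d)
mkdir -p "$lab/dvwa/config"
printf '%s\n' '[PHP]' '; allow_url_include = On' 'allow_url_fopen = On' \
    'allow_url_include = Off' > "$lab/php.ini"
touch "$lab/dvwa/config/config.inc.php.dist"
chmod 755 "$lab/dvwa"
dvwa_preflight "$lab/php.ini" "$lab/dvwa" || echo "$? check(s) failed"
# On the lab VM: dvwa_preflight /etc/php/7.2/apache2/php.ini /var/www/html/dvwa
```

The check reads the Apache php.ini that the steps edit, so it reports the value the web server will use after the restart.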
