penetration test vulnerability platform dvwa

Posted by tetley at 2020-03-14

DVWA (dam vulnerable web application) DVWA is a set of Web vulnerability testing program written in PHP + MySQL for the teaching and detection of conventional web vulnerabilities. Including SQL injection, XSS, blind injection and other common security vulnerabilities.

1 download address:

2. Download the compression package: xampp UU After decompression, click xampp UU 2016.exe to install normally. Generally speaking, we suggest that this kind of integrated environment should be installed on the virtual machine, for example, I should install it on Windows 2008 R2.

3 other information:

###MySQL default password: user: root password: root

Installation and use:

1: check the button under [service] to install the service

2: click the start button of each function to start the process

3: click the admin button of each function to manage the function

4: you need to install JDK before starting Tomcat

1 download address:

2 extract the compressed package to: C: \ xampp \ HtDocs\

3 normal access address:

4 other information: if we open a browser on the host and enter the address, we cannot access it. Solution:

Restart xampp ② shut down the firewall of the virtual machine ③ use [windows firewall] - [advanced settings] - [diagnosis / repair] - [incoming connection] - [allow other computers to connect to Apache HTTP server]

If the port of Apache and other services is occupied, we can consider changing the port of the corresponding service. For example, Apache's http.conf file can change port 80 to another port. Open the cover file and search 80 to find it.

If a service fails to start, open the task manager to shut down the process completely, and then log out and log in again. Or shut down and restart directly.

1 create database

Because DVWA has the connection password of database by default, but xampp also has the default MySQL user name and password, so we need to change the configuration file of DVWA here. The default installation path is: C: \ xampp \ HtDocs \ dvwa-1.9 \ config, open the file [config. Inc.php], and search [DB Uuser]

The default profile is:

$_DVWA[ 'db_user' ]     = 'root';

$_DVWA[ 'db_password' ] = '[email protected]';

Change to the following:

$_DVWA[ 'db_user' ]     = 'root';

$_DVWA[ 'db_password' ] = 'root';


2 login management interface

We can see the login box. The login password here is admi / password. Enter it to log in successfully

3 DVWA introduction

We can see that the left column has management options such as home, instruction and setup / resetdb. Here, we can see a series of information. For example, DVWA function introduction, more extension exercises, PDF document introduction, change log, phpids, etc. To emphasize here, we did not turn on phpids. Why not? PHP IDS is a fire-proof software package that directly protects PHP applications. Equivalent to a WAF.

4 DVWA Security

This function is very important. Here we can set the level of vulnerability risk, even if the larger the level is, the more difficult it is to find the vulnerability. There are four levels: low, medium, high and impossible. Among them, the level of [impossibility] is the most difficult. It is almost difficult to find any vulnerability when executing this level. Generally speaking, as a drill platform, we often use the level [low]. If you want to further challenge, you can execute the level [medium].


PHP IDS v0.6 (PHP intrusion detection system) is a PHP based security layer for web applications.

Phpids works by filtering any user supplied input from a potentially malicious code blacklist. As an example of web application firewall (WAFS) of DVWA, it can help to improve security. And in some cases, how can we avoid the web application firewall. Activating this property will record the trace of our attack.

6 phpinfo.php

Generally, we should delete the dangerous pages. There is a phpinfo.php in the folder [dvwa-1.9], which can be deleted directly. For example, my path is: C: \ xampp \ HtDocs \ dvwa-1.9

Here we mainly use burp for attack drill

1 Brute Force

Enter an account password. Through the burpsuit interception package, you can see that the user name and password are submitted by get method, as shown in the following figure:



Here, we can see that the request serial number is 1221, which was successfully brutally cracked. The user name is admin, and the password is password

There are a lot of methods of violent cracking in more information. We can use awvs brute force cracking, appscan authentication tester or other tools. After entering the user name and password:

        Through code audit, it is found that the code of this page not only has the problem of brute force guessing, but also has the SQL injection vulnerability; the parameter username is directly assigned to $user and substituted into the SQL statement for execution, which results in the SQL injection vulnerability, but the following code also verifies that the returned result must be one line, so the limit can be used to control the number of returned lines, so the SQ can be constructed User name of L injection

admin' or 1=1limit 1#

Password can be any successful login!

2 Command Injection

Enter & & ipconfig in the input box

Or execute other commands, such as & & dir

Through code audit, I found that dvwa-1.9 \ vulnerabilities \ exec \ sorce's low.php code $CMD = shell exec ('ping-c 3 '. $target)

The code here does not do any processing to $_request ['Ip ']; and assign it to $target, resulting in that $target can be arbitrarily controlled by the user, so it can be constructed and execute any system command.

3 CrossSite Request Forgery (CSRF)

This is to change the user password, which means that the password of other users can be changed by executing CSRF. It is also any password change. We change the password normally. You can see

In this link, if it is made into a hidden connection, or the link is attached to the picture, or through phishing email, forum false connection and other ways. Once the user who logs in to the website clicks the connection in other websites, the password will be changed automatically.

There is also a way:

Enter the following characters in the input box: you can change the password of the root user

User name: Gordon B password: abc123

123′ whereuser=’gordonb’



4 FileInclusion\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini



5 FileUpload

Here, choose a setup.php file to upload directly.


6 Insecure CAPTCHA

This one needs to apply for an account with Google and modify the corresponding configuration file, so this one won't be demonstrated.


7  SQLInjection

This problem is common in all web applications, and the harm of this problem is very large, which can directly obtain the key sensitive data. This is relatively simple. Just input the following statements directly. Of course, we can also use sqlmap or its tools to test. Of course, we have a [help] button in the lower right corner of the current page. We can view the help information.



8  SQL Injection(Blind)


9  ReflectedCross Site Scripting (XSS)

Enter the following string in the input:


10  StoredCross Site Scripting (XSS)

Enter the following string in the input:


1 corresponding to other levels, such as medium, high and impossible, these are often difficult. This bypass technique is needed, such as code bypass, encryption bypass, truncation string modification bypass, etc.

2. The answer to the corresponding question is not unique. You can get the answer or similar prompt in many ways. The tools in this paper can also be various, because there are many tools to complete the above operations. For example, brute force cracking, command execution, cross site scripting, file inclusion, SQL injection, etc.

3. Corresponding to the repair code of each vulnerability, there are specific code demonstrations in the DVWA level of [high] and [implosible].

4 similar vulnerability platforms include mutillidae, webgoat, bwapp, etc.

Welcome to share better ideas and look forward to it!