This is the start of a series where I will use the DVWA framework to teach some basic vulnerabilities. To start with we need to install DVWA, and the best tool to install it with is Docker. This allows us to spin it up quickly on various platforms.
What is DVWA?
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
It has vulnerabilities in PHP, MySQL, file inclusion, Command Injection, and more. In this article I describe the process of installing DVWA in Docker.
So let’s get into it.
Set up for Installing DVWA
I will use my favourite BlackArch Linux install that I did in a previous blog post. For this write-up you can use any other flavour of Linux, for example BlackArch, Kali or any other modern Linux install with Docker. As I use only ArchLinux based distributions, the commands in this post will be for that platform only.
Also required is a network connection to the Internet. Without this you can’t install Docker.
Installing Docker
If you’re using BlackArch or just ArchLinux then installation of Docker is simple.
First update to the latest version of BlackArch/Arch.
sudo pacman -Syu
Then install Docker.
sudo pacman -S docker
Installing DVWA
The docker image we will use is called “vulnerables/web-dvwa” and is available on docker hub. We can pull down the DVWA docker image with the below.
sudo docker pull vulnerables/web-dvwa
Below is the command we use for running DVWA.
docker run --rm -it -p 8080:80 --name=dvwa vulnerables/web-dvwa
The options are,
- --rm, Don’t save the state and delete the container when it stops running.
- -it, Keep the container interactive so we can connect to it.
- -d, Daemonize the container so it keeps running in the background (not used in the command above).
- -p 8080:80, Map port 8080 on my system to port 80 in the container, so the docker image is reachable on my system Loopback address at 127.0.0.1 on port 8080.
- --name, This is the name of the Container that Docker will know it by.
Now, that was easy! All going well, you should be able to open “http://127.0.0.1:8080” in Firefox and DVWA should be reachable.
Configuring DVWA
Default login is
- Username: admin
- password: password
On the first run this will bring up the Database Setup page. Warning: because we used “--rm” when starting the docker container, whatever we do here is not saved if the docker container is stopped.
Let’s Initialize the Database by clicking the “Create/Reset Database” button.
Now DVWA will ask you to login again and it’s ready for action.
Our First DVWA Vulnerability
Once logged back in there is a menu on the right hand side that lists all the vulnerabilities that can be exploited. Let’s take a look at one, “Command Injection”.
This screen asks us to put in an IP address and it can be pinged. Let’s try it by putting in Google’s DNS server IP “8.8.8.8”.
It seems to do a command line ping. Command Injection is when you take the function of a command and change what it’s supposed to do. In the example we just gave you can see the output from a ping command. It doesn’t expect to do anything else. What if we added something unexpected to the end of that IP address?
Like 8.8.8.8;whoami
In Linux and other Unix type operating Systems you can chain commands on a single command line with a delimiter. In this case the delimiter is the semi-colon “;”.
See example below.
I ran the date, whoami and uptime commands on the same command line prompt. We can try it in the DVWA by inputting the below into the field “Enter an IP address:“.
8.8.8.8;whoami
Bingo! See the “www-data” that’s the output from the “whoami” command. You can replace “whoami” with any Linux command and it will work.
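The behaviour above, as an added Python example that is not part of the original post and is not DVWA's source code: user input joined onto a shell command line is split at the “;”, while the hardened form accepts only a literal IP address and builds an argument list that never passes through a shell. The "ping -c 4" command line and all function names are assumptions made for illustration.

```python
import ipaddress
import shlex
import subprocess

SEPARATORS = {";", "&", "&&", "|", "||"}  # tokens at which a shell starts a new command


def vulnerable_command(target):
    """Weak pattern (assumed): the form field is concatenated into a shell string."""
    return "ping -c 4 " + target


def commands_seen_by_shell(cmdline):
    """Illustrative tokenizer (not a full shell parser): list the separate
    commands a POSIX shell would find in cmdline."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def safe_argv(target):
    """Hardened pattern: accept only a literal IP address, return an argv list."""
    addr = ipaddress.ip_address(target.strip())  # ValueError on anything else
    return ["ping", "-c", "4", str(addr)]


def ping(target):
    """Run ping with no shell involved, so the argument is never re-parsed."""
    result = subprocess.run(safe_argv(target), capture_output=True,
                            text=True, timeout=30)
    return result.stdout


if __name__ == "__main__":
    for field in ("8.8.8.8", "8.8.8.8;whoami"):  # constructed sample inputs
        print(field, "->", commands_seen_by_shell(vulnerable_command(field)))
        try:
            print("  hardened argv:", safe_argv(field))
        except ValueError as err:
            print("  hardened form rejects it:", err)
```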
Conclusion
I hope you learned something from this post and if you have any comments please leave them below.