DVWA stands for Damn Vulnerable Web Application, an open-source web application that is deliberately vulnerable so that users can learn about the various vulnerabilities found in web apps. Practising your attacks on live websites that are already serving an organization's customers can lead to severe legal punishment, so to avoid that and still learn about Web Application Security we have DVWA.
Installation
Installing DVWA on Linux can get complicated, but it is easy when you follow the steps below.
(I'd advise using Kali Linux, as it already comes with most of the required packages preinstalled.)
Step 1: Clone DVWA from GitHub into /var/www/html (the chmod 777 below makes the whole tree world-writable, which is acceptable only on an isolated lab machine)
cd /var/www/html
git clone https://github.com/ethicalhack3r/DVWA
chmod -R 777 DVWA/ && cd DVWA/
Step 2: Copy the configuration file and edit the copy, keeping the original too.
cd config
cp config.inc.php.dist config.inc.php
nano config.inc.php

Change db_user and db_password, then save with Ctrl + X -> Y -> Enter.
Step 3: Start MySQL, since we will be doing database attacks too, and the Apache service for our web server.
sudo service apache2 start
sudo service mysql start
Step 4: Set up the database by running the command below, then enter the root password.
mysql -u root -p
Run the following queries to create the new user, using the same credentials as in the DVWA config file:
create user 'user'@'127.0.0.1' identified by 'pass';
grant all privileges on dvwa.* to 'user'@'127.0.0.1' identified by 'pass';
Press CTRL+C to exit the MariaDB prompt.
Step 5: Edit the PHP configuration file at /etc/php/7.3/apache2/php.ini (the version directory depends on the PHP version installed on your system).
Make sure allow_url_fopen = On and allow_url_include = On.
Save and exit the editor.

After this we are ready to open it in the browser.
Step 6: In the browser go to localhost/DVWA and you should see the login page. The default credentials are admin / password. If you see a different page, such as setup.php, click on "Create / Reset Database" and then go to the login page.

With this we are good to go and can explore DVWA.

Exploiting Vulnerabilities
Check out the OWASP Top 10 to learn about the most commonly performed attacks; we will choose our attacks from this list.
I'll be showing 5 attacks at the low security level, just to get you started with Web Application Security (WAS).
1. SQL Injection

For User ID we can enter numbers starting from 1 and it returns a few results. This doesn't really prove that the web app is vulnerable, so I went through the page's source code once and got the simple idea of passing 2' order by 2# in the search field. This returned output, which means the table has 2 columns.
Next I thought of getting usernames and the database name. How?
I started playing with SQL queries and entered 2' union select user(), database()# which returned the database name along with the username 'Gordon'.

Now I'll hunt for table names. For that I entered 1' union select 1, group_concat(table_name) from information_schema.tables where table_schema='dvwa'# which gave the table names users and guestbook; our main interest is users.

Now I'll fetch the column names of that table with 1' union select 1, group_concat(column_name) from information_schema.columns where table_schema='dvwa' and table_name='users'#. This gave the columns of the table, including user_id, first_name, password, etc.

Now I'll look for the contents under the columns I just found:
0' union select user, password from dvwa.users limit 0,1 # which gave me the password hash for the root user, which can be cracked to 'password'.
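As an added example (not DVWA's own source code), here is the vulnerable pattern this section exploits beside its parameterised fix. It assumes a mysqli connection to the dvwa database with the credentials from config.inc.php and a users table with user_id, first_name and last_name columns:

```php
<?php
// Added illustration, not DVWA's code. Assumes a mysqli connection $db to the dvwa database.

// Vulnerable: the id is concatenated straight into the SQL text, so a quote in $id
// closes the string literal and "#" comments out whatever follows. That is exactly
// why 2' order by 2# and 1' union select ... # work against the low level.
function lookupUserVulnerable(mysqli $db, string $id): array {
    $sql = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
    $rows = [];
    $result = $db->query($sql);
    while ($result && ($row = $result->fetch_assoc())) {
        $rows[] = $row;
    }
    return $rows;
}

// Hardened: the id must be a non-negative integer and is bound as a parameter,
// so its bytes never reach the SQL parser; a UNION payload fails validation.
function lookupUserSafe(mysqli $db, string $id): array {
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('user_id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT first_name, last_name FROM users WHERE user_id = ?');
    $stmt->bind_param('i', $id);   // 'i' = integer; the value is sent separately from the SQL text
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage with the credentials created in Step 4 (assumed host/user/password/db):
// $db = new mysqli('127.0.0.1', 'user', 'pass', 'dvwa');
// print_r(lookupUserSafe($db, $_GET['id'] ?? ''));
```

The integer check alone would already block every payload shown above; the prepared statement is the defence that holds even for free-text columns where such a check is impossible.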

2. Brute Force
A brute force attack is a method of cracking passwords or accessing systems by trying all possible combinations of usernames and passwords until the correct one is found. It is an automated, repetitive process that can be used to bypass security measures and gain unauthorized access to systems, networks, or applications.

I will be using Burp Suite for this attack, so make sure you have set up your proxy and turned intercept on. Enter a random username and password to check the behaviour in Burp Suite.
If you're new you might not be able to intercept localhost traffic. To fix that in Firefox, enter about:config in the URL bar, click "Accept the Risk and Continue", search for network.proxy.allow_hijacking_localhost and toggle it to true.

While intercepting you can see the username and password we just entered. Right-click on the request and send it to Intruder so that we can work on it while intercept is off.
Next to Proxy you can see Intruder, where our raw intercepted request is saved waiting for us to provide inputs for the attack. First click Clear, then double-click the username and password values in turn, adding both as our attack positions. Choose the attack type Cluster Bomb and then click on Payloads.

First: set Payload Set to 1 and keep Payload type as Simple List. Payload set 1 targets the username and payload set 2 targets the password. For payload options you can either manually enter a few values and click Add, or load a text file that already contains multiple values.

Change the Payload Set to 2 and set the list of passwords.

It will take some time to try all the combinations and get the results. Once it is 100% done, click on the 'Length' column header; the rows with a different (higher) length are the matches. In this case we matched admin and password.

Enter the values on the login page.
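From the defender's side, the Cluster Bomb run above leaves a very recognisable trace in the web server log: one client hitting the login page many times within seconds. This added example (not part of the original post) scans constructed Apache access-log lines and flags any client that sends at least a threshold number of login requests inside a time window; with the sample below it flags 127.0.0.1:

```php
<?php
// Added detection example, not from the original post. The log lines are constructed
// samples imitating an Intruder burst against the DVWA brute-force page, not real traffic.
const SAMPLE_LOG = <<<LOG
127.0.0.1 - - [01/Jan/2024:10:00:01 +0000] "GET /DVWA/vulnerabilities/brute/?username=admin&password=123456&Login=Login HTTP/1.1" 200 4512
127.0.0.1 - - [01/Jan/2024:10:00:01 +0000] "GET /DVWA/vulnerabilities/brute/?username=admin&password=letmein&Login=Login HTTP/1.1" 200 4512
127.0.0.1 - - [01/Jan/2024:10:00:02 +0000] "GET /DVWA/vulnerabilities/brute/?username=admin&password=qwerty&Login=Login HTTP/1.1" 200 4512
127.0.0.1 - - [01/Jan/2024:10:00:02 +0000] "GET /DVWA/vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.1" 200 4600
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /DVWA/index.php HTTP/1.1" 200 1200
LOG;

// Returns [ip => total login attempts] for every client that made $threshold or more
// requests to $path within any $windowSeconds-long interval.
function findLoginBursts(string $log, string $path, int $threshold, int $windowSeconds): array {
    // Common Log Format: ip ident user [timestamp] "METHOD path HTTP/x" status size
    $pattern = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) ' . preg_quote($path, '~') . '[^"]*" (\d{3})~';
    $attempts = [];   // ip => list of unix timestamps
    foreach (explode("\n", trim($log)) as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue;   // not a request to the login page
        }
        $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
        if ($ts === false) {
            continue;
        }
        $attempts[$m[1]][] = $ts->getTimestamp();
    }
    $flagged = [];
    foreach ($attempts as $ip => $times) {
        sort($times);
        // Slide a window of $threshold consecutive attempts; if its span fits in the
        // time window, the client is guessing faster than any human would type.
        for ($i = 0, $n = count($times); $i + $threshold - 1 < $n; $i++) {
            if ($times[$i + $threshold - 1] - $times[$i] <= $windowSeconds) {
                $flagged[$ip] = $n;
                break;
            }
        }
    }
    return $flagged;
}

print_r(findLoginBursts(SAMPLE_LOG, '/DVWA/vulnerabilities/brute/', 3, 60));
```

The same length difference that Burp uses to spot the successful guess shows up here as the larger response size on the last 127.0.0.1 line, so a second rule keyed on a size change after a burst would also catch the moment the attack succeeded.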

3. Command Injection
In command injection attacks, the attacker manipulates the input to a system in order to inject additional commands that are executed by the system. For example, in a web application, the attacker might submit a form with a malicious command in the input field, which is then executed by the server.

The dashboard asks us to enter an IP address to ping. I simply entered localhost, then checked the source code, which was quite simple, and my ping was working fine too. Then I thought of adding a few extra Linux commands after localhost:
localhost && pwd: this prints the present working directory.

This time I entered localhost && cd /root && ls, which listed the files in the root directory.

This is how you can play with it.
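The reason localhost && pwd works is that the ping page hands the raw field to a shell, where && is an operator. This added example (not DVWA's code) shows that pattern beside a hardened handler that validates the target as an IP address or hostname and still quotes it with escapeshellarg as a second line of defence; the ping flags are an assumption:

```php
<?php
// Added illustration, not DVWA's own code.

// Vulnerable: the target is appended verbatim, so "localhost && pwd" becomes
// `ping -c 2 localhost && pwd` and the shell happily runs both commands.
function pingVulnerable(string $target): string {
    return (string) shell_exec('ping -c 2 ' . $target);
}

// Hardened: accept only what a ping target can legitimately be.
function pingSafe(string $target): string {
    $isIp = filter_var($target, FILTER_VALIDATE_IP) !== false;
    // RFC 1123 style hostname: labels of letters, digits and hyphens joined by dots.
    $hostLabel = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $isHost = (bool) preg_match('/^' . $hostLabel . '(\.' . $hostLabel . ')*$/', $target);
    if (!$isIp && !$isHost) {
        // Spaces, "&", ";", "|" and backticks can never appear in a valid target,
        // so every payload in this section is rejected here.
        return 'Invalid target';
    }
    // escapeshellarg() wraps the value in single quotes; even if validation were
    // loosened later, the shell would see one argument, never an operator.
    return (string) shell_exec('ping -c 2 ' . escapeshellarg($target));
}

// Usage: echo '<pre>' . htmlspecialchars(pingSafe($_POST['ip'] ?? '')) . '</pre>';
```

Validation is the primary control; quoting alone would stop command chaining but still let an attacker probe how the command handles odd arguments.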
4. CSRF
CSRF (Cross-Site Request Forgery) is a type of security vulnerability where an attacker tricks a victim into making an unintended action on a website. The attacker does this by sending a request to the website using the victim’s browser, without the victim’s knowledge or consent.
In a CSRF attack, the attacker takes advantage of the fact that a user's browser automatically includes authentication information, such as cookies, in every request to a website. By crafting a malicious request and tricking the victim into making it, the attacker can perform actions on the website as the victim.

Here, when we enter a new password and confirm it, a GET request is sent when we click the submit button; it looks like this:
http://localhost/DVWA/vulnerabilities/csrf/?password_new=password&password_conf=password&Change=Change#
A hacker can simply use a URL shortener like bit.ly or Google to shorten the URL without the user seeing the real content of the URL. To spice it up, the hacker can also encode the new username and password before shortening the entire URL.
DVWA on the medium level just adds a layer of security by authenticating the user via IP, but even that can be bypassed in Burp Suite by simply replacing the IP with the loopback IP.
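The fix DVWA applies at its higher levels is an anti-CSRF token, which neither a shortened link nor a forged Referer can supply. This added example (not DVWA's own code) is a password-change handler that requires POST plus a per-session token; the field names match the URL above, the session and storage details are assumptions:

```php
<?php
// Added illustration, not DVWA's own code.
session_start();

// One random token per session. A page on another origin cannot read it, so it
// cannot build a request that passes the check below.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// $request is $_POST, $method is $_SERVER['REQUEST_METHOD']; returns a status message.
function changePassword(array $request, string $method): string {
    if ($method !== 'POST') {
        // A shortened link or an <img src="..."> can only produce GET, so it stops here.
        return 'Password changes must be submitted with POST';
    }
    // hash_equals() compares in constant time, so the token cannot be guessed byte by byte.
    if (!hash_equals(csrfToken(), (string) ($request['csrf_token'] ?? ''))) {
        return 'Invalid or missing CSRF token';
    }
    $new  = (string) ($request['password_new'] ?? '');
    $conf = (string) ($request['password_conf'] ?? '');
    if ($new === '' || $new !== $conf) {
        return 'Passwords do not match';
    }
    $hash = password_hash($new, PASSWORD_DEFAULT);   // slow, salted hash instead of a bare digest
    // Persist $hash for the logged-in user with a prepared UPDATE statement (storage assumed).
    return 'Password changed (' . strlen($hash) . '-byte hash stored)';
}

// The legitimate form carries the token as a hidden field, so only it passes the check:
// echo '<input type="hidden" name="csrf_token" value="' . htmlspecialchars(csrfToken()) . '">';
// echo changePassword($_POST, $_SERVER['REQUEST_METHOD']);
```

Requiring POST on its own is not sufficient, since a hidden auto-submitting form on the attacker's page can issue POST requests too; the token is what actually breaks the attack.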
5. File Upload
File upload vulnerability refers to a security weakness in a web application that allows an attacker to upload and execute malicious files, such as scripts or executables, on the server hosting the application. This can result in unauthorized access to sensitive information, data breaches, and other harmful actions.
In the DVWA File Upload vulnerability we get an option to upload, and a small description above it says 'Choose an image to upload'. This upload field accepts any file type, so we will upload a web shell and gain shell access. In Kali you can find one easily by typing locate webshells and selecting simple-backdoor.php.
Simply upload this backdoor in the upload section; you can then pass commands (cmd=) in the URL and get the output in the browser.
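The page says 'Choose an image to upload' but never checks that it got one. This added example (not DVWA's own code) shows the checks that reject a PHP backdoor: an extension allow-list, a content check that the bytes decode as that image type, a server-chosen random filename, and storage in a directory where PHP is not executed. The upload directory is an assumption:

```php
<?php
// Added illustration, not DVWA's own code.
// Assumed: a directory outside the web root, or one where PHP execution is disabled
// (e.g. an Apache <Directory> block with "php_admin_flag engine off"), so that even a
// file that slipped through would be served as bytes, never run.
const UPLOAD_DIR = '/var/www/uploads';

// $file is one entry of $_FILES; returns the stored path or throws on rejection.
function validateImageUpload(array $file): string {
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    // 1. Extension allow-list on the client-supplied name. A deny-list ("no .php")
    //    is the wrong approach: .phtml, .phar and double extensions slip past it.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('Only JPEG and PNG images are accepted');
    }
    // 2. Content check: the file must really parse as that image type. A renamed
    //    simple-backdoor.php has no image header and fails here; the browser-sent
    //    $file['type'] is attacker-controlled and is deliberately ignored.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $allowed[$ext]) {
        throw new RuntimeException('File content is not a valid ' . $ext . ' image');
    }
    // 3. Server-chosen random name: the uploader neither controls nor can guess the
    //    final path, and path traversal in the original name is irrelevant.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $dest;
}

// Usage: echo 'Stored as ' . htmlspecialchars(basename(validateImageUpload($_FILES['uploaded'])));
```

getimagesize() can still be fooled by a valid image with PHP code appended in its metadata, which is why step 3 and the non-executing directory matter: the content check narrows what gets in, the storage rules make sure nothing that gets in can be run.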