ComputerSecurityStudent (CSS) [Login] [Join Now]




|SECURITY TOOLS >> Damn Vulnerable Web App >> DVWA v1.0.7 >> Current Page |Views: 324410

(Damn Vulnerable Web App (DVWA): Lesson 1)

{ How to Install DVWA in Fedora 14 }


Section 0. Background Information
  • What is Damn Vulnerable Web App (DVWA)?
    • Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
    • Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

     

  • Pre-Requisite Lab
  • Lab Notes
    • In this lab we will do the following:
      1. Install Apache Webserver
      2. Install Mysql Server
      3. Install PHP
      4. Install and Configure DVWA
  • Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.

     

Section 1: Configure Fedora14 Virtual Machine Settings
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
      2. For Windows XP
        • Starts --> Programs --> VMware Player

     

  2. Open a Virtual Machine (Part 1)
    • Instructions:
      1. Click on Open a Virtual Machine

     

  3. Open a Virtual Machine (Part 2)
    • Instructions:
      1. Navigate to Virtual Machine location
        • In my case, it is G:\Virtual Machines\Fedora14 - DVWA
      2. Click on the Fedora14 Virtual Machine
      3. Click on the Open Button

     

  4. Edit the virtual machine settings
    • Instructions:
      1. Highlight the Fedora14 VM
      2. Click on Edit virtual machine settings.

     

  5. Edit Network Adapter
    • Instructions:
      1. Click the Hardware Tab
      2. Highlight Network Adapter
      3. Select Bridged: Connected directly to the physical network
      4. Select the OK Button

 

Section 2: Login to Fedora14
  1. Start the Fedora14 VM Instance
    • Instructions:
      1. Select Fedora14
      2. Play virtual machine

     

  2. Login to Fedora14
    • Instructions:
      1. Login: student
      2. Password: <whatever you set it to>.

 

Section 3: Open Console Terminal and Retrieve IP Address
  1. Start a Terminal Console
    • Instructions:
      1. Applications --> Terminal

     

  2. Switch user to root
    • Instructions:
      1. su - root
      2. <Whatever you set the root password to>

     

  3. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes:
      • As indicated below, my IP address is 192.168.1.116.
      • Please record your IP address.

     

Section 4: Disable SELinux
  1. Open the SELinux config file with gedit
    • Instructions:
      1. gedit /etc/selinux/config 2>/dev/null &
    • Notes (FYI):
      1. gedit, is a text editor for the GNOME Desktop.
      2. /etc/selinux/config, is the file name that gedit will open.
      3. 2>/dev/null, sends standard error messages to a black hole (/dev/null).
      4. The "&" is used to open gedit in the background.
      5. If you are the Linux Guru feel free to use the VI editor instead.

     

  2. Delete enforcing
    • Instructions:
      1. Arrow down to SELINUX=enforcing
      2. Highlight the word "enforcing" and press the delete button

     

  3. Replace enforcing with disabled
    • Instructions:
      1. Replace "enforcing" with the word "disabled"
        •  SELINUX=disabled
      2. Click Save
      3. Click the "X" to Close

     

  4. Open the SELINUX config file with gedit
    • Instructions:
      1. setenforce 0
      2. sestatus
    • Notes (FYI):
      • setenforce - is used to modify the mode SELinux is running in.
      • Generally, I do not support disabling SELinux.  However, we are going to turn this server into a vulnerable machine by later installing Mutillidae.

 

Section 5: Disable Firewall
  1. Disable the Firewall
    • Instructions:
      1. service iptables stop
      2. chkconfig iptables off
    • Notes (FYI):
      • Again, I do not support disabling the firewall.  However, we are going to turn this server into a vulnerable machine by later installing Mutillidae.

 

Section 6: Install Apache httpd Server
  1. Download httpd
    • Instructions:
      1. yum install httpd.i686
      2. y

     

  2. Start Apache
    • Instructions:
      1. service httpd start
        • This starts up the Apache Listening Daemon
      2. ps -eaf | grep httpd
        • Check to make sure Apache is running.
      3. chkconfig --level 2345 httpd on
        • Create Start up script for run levels 2, 3, 4 and 5.

     

Section 7: Install mysql and mysql-server
  1. Install mysql
    • Instructions:
      1. yum install mysql.i686
      2. Continue to next step

     

  2. Install mysql
    • Instructions:
      1. y

     

  3. Install mysql-server
    • Instructions:
      1. yum install mysql-server
      2. y

     

  4. Start Up mysqld
    • Instructions:
      1. service mysqld start

     

  5. Start Up mysqld
    • Instructions:
      1. chkconfig --level 2345 mysqld on
        • Creates the start up scripts for run level 2, 3, 4 and 5.
      2. mysqladmin -u root password dvwaPASSWORD
        • Sets the mysql root password to "dvwaPASSWORD"

     

  6. Login to mysql and create dvwa database
    • Instructions:
      1. mysql -uroot -p
      2. dvwaPASSWORD
      3. create database dvwa;
      4. quit

     

Section 8: Install PHP
  1. Install PHP
    • Instructions:
      1. yum install php.i686
      2. y

     

  2. Install php-mysql
    • Instructions:
      1. yum install php-mysql
      2. y

     

  3. Install php-pear
    • Instructions:
      1. yum install php-pear php-pear-DB
      2. y

     

Section 9: Install wget
  1. Install wget
    • Instructions:
      1. yum install wget
      2. y

     

Section 10: Install Damn Vulnerable Web App (DVWA)
  1. Download DVWA
    • Note(FYI):
      • DVWA-1.0.7.zip is an older version.  ComputerSecurityStudent provides this zip file, since it is no longer available at google source.
      • The most recent version can be found at http://www.dvwa.co.uk/
    • Instructions:
      1. cd /var/www/html
      2. wget http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson1/DVWA-1.0.7.zip
        • Grab the DVWA-1.0.7 application.
        • Remember to down the zip file from computersecuritystudent and not googlecode.
      3. ls -l | grep DVWA
        • Confirm DVWA-1.0.7.zip was downloaded

     

  2. Unzip Package
    • Instructions:
      1. unzip DVWA-1.0.7.zip

     

  3. Remove Zip File
    • Instructions:
      1. ls -lrta
      2. rm DVWA-1.0.7.zip
      3. y

     

  4. Configure config.inc.php  
    • Instructions:
      1. cd /var/www/html/dvwa/config
        • This is the configuration directory for DVWA.
      2. cp config.inc.php config.inc.php.BKP
        • Make Backup copy
      3. chmod 000 config.inc.php.BKP
        • Remove Permissions to the Backup Copy
      4. vi config.inc.php
        • This is the configuration file for DVWA that handles the database communication from the Web App.

     

  5. Configure config.inc.php  
    • Instructions:
      1. Arrow down to the line that contains db_password
      2. Arrow right and place your cursor on the second single quote
      3. Press "i"
        • This puts the vi editor into INSERT mode.
      4. Type "dvwaPASSWORD"
      5. Press <Esc>
        • This takes the vi editor out of INSERT mode.
      6. Type ":wq!"
        • This save the config.inc.php file.

     

  6. Restart Apache
    • Instructions:
      1. service httpd restart
        • Restart Apache
      2. ps -eaf | grep -v grep | grep httpd
        • Make sure Apache is running.
    •  

  7. Start up a Web Browser  
    • Instructions:
      1. Applications --> Internet --> Firefox
    • Notes(FYI):
      • At this point, you can start up a web browser on any computer on your network (Windows, Mac, Whatever you want).

     

  8. DVWA Database setup  
    • Instructions:
      1. http://192.168.1.116/dvwa/setup.php
        • Replace 192.168.1.116 with the IP Address obtained from Section 3, Step 3.
      2. Click the Create / Reset Database button

     

  9. DVWA Creation Messages  
    • Instructions:
      1. You should see the below database created, data inserted, and setup successful messages.
      2. Click on Logout

     

  10. Login to DVWA  
    • Instructions:
      1. Username: admin
      2. Password: password

     

  11. Welcome to DVWA  
    • Note(FYI):
      1. Click Here for subsequent lessons.

     

Section 11: Proof of Lab
  1. Proof of Lab
    • Instructions:
      1. echo "select user,password from dvwa.users;" | mysql -uroot -pdvwaPASSWORD
      2. date
      3. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions:
      1. Do a PrtScn
      2. Paste into a word document
      3. Upload to Moodle

     



Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth