opsxcq / docker-vulnerable-dvwa Goto Github PK

Damn Vulnerable Web Application Docker container

Home Page: https://github.com/opsxcq/docker-vulnerable-dvwa

PHP 87.56% HTML 0.05% CSS 2.38% JavaScript 9.44% Shell 0.10% Dockerfile 0.47%

docker vulnerabilities dvwa hacking training training-labs web-application web-app vulnerable

docker-vulnerable-dvwa's Introduction

Damn Vulnerable Web Application Docker container

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.

The aim of DVWA is to practice some of the most common web vulnerability, with various difficultly levels, with a simple straightforward interface. Please note, there are both documented and undocumented vulnerability with this software. This is intentional. You are encouraged to try and discover as many issues as possible.

WARNING This image is vulnerable to several kinds of attacks, please don't deploy it to any public servers.

Run this image

To run this image you need docker installed. Just run the command:

docker run --rm -it -p 80:80 vulnerables/web-dvwa

And wait until it download the image and start it, after that you can see the image running in your local machine:

Just click on the Create / Reset database button and it will generate any aditional configuration needed.

Login with default credentials

To login you can use the following credentials:

Username: admin
Password: password

Set the dificulty level

The default dificulty level is the impossible level, you can change it in DVWA Security item in the left menu.

Hack and have fun !

If you are playing it in low dificulty, just to have a taste of how exploit a flaw in this app, go to SQL Injection in the left menu. In the id field, add this query:

%' and 1=0 union select null, concat(user,':',password) from users #

There are several other ways and other vulnerabilities do exploit, go ahead, have fun !

About DVWA

You can visit DVWA official website and official github repository if you want more information.

Disclaimer

This or previous program is for Educational purpose ONLY. Do not use it without permission. The usual disclaimer applies, especially the fact that me (opsxcq) is not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of these programs is not opsxcq's responsibility.

docker-vulnerable-dvwa's People

Contributors

Stargazers

Watchers

Forkers

hemel-cse conanjun helium876 cybergoof phoenixml irvinlim arjitagarwal nand0p cmattoon mzack9999 m4n3dw0lf ro9ueadmin szagvozdin123 brooksgarrett dennismeeq stiassny pierrickv karolhor waterbolik goldrak kangjor francofor r-schmid marcus-sds piuliss massiverawr lalalland newlode davidvilla hunterlodge iiiokoladnevchemnevinovat stevenaldinger cryptocrowdclub qfz9527 vulnerables tsheth eurogig frankspierings shouamy anthturner tuxinvader zerolugithub sadhananatarajan12 dinofish gkor75 xx-sec xx-src iamissac igorassuncao soul9 crispy-peppers falanteris m-z-b abdullahfasih xiongjungit ehc-io jelowon gwyxjtu omega-coder sun363587351 srburton testinguser883 prateeksahu arsyad90 center1 vamseeaws sqreen xsevithx zjwjj securityanalysts rjw245 ulrichbayer jashim-2020 artiume arunpillai6 svicky96 slape securitym0nk millsapcyber cwm8 damingshidashi banoris dakario sixrq dagri-hub 5l1v3r1 anir0y z3r0n0rth lmccamley82 quingo3 summved mikaelapisani bjhulst zzzapzzz maregon edusantos33 nci-student-pentesters ahmedtorgoman 0thm4n3 kjnvarma

docker-vulnerable-dvwa's Issues

Is it still active

Is this still active and/or maintained. I am seeing a lot of timelapse in terms of commits from the official repo for dvwa.

Docker Version in Docker file is outdated

https://github.com/opsxcq/docker-vulnerable-dvwa/blob/master/Dockerfile

The FROM debian:9.2
is causing my Docker Jenkins pipeline to fail with Error :
The error mentions you're using debian:9.2. Consider using a more recent Debian base image, such as debian:stretch, which is a general tag that should provide access to the package repositories.

�[91mW: The repository 'http://security.debian.org stretch/updates Release' does not have a Release file.

Could you please update :
FROM debian:stretch

DVWA code is out-of-date

Not sure if there are substantive changes, but the footer on the login page and the about page both link to the now-spammy site, https://dvwa.co.uk/

Split services

Create another docker image with only the DVWA code, without the database.
Parameterize the database connection information using environment variables
Setup an example docker-compose.yml

Remote File Inclusion Not working

The PHP function allow_url_include is not enabled.

Changing Security Level

When I run 2 instances of vulnerables/web-dvwa in docker and I change the security level of one of them, the other also change. Can you tell me why is this happening? and how can I fix it?

starting MySQL database server Failed!

Sorted out Cheers.

not db

when click on setup it say cannot connect to db.
can I help fix or I do somethign wrong?

failed to run image

Starting MySQL database server: mysqld

The problem remains in the version of Nov 1.

[+] Starting mysql...
[FAIL] Starting MySQL database server: mysqld . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . failed!
[+] Starting apache
[....] Starting web server: apache2AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
. ok
==> /var/log/apache2/access.log <==
tail: unrecognized file system type 0x794c7630 for '/var/log/apache2/access.log'. please report this to [email protected]. reverting to polling

==> /var/log/apache2/error.log <==
[Mon Nov 06 08:24:21.797744 2017] [mpm_prefork:notice] [pid 782] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Mon Nov 06 08:24:21.797789 2017] [core:notice] [pid 782] AH00094: Command line: '/usr/sbin/apache2'
tail: unrecognized file system type 0x794c7630 for '/var/log/apache2/error.log'. please report this to [email protected]. reverting to polling

==> /var/log/apache2/other_vhosts_access.log <==
tail: unrecognized file system type 0x794c7630 for '/var/log/apache2/other_vhosts_access.log'. please report this to [email protected]. reverting to polling

sql injection failed because the input value will be url encode

the input box value is 1' or '1'=1

and the url search is change to: http://localhost:8080/vulnerabilities/sqli/index.php?id=1%27%20or%20%271%27=1&Submit=Submit&user_token=ba3b32ef112b359efab6bc6be2a5b335#

now matter how i change the url, it will also encode the query string

Mysql server failed

File Inclusion doesn't respect set security level

It appears to set the Security Level to impossible, despite the fact that the security level is set otherwise under security.php.

opsxcq / docker-vulnerable-dvwa Goto Github PK

docker-vulnerable-dvwa's Introduction

Damn Vulnerable Web Application Docker container

Run this image

Login with default credentials

Set the dificulty level

Hack and have fun !

About DVWA

Disclaimer

docker-vulnerable-dvwa's People

Contributors

Stargazers

Watchers

Forkers

docker-vulnerable-dvwa's Issues

Recommend Projects

Recommend Topics

Recommend Org