DVWA, which stands for Damn Vulnerable Web Application, is a very vulnerable web application. Its existence helps us learn how to use ethical hacking tools in a safe environment without breaking the law.
Below are the steps to install DVWA.
I already have PHP 7.0 on my Kali Linux. Make sure that you have either PHP version 5 or PHP version 7.
First of all, go to the /var/www/html directory from your terminal using the cd /var/www/html command. Then, get the DVWA zip file from GitHub using either the git clone or the wget command followed by the URL of the file. (GitHub URL: https://github.com/ethicalhack3r/DVWA/archive/master.zip)
After getting the zip file, unzip it using the unzip command followed by the file name.
Next, move all of the files inside DVWA-master to the /var/www/html directory using the mv DVWA-master/* /var/www/html command.
Then change the ownership using chown -R www-data:www-data /var/www/html
This is the explanation about the chown -R command
Showing the data using a long listing format.
Now, let's start the apache2 service and the mysql service using the service apache2 start ; service mysql start command. You can also use the service apache2 start && service mysql start command.
Secure the MySQL installation by following the steps below.
Now go to your localhost to check whether the server is working properly or not. Below is how it looks if the server is working properly.
Now, follow the steps below to go to the config directory and use the gedit command to see what is inside the config.inc.php file.
This is what it looks like if you use the gedit command on the config.inc.php file. As you can see here, there is a comment stating that you will need to generate your own keys at the URL given. Copy that URL and go to the browser.
Now, paste it and go. You will be asked to log in to a Google account. Just sign in and go to the next step.
Now, find the section that is similar to the picture below. Copy the site key and the secret key.
Now, on your command line, type gedit config.inc.php again to open and edit the file. Paste the site key into the DVWA public key and the secret key into the DVWA private key.
Then restart the apache2 service and the mysql service using service apache2 restart && service mysql restart. In my case below, I stop it first and start it again, but that is rather inefficient. To check the service status, just type service name_service status. name_service in this case is mysql or apache2.
Now, you can go to localhost_ip/setup.php in your browser, check whether there is any red-colored text, and read the prerequisites. In my case I need to fix the PHP function allow_url_include and the PHP module gd.
To fix the first one below is the instruction from the DVWA.
So, after knowing that, let's check the php.ini file and change allow_url_include. To find your php.ini you can use the php --ini command.
Now, go to the file using the php.ini path before and type gedit php.ini command.
Find allow_url_include and change it from Off to On. If the text is still red after you restart apache2 and mysql, find the other php.ini on your computer and change allow_url_include to On there as well.
Restart the service.
If you go back to your browser and still find the same problem, that the PHP function allow_url_fopen is still disabled, try to search for another php.ini file in your system. In my case, I found another php.ini file in /etc/php/7.0/apache2. If this is the case, you need to edit that php.ini file too. Below is the screenshot of my other php.ini file.
Go to the browser and we can see now we do not have any problem with the allow_url_include anymore but we still have another problem.
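Because the CLI and Apache can each read a different php.ini, the check below reports the effective allow_url_include value in every file you pass it. It is an added example, not part of the original walkthrough; the function names and the sample files created in demo are constructed for illustration.

```sh
#!/bin/sh
# ini_value FILE DIRECTIVE: print the last uncommented value (lowercased),
# or "unset". Later assignments in a php.ini override earlier ones.
ini_value() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }                      # whole-line comment
        {
            line = $0
            sub(/;.*$/, "", line)                # trailing comment
            eq = index(line, "=")
            if (eq == 0) next                    # section header or blank
            name = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t"]+|[ \t"\r]+$/, "", val)
            if (name == key) found = tolower(val)
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

# check_directive DIRECTIVE FILE...: one report line per file; returns 1 if
# any file leaves the directive off (DVWA's setup.php would still show red).
check_directive() {
    directive=$1; shift; bad=0
    for f in "$@"; do
        v=$(ini_value "$f" "$directive" 2>/dev/null) || v="unreadable"
        case "$v" in
            on|1|true|yes) echo "$f: $directive=$v (enabled)" ;;
            *) echo "$f: $directive=$v (disabled)"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample: a CLI php.ini already edited, an Apache one still Off.
demo() {
    d=$(mktemp -d) || return 1
    printf '; CLI copy\nallow_url_include = Off\nallow_url_include = On\n' > "$d/cli.ini"
    printf ';allow_url_include = On\nallow_url_include = Off ; default\n' > "$d/apache2.ini"
    check_directive allow_url_include "$d/cli.ini" "$d/apache2.ini"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || echo "at least one php.ini still needs editing"
```

On the setup described here, you would call check_directive allow_url_include with the php.ini path printed by php --ini and the one under /etc/php/7.0/apache2.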
To fix the remaining problem, the missing PHP module gd, you can just type apt-get install php7.0-gd -y && service apache2 restart.
Then gedit config.inc.php file that is in the config folder and change the configuration just like the picture below.
In your terminal, connect to the database by typing mysql -u root -p, then press Enter and enter the password.
After the picture above, type all of these commands:
CREATE DATABASE cbn_workshop;
GRANT ALL PRIVILEGES ON cbn_workshop.* TO dvwa_user@localhost IDENTIFIED BY 'your_password';
Note: 'your_password' should be the db password in config.inc.php.
After that, you can click the create/reset database button in the browser and the login page will show up. To find the username and password, locate the README.md file and read it with the cat README.md command. Use that username and password to log in to DVWA.
This is the front page of the DVWA.
Congratulations, you have finished installing DVWA. Have fun and play with it!