{"id":1183,"date":"2018-10-31T15:22:29","date_gmt":"2018-10-31T12:22:29","guid":{"rendered":"http:\/\/kifarunix.com\/?p=1183"},"modified":"2024-03-11T19:53:18","modified_gmt":"2024-03-11T16:53:18","slug":"how-to-setup-damn-vulnerable-web-app-lab-on-ubuntu-18-04-server","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-setup-damn-vulnerable-web-app-lab-on-ubuntu-18-04-server\/","title":{"rendered":"How to Install and Configure DVWA Lab on Ubuntu 18.04 server"},"content":{"rendered":"\n

Hello there, today we are going to learn how to install and configure DVWA lab on Ubuntu 18.04 server.<\/p>\n\n\n\n

DVWA<\/a> has been defined as a damn vulnerable PHP\/MySQL-based web application whose main goals are to help security professionals test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications, and help teachers and students teach or learn web application security in a classroom environment.<\/p>\n\n\n\n

Installing DVWA on Ubuntu 18.04<\/h2>\n\n\n\n

To set up DVWA on Ubuntu 18.04 server, step through the following procedure.<\/p>\n\n\n\n

Update and upgrade all packages on your server.<\/p>\n\n\n\n

apt update\napt upgrade<\/pre>\n\n\n\n

Once the upgrade is done, we are going to install the basic components of the LAMP stack, i.e. Apache, MySQL, and PHP. You can check our previous article on how to install LAMP Stack on Ubuntu 18.04<\/a>.<\/p>\n\n\n\n

Once you have the LAMP stack installed, proceed as follows.<\/p>\n\n\n\n

When prompted to set MySQL password you can set it to the default password that is used by the DVWA, p@ssw0rd<\/code><\/strong>. If you do set a different password, keep it as we will need it later.<\/p>\n\n\n\n

Download DVWA<\/h3>\n\n\n\n

DVWA is available either as a package that will run on your own web server or as a Live CD. In this guide, we are going to use DVWA package.<\/p>\n\n\n\n

We are going to install DVWA in the Apache web root directory, \/var\/www\/html<\/code><\/strong>. Therefore you have to remove the default index.html<\/code> <\/strong>file.<\/p>\n\n\n\n

rm -r \/var\/www\/html\/index.html<\/pre>\n\n\n\n

Once that is done, clone the latest version of DVWA to some directory, say \/tmp<\/strong>, by running the command below:<\/p>\n\n\n\n

git clone https:\/\/github.com\/ethicalhack3r\/DVWA \/tmp\/DVWA<\/pre>\n\n\n\n

The required DVWA source code files are now available under \/tmp\/DVWA<\/strong>. You need to move or copy these files to Apache default web root directory as shown below.<\/p>\n\n\n\n

rsync -avP \/tmp\/DVWA\/ \/var\/www\/html\/<\/pre>\n\n\n\n

You can now verify that all the DVWA source code files are under the Apache Web root directory.<\/p>\n\n\n\n

ls \/var\/www\/html\/\nabout.php     config       docs  external     hackable     index.php         login.php   phpinfo.php  README.md   security.php  vulnerabilities\nCHANGELOG.md  COPYING.txt  dvwa  favicon.ico  ids_log.php  instructions.php  logout.php  php.ini      robots.txt  setup.php<\/pre>\n\n\n\n

Configure DVWA on Ubuntu 18.04<\/h3>\n\n\n\n

Set Database connection details<\/h4>\n\n\n\n

Next, we are going to configure the DVWA database connection details. You will notice that the DVWA configuration file is named \/var\/www\/html\/config\/config.inc.php.dist<\/code><\/strong>. Therefore, copy this configuration file to \/var\/www\/html\/config\/config.inc.php<\/code><\/strong>.<\/p>\n\n\n\n

cp \/var\/www\/html\/config\/config.inc.php.dist \/var\/www\/html\/config\/config.inc.php<\/pre>\n\n\n\n

If you set a different MySQL password, edit the configuration file, \/var\/www\/html\/config\/config.inc.php<\/code><\/strong>, find the line $_DVWA[ 'db_password' ] = 'p@ssw0rd';<\/strong><\/code> <\/strong>and replace 'p@ssw0rd'<\/strong><\/code><\/strong> with your new password. For example, if you set your root password to NewP@SSw0rd<\/strong>, your configuration should look as shown below:<\/p>\n\n\n\n

vim \/var\/www\/html\/config\/config.inc.php<\/pre>\n\n\n\n
...\n# If you are using MariaDB then you cannot use root, you must use create a dedicated DVWA user.\n#   See README.md for more information on this.\n$_DVWA = array();\n$_DVWA[ 'db_server' ]   = '127.0.0.1';\n$_DVWA[ 'db_database' ] = 'dvwa';\n$_DVWA[ 'db_user' ]     = 'root';\n$_DVWA[ 'db_password' ] = 'NewP@SSw0rd';\n...<\/pre>\n\n\n\n

Note, if you are using MariaDB rather than MySQL, you can’t use the database root user and therefore you must create a new database and the database user using the commands below;<\/p>\n\n\n\n

mysql> create database dvwa;\nmysql> grant all on dvwa.* to dvwa@localhost identified by 'STRONGP@SSW0rd';\nmysql> flush privileges;\nmysql> quit<\/pre>\n\n\n\n

Once you are done creating the dvwa database user, edit the DVWA configuration and adjust the database settings so that your configuration looks like this:<\/p>\n\n\n\n

...\n$_DVWA[ 'db_server' ] = '127.0.0.1';\n$_DVWA[ 'db_database' ] = 'dvwa';\n$_DVWA[ 'db_user' ] = 'dvwa';\n$_DVWA[ 'db_password' ] = 'STRONGP@SSW0rd';\n...<\/pre>\n\n\n\n

Save the configuration file and restart MySQL.<\/p>\n\n\n\n

systemctl restart mysql<\/pre>\n\n\n\n

Configure PHP<\/h4>\n\n\n\n

The version of PHP installed in our case here is 7.2.<\/p>\n\n\n\n

php -v\nPHP 7.2.10-0ubuntu0.18.04.1 (cli) (built: Sep 13 2018 13:45:02) ( NTS )<\/pre>\n\n\n\n

Now edit the file, \/etc\/php\/7.2\/apache2\/php.ini<\/strong><\/code><\/strong> and make the following changes.<\/p>\n\n\n\n