A, DVWA download
Download: https: //github.com/ethicalhack3r/DVWA
Two, DVWA installation
Before installation, a preparatory work needs to be done, let's do a PHP + Mysql environment to build.
1, download, install, start phpstudy (www.phpstudy.net).
phpStudy is a PHP program integrated debugging environment package. We can just use "PHP + Mysql + Apache".
2, unzip the downloaded DVWA to the next phpstudy website root directory.
For example: I unpacked this path is the "F: \ phpStudy \ WWW \ DVWA \".
3, the config.inc.php.dist copy command or weight the config.inc.php ;
For example: My profile path is "F: \ phpStudy \ WWW \ DVWA \ config".
4, in the code modify config.inc.php follows:
$_DVWA[ 'db_server' ] = '127.0.0.1'; #数据库地址
$_DVWA[ 'db_database' ] = 'dvwa'; #数据库名称 $_DVWA[ 'db_user' ] = 'root'; #数据库用户名 $_DVWA[ 'db_password' ] = 'root'; #数据库密码Because phpstudy default mysql database address "127.0.0.1 or localhost", user name and password are "root". The main modification is ' db_password ' as root , is very important here, modified naturally need to save the file, it goes without saying I believe we all know.
Three, DVWA use
In fact, using nothing more to say, but also very simple, only the following steps:
1, a database set or reset
Browser only needs to directly open "http://127.0.0.1/dvwa/setup.php" can be! If there are "red label" prompt, you might want to open some modules or do some settings, some of which are not otherwise test, for example: a file that contains the file upload vulnerability.
2, landing
Browser opens "http://127.0.0.1/dvwa/login.php" landing. The default user name: ADMIN , default password: password ;
3. Set the security level program
Browser opens "http://127.0.0.1/dvwa/security.php" do set, respectively, are "low, medium, high, impossible", the lower the security level of the program, the more likely explanation is compromised, do not do anything security. The main challenge is to self-program different levels of protection level!
Summary: The figure is my local browser to open renderings, you can clearly see DVWA contains the following specific vulnerabilities: brute force, command injection, CSRF, the file contains, upload files, code, SQL ordinary injection, SQL blind Note, weak session, XSS, security policy (CSP) bypass, JavaScript attacks.
There are a lot of people will ask: I opened the interface is in English? Why is your Chinese? Of course I use the Google browser to open, Google is the browser that comes with translation. understand? Translation may not be accurate for many newcomers might be misled literally. But for me, as long as there is a general sense, I can really understand what it refers to is, what it is to express the. So: we still must first have a foundation, look at documents in English on their own is better.
Original Address: https://www.fujieace.com/penetration-test/dvwa.html