
Original link: https://blog.g0tmi1k.com/dvwa/index/

This is a SERIES of blog posts, which will all relate to one another, but will take time.

I'm publishing as I go, but will come back and edit them in places at a later date - as well as adding in videos.

Best to check back when there is the "Undocumented" Bugs/Vulnerabilities post (that will be the last post!) ;-).


The following posts will demonstrate various environments, scenarios and setups. This will cover a mixture of Operating Systems (Linux & Windows), a range of web servers (Apache, Nginx & IIS), different versions of PHP (v5.4 & v5.6), databases (MySQL & MariaDB) as well as user permissions (inside the services and also the accounts running those services on the OS itself). DVWA also comes with an (outdated) Web Application Firewall (WAF) called PHP-IDS, which has issues of its own! Lastly, there are "undocumented" vulnerabilities in DVWA's core which are either hidden bugs and/or unintended issues...


Note: This list will be updated with links, over the next few weeks - once they have been published!

  • Login - HTTP POST form brute force with CSRF token
  • Brute Force
  • Command Injection (RCE)
  • Cross-Site Request Forgery (CSRF)
    • Low (CSRF)
    • Medium (Referer header check. Links with XSS module)
    • High (Anti-CSRF token used. Links with XSS module)
    • Impossible
    • PHPIDS (WAF)
  • File Inclusion (LFI/RFI)
    • Low (LFI & RFI)
    • Medium (Blacklisting patterns)
    • High (Whitelisting with wildcards)
    • Impossible
    • PHPIDS (WAF)
  • File Upload (FU)
    • Low (File Upload)
    • Medium (Spoofed upload type)
    • High (Merged image. Links with LFI module)
    • Impossible
    • PHPIDS (WAF)
  • Insecure CAPTCHA
    • Low (CAPTCHA bypass)
    • Medium (CAPTCHA bypass by using an extra field)
    • High (Hardcoded/debug values)
    • Impossible
    • PHPIDS (WAF)
  • SQL Injection (SQLi)
    • Low (SQLi)
    • Medium (mysql_real_escape_string bypass - unable to use single/double quotes. POST requests in a dropdown menu)
    • High (SQLi in SESSION carried over from another page)
    • Impossible
    • PHPIDS (WAF)
  • SQL Injection (SQLi) Blind
    • Low (SQLi)
    • Medium (mysql_real_escape_string bypass - unable to use single/double quotes. POST requests in a dropdown menu)
    • High (SQLi in cookie value)
    • Impossible
    • PHPIDS (WAF)
  • Cross Site Scripting (XSS) Reflected
    • Low (XSS)
    • Medium (XSS filter to remove <script>)
    • High (XSS filter to remove <*s*c*r*i*p*t)
    • Impossible
    • PHPIDS (WAF)
    • Phishing
  • Cross Site Scripting (XSS) Stored
    • Low (XSS)
    • Medium (XSS filter to remove <script>. Limited input size)
    • High (XSS filter to remove <*s*c*r*i*p*t. Limited input size)
    • Impossible
    • PHPIDS (WAF)
    • Phishing
  • "Undocumented" Vulnerabilities

Targets

Going to use a mixture of targets:

  • 4x Operating Systems (Arch Linux, Raspbian Jessie, Windows Server 2012 & Windows XP)
  • 2x Apaches (One Windows & One Linux)
  • 2x Windows (One Apache & One IIS)
  • 2x Linux (One Apache & One Nginx)
  • 2x Raspberry Pis "B" (One v1 & One v2)
  • 2x Virtual Machines

192.168.1.11 (aka: ArchPi)

  • Machine: Raspberry Pi v1 "B"
  • Web Server: Nginx v1.8.0 (as "httpd")
  • Server Side Scripting: PHP v5.6.14
  • Database: MariaDB v10.0.21
  • OS: Arch Linux 2015.10.01 / Linux archpi 4.1.9-1-ARCH #1 PREEMPT Thu Oct 1 19:15:46 MDT 2015 armv6l GNU/Linux

192.168.1.22 (aka: Raspbian)

  • Machine: Raspberry Pi v2 "B"
  • Web Server: Apache v2.4.10 (as "www-data")
  • Server Side Scripting: PHP v5.6.13
  • Database: MySQL v5.5.44
  • OS: Raspbian Jessie September 2015 / Linux raspberrypi 4.1.7-v7+ #817 SMP PREEMPT Sat Sep 19 15:32:00 BST 2015 armv7l GNU/Linux

192.168.1.33 (aka: XAMPP)

  • Machine: VM - 512MB / 1 CPU
  • Web Server: Apache v2.4.10 (as "SYSTEM")
  • Server Side Scripting: PHP v5.4.31 (display_errors enabled by default)
  • Database: MySQL v5.5.39
  • OS: Windows XP Professional SP3 ENG x86 (Using XAMPP v1.8.2 package)

192.168.1.44 (aka: IIS)

  • Machine: VM - 2GB / 1 CPU
  • Web Server: IIS v8.0 (as "NT AUTHORITY\IUSR")
  • Server Side Scripting: PHP v5.6.0
  • Database: MySQL v5.5.45
  • OS: Windows Server 2012 ENG x64
