Posted

So I have been looking to start getting into hacking and recently I decided that now is the time and I decided to try and start with DVWA. I installed Windows XP into a VM as well as BT5 (this is R2, I have recently updated). I installed XAMPP on my XP machine, extracted DVWA into the htdocs directory, started the Apache and SQL servers, discovered my IP and entered it into my BackTrack web browser. I can see the Apache web server but I am unable to see DVWA as I should. Instead, I am only able to see thumbs.db. Is anyone familiar with DVWA that can help me out? I greatly appreciate all help :)

Here is a link to a post I made on the DVWA code.google page. I included screenshots in the post.

http://code.google.com/p/dvwa/issues/detail?id=22

Posted

If using XAMPP, run the little bat script to install everything, and make sure Apache, MySQL, and PHP are started. Then from the BackTrack machine, go to http://x.x.x.x where x.x.x.x is the IP of the XP machine. On the XP machine, you should have an icon in the bottom right corner telling you what part of XAMPP is running, such as Apache, PHP, etc. You also need to configure the Apache conf for the port Apache will run on, which might not be set to 80 as default. I haven't run XAMPP in years, but get that working first, before worrying about DVWA. There are also premade virtual machines, as far as I know, that have stuff like Mutillidae and DVWA already installed in them; you just have to google for them.

Posted

The default port is 80, I just double checked the conf file for Apache. I have the Apache server and MySQL server running (I included screenshots in the link), I also went to http://192.168.17.130, which is the IP of the XP machine. You can see in the SS the information listed from the Apache web server w/ PHP version, IP address and port number. From what I can tell everything is set up correctly and according to the DVWA setup guide I should be up and running. The issue I seem to be having is that I cannot see DVWA in the web server, even though I have it in the correct directory.

Thank you for the advice, I'll continue to look into this and see if I can get it working.

I will also look into getting a VM that already contains XAMPP and DVWA. Perhaps I am missing something, but I can't figure out what I am doing wrong.

Thanks again for the info.

Posted

Yes I have and I receive an error. When I enter this as a URL I receive the error:

Access forbidden!

You don't have permission to access the requested object. It is either read-protected or not readable by the server.

If you think this is a server error, please contact the webmaster.
Error 403

Posted

So tried to access the Apache server via the XP machine and I can see the DVWA folder present when I do this. Going to 127.0.0.1 shows the dvwa folder. I am stumped as to why it is not showing up in my BT5 R3 VM. I have Windows Firewall disabled on the XP machine, this doesn't seem to be helping.

Posted

Is it htaccessed off, phpmyadmin locked out, htpasswd locked, something disabled?

Try putting an htaccess file in the root of the site and add the following (Windows doesn't like saving htaccess files as .htaccess, so use something like Notepad++ to save it as .htaccess and make sure it doesn't end in .txt, so no htaccess.txt file; it has to be .htaccess just like that). Also, check your phpmyadmin settings to see if indexing is disabled or what settings it set up for you, and read your conf file to see that .htaccess overrides are allowed.

Options All Indexes
IndexOptions FancyIndexing

That should make reading all directories capable with file listings of any directory that doesn't have an index.html file, basically making things even weaker. Normally, you would NOT do this on a real site. For security reasons in your case though, it's not a big deal.

On a production site you would make it to keep people from browsing indexes and returning a 403.

Options All -Indexes

Posted (edited)

Well, saving the file as .htaccess was the easy part. I changed the save type to "All Types" and it let me save as .htaccess with no issues.

I can see exactly what you are saying I should see within the apache conf file.

<Directory "C:/xampp/htdocs">

Options Indexes FollowSymLinks Includes ExecCGI
Options All Indexes
IndexOptions FancyIndexing

AllowOverride All

Require all granted

(Having the lines in .htaccess didn't seem to change anything (server root is C:/xampp/apache (default)); the override line was present by default.)

I still cannot see the DVWA folder within my Apache web server. I have verified the file is in the correct location of the folder and I know it works because I can view the file from the Apache web server, but only from the XP machine.

There is a line in the conf file that I am wondering about, I will tinker with it and see if it helps.

<Files ".ht*">
Require all denied (does this need to be granted?)
</Files>

Still baffled by this... I just can't figure it out :/

Edit: tried changing the Require all denied line to Require all granted. This changed nothing. I should also add that I can verify that the fancy indexing is working within Apache, as when I add the lines to the .conf file the layout of my Apache web server changes slightly. As stated earlier though, a .htaccess file in the root directory for the server does not yield any effect.

Also, I found this in the .conf file.

# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.

Does this mean I need to specifically name the dvwa folder in order for it to show?

Edited by Saelani
Posted

WOW, this is ridiculous. So it turns out in C:/xampp/htdocs/dvwa there is a .htaccess file. In this .htaccess file you will find:

# Limit access to localhost
<Limit GET POST PUT>
order deny,allow
deny from all
allow from 127.0.0.1
</Limit>

I think I just found the problem... Thanks for your help digip!

It turns out the issue was so simple it went under the radar. Boy do I feel stupid for not checking for that sooner.

Thanks again digip! I really appreciate all the effort you put in to help me out! I owe ya :)
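
Added example, not part of the original posts: the 403 above came from a `.htaccess` one directory deeper than the one being edited, so this Python sketch walks every directory between the docroot and the requested path and lists the access-control directives it finds. The function names and the sample tree are assumptions constructed for illustration; the file contents mirror the ones quoted in the thread.

```python
import os
import re
import tempfile

# Directives that restrict who may fetch a directory (Apache 2.2 and 2.4 styles).
ACCESS_RE = re.compile(
    r"^\s*(order|deny\s+from|allow\s+from|require)\b.*$", re.IGNORECASE)

def find_access_rules(docroot, url_path):
    """Walk from docroot down url_path; return (htaccess_path, directive) pairs."""
    hits = []
    current = docroot
    parts = [p for p in url_path.strip("/").split("/") if p]
    for part in [None] + parts:          # None = the docroot itself
        if part is not None:
            current = os.path.join(current, part)
        candidate = os.path.join(current, ".htaccess")
        if not os.path.isfile(candidate):
            continue
        with open(candidate, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                if line.lstrip().startswith("#"):
                    continue             # skip comments
                if ACCESS_RE.match(line):
                    hits.append((candidate, " ".join(line.split())))
    return hits

def build_sample_tree(root):
    """Constructed sample mirroring the thread: permissive root, restrictive dvwa/."""
    os.makedirs(os.path.join(root, "dvwa"))
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("Options All Indexes\nIndexOptions FancyIndexing\n")
    with open(os.path.join(root, "dvwa", ".htaccess"), "w") as fh:
        fh.write("# Limit access to localhost\n<Limit GET POST PUT>\n"
                 "order deny,allow\ndeny from all\nallow from 127.0.0.1\n</Limit>\n")

def demo():
    """Run the scan over the constructed tree; paths are relative to the docroot."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(os.path.relpath(p, root).replace(os.sep, "/"), d)
                for p, d in find_access_rules(root, "/dvwa/")]

if __name__ == "__main__":
    for path, directive in demo():
        print(f"{path}: {directive}")
```

On the setup described in the thread, the docroot argument would be C:/xampp/htdocs and the request path /dvwa/.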

  • 9 months later...
Posted

Hello, I recently bought Josh Pauli's book "The Basics of Web Hacking". I have successfully installed BackTrack 5 r3 and now I'm trying to install DVWA. I have copied the script given by The Unl33t team (Travis Phillips), saved it as "DVWA_install.sh" and ran the command line "sh DVWA_install.sh". After execution the following link opens in firefox "http://127.0.0.1/login.php". Instead of the login page opening, I get the ever so popular 404 Not Found error.

Has the DVWA installation script changed in the meantime?

Posted

Hello, I recently bought Josh Pauli's book "The Basics of Web Hacking". I have successfully installed BackTrack 5 r3 and now I'm trying to install DVWA. I have copied the script given by The Unl33t team (Travis Phillips), saved it as "DVWA_install.sh" and ran the command line "sh DVWA_install.sh". After execution the following link opens in firefox "http://127.0.0.1/login.php". Instead of the login page opening, I get the ever so popular 404 Not Found error.

Has the DVWA installation script changed in the meantime?

Check the path DVWA is installed in. It may be in http://127.0.0.1/DVWA/login.php or just http://127.0.0.1/DVWA/

Posted

Thank you, digip. I noticed the link to download DVWA in the script I used was not correct. I can now access the login page, but I cannot log in with username = admin, password = password. According to the script as well as other websites this should be the login criteria, but something is not quite right.
