DVWA is a lab system for studying the common security flaws of web applications. In the following guide we install DVWA on a Linux machine running Fedora 14. Besides installing it yourself to understand DVWA better, you can download prebuilt images and practise on a virtual machine without any installation, or install it on a Windows machine (adding the AppServer package is enough).
- What is Damn Vulnerable Web App (DVWA)?
- Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
- Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
- Pre-Requisite Lab
- Fedora: Lesson 1: Installing Fedora 14
- Note: Only required if you don't already have a Fedora instance.
- Lab Notes
- In this lab we will do the following:
- Install Apache Webserver
- Install Mysql Server
- Install PHP
- Install and Configure DVWA
- Legal Disclaimer
This lab is for educational purposes only.
Section 1. Configure Fedora14 Virtual Machine Settings
- Open Your VMware Player
- Instructions:
- On Your Host Computer, Go To
- Start --> All Program --> VMWare --> VMWare Player
- Edit Fedora14 Virtual Machine Settings
- Instructions:
- Highlight fedora14
- Click Edit virtual machine settings
- Edit Network Adapter
- Instructions:
- Highlight Network Adapter
- Select Bridged
- Click on the OK Button.
Section 2. Login to Fedora14
- Start Fedora14 VM Instance
- Instructions:
- Start Up VMWare Player
- Select Fedora14
- Play virtual machine
- Login to Fedora14
- Instructions:
- Login: student
- Password: <whatever you set it to>.
Section 3. Open Console Terminal and Retrieve IP Address
- Start a Terminal Console
- Instructions:
- Applications --> Terminal
- Switch user to root
- Instructions:
- su - root
- <Whatever you set the root password to>
- Get IP Address
- Instructions:
- ifconfig -a
- Notes:
- As indicated below, my IP address is 192.168.1.116.
- Please record your IP address.
Section 4. Install Apache httpd Server
- Download httpd
- Instructions:
- yum install httpd.i686
- y
- Start Apache
- Instructions:
- service httpd start
- This starts up the Apache Listening Daemon
- ps -eaf | grep httpd
- Check to make sure Apache is running.
- chkconfig --level 2345 httpd on
- Create Start up script for run levels 2, 3, 4 and 5.
- Configure Firewall
- Instructions:
- System --> Administration --> Firewall
- Firewall Configuration Startup
- Instructions:
- Click the Close button
- Authenticate
- Instructions:
- Supply the root password
- Click Authenticate
- Turn On WWW
- Instructions:
- Click the WWW Check Box
- Click the Apply Button
- Override Settings
- Instructions:
- Click Yes
Section 5. Install mysql and mysql-server
- Install mysql
- Instructions:
- yum install mysql.i686
- y
- Install mysql-server
- Instructions:
- yum install mysql-server
- y
- Start Up mysqld
- Instructions:
- service mysqld start
- Enable mysqld at Boot and Set the Root Password
- Instructions:
- chkconfig --level 2345 mysqld on
- Creates the start up scripts for run level 2, 3, 4 and 5.
- mysqladmin -u root password dvwaPASSWORD
- Sets the mysql root password to "dvwaPASSWORD"
- Login to mysql and create dvwa database
- Instructions:
- mysql -uroot -p
- dvwaPASSWORD
- create database dvwa;
- quit
Section 6. Install PHP
- Install PHP
- Instructions:
- yum install php.i686
- y
- Install php-mysql
- Instructions:
- yum install php-mysql
- y
- Install php-pear
- Instructions:
- yum install php-pear php-pear-DB
- y
Section 7. Install wget
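The package, service and database steps of Sections 4 to 7 can be scripted instead of typed one at a time. The script below is an added example, not part of the original lesson: it installs the same packages and enables the same services, and in addition creates a dedicated MySQL account confined to the dvwa database, so that the web application does not have to be configured with the MySQL root password as the lesson does. The account name "dvwa", both passwords and the iptables line (assumed as the command-line equivalent of the Firewall GUI step) are constructed for this example; the privileged steps only run when the script is invoked with --run.

```shell
#!/bin/sh
# Added example, not part of the original lesson: the package, service and
# database steps of Sections 4-7 as one non-interactive script for Fedora 14,
# plus a dedicated least-privilege MySQL account for DVWA in place of the
# MySQL root account the lesson wires into config.inc.php.
# Package/service names are the lesson's; the "dvwa" account, both passwords
# and the iptables line are constructed/assumed, not from the lesson.
set -eu

# Accept only [A-Za-z0-9_] for anything interpolated into SQL below, so a
# value can never close the surrounding quotes.
safe_token() {
    case "$1" in
        ""|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit the SQL for the DVWA database and an account confined to it.
# setup.php drops and recreates the schema, so CREATE/DROP on dvwa.* are
# needed; nothing on *.* is granted.
dvwa_db_bootstrap_sql() {
    db="$1"; user="$2"; pass="$3"
    safe_token "$db" && safe_token "$user" && safe_token "$pass" || return 1
    printf '%s\n' \
        "CREATE DATABASE IF NOT EXISTS \`$db\`;" \
        "CREATE USER '$user'@'localhost' IDENTIFIED BY '$pass';" \
        "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON \`$db\`.* TO '$user'@'localhost';" \
        "FLUSH PRIVILEGES;"
}

# Sections 4-7: packages, services at boot, and port 80 through the firewall
# (assumed CLI equivalent of the Firewall GUI step). Must run as root.
install_stack() {
    yum -y install httpd mysql mysql-server php php-mysql php-pear php-pear-DB wget
    service httpd start
    service mysqld start
    chkconfig --level 2345 httpd on
    chkconfig --level 2345 mysqld on
    iptables -I INPUT -p tcp --dport 80 -j ACCEPT
    service iptables save
}

# Section 5: root password, then the database and app account.
# Passing -p on the command line shows the password in `ps` to other local
# users (the lesson does the same); acceptable only on a throwaway lab VM.
configure_db() {
    root_pass="$1"; app_pass="$2"
    mysqladmin -u root password "$root_pass"
    dvwa_db_bootstrap_sql dvwa dvwa "$app_pass" | mysql -u root -p"$root_pass"
}

# Privileged steps only run when asked for: sh install-dvwa-stack.sh --run
if [ "${1:-}" = "--run" ]; then
    install_stack
    configure_db "dvwaPASSWORD" "CHANGE_ME_app_password"
    echo "Now set db_user=dvwa and db_password in /var/www/html/dvwa/config/config.inc.php"
fi
```

With the dedicated account in place, the db_user and db_password entries in config.inc.php (Section 8) point at "dvwa" and its password rather than at root, which limits what an exploited DVWA instance can reach inside MySQL.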
- Install wget
- Instructions:
- yum install wget
- y
Section 8. Install Damn Vulnerable Web App (DVWA)
- Download DVWA
- Note(FYI):
- DVWA-1.0.7.zip is an older version. ComputerSecurityStudent provides this zip file, since it is no longer available at google source.
- The most recent version can be found at http://www.dvwa.co.uk/
- Instructions:
- cd /var/www/html
- wget http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson1/DVWA-1.0.7.zip
- Grab the DVWA-1.0.7 application.
- Remember to download the zip file from computersecuritystudent and not googlecode.
- ls -l | grep DVWA
- Confirm DVWA-1.0.7.zip was downloaded
- Unzip Package
- Instructions:
- unzip DVWA-1.0.7.zip
- Remove Zip File
- Instructions:
- ls -lrta
- rm DVWA-1.0.7.zip
- y
- Configure config.inc.php
- Instructions:
- cd /var/www/html/dvwa/config
- This is the configuration directory for DVWA.
- cp config.inc.php config.inc.php.BKP
- Make Backup copy
- chmod 000 config.inc.php.BKP
- Remove Permissions to the Backup Copy
- vi config.inc.php
- This is the configuration file for DVWA that handles the database communication from the Web App.
- Configure config.inc.php
- Instructions:
- Arrow down to the line that contains db_password
- Arrow right and place your cursor on the second single quote
- Press "i"
- This puts the vi editor into INSERT mode.
- Type "dvwaPASSWORD"
- Press <Esc>
- This takes the vi editor out of INSERT mode.
- Type ":wq!"
- This saves the config.inc.php file.
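The vi steps above set a single value in config.inc.php; the same edit can be done non-interactively and then checked. The script below is an added example and not part of the original lesson: it backs the file up with the lesson's chmod 000, rewrites the db_password value with sed, refuses characters that would break out of the PHP single quotes, and reads the value back so the change can be verified. The sample config written by demo() is constructed to match the line shape DVWA 1.0.7 ships, not the real file under /var/www/html.

```shell
#!/bin/sh
# Added example, not part of the original lesson: the config.inc.php edit of
# Section 8 done non-interactively (sed instead of vi) and then verified.
# The line shape  $_DVWA[ 'db_password' ] = '';  is the one DVWA 1.0.7 ships;
# the sample config written by demo() is constructed here, not the real file.
set -eu

# Set db_password in a DVWA config.inc.php. Keeps a backup nobody can read
# (the lesson's chmod 000 on the .BKP copy) and refuses characters that would
# break out of the PHP single quotes or confuse the sed expression.
set_db_password() {
    cfg="$1"; pass="$2"
    case "$pass" in
        ""|*[!A-Za-z0-9_.@%+=:-]*)
            echo "refusing password with characters outside [A-Za-z0-9_.@%+=:-]" >&2
            return 1 ;;
    esac
    cp -p "$cfg" "$cfg.BKP"
    chmod 000 "$cfg.BKP"
    # \1 is everything up to and including the opening quote of the value
    sed -i "s/\(_DVWA\[ *'db_password' *\] *= *'\)[^']*'/\1$pass'/" "$cfg"
}

# Print the configured db_password (empty output if the line is missing).
get_db_password() {
    sed -n "s/^.*_DVWA\[ *'db_password' *\] *= *'\([^']*\)'.*/\1/p" "$1"
}

# True when db_password is no longer the empty default.
db_password_is_set() {
    [ -n "$(get_db_password "$1")" ]
}

# Walk-through on a constructed copy of the shipped config.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/config.inc.php" <<'EOF'
<?php
$_DVWA = array();
$_DVWA[ 'db_server' ]   = 'localhost';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'root';
$_DVWA[ 'db_password' ] = '';
?>
EOF
    set_db_password "$dir/config.inc.php" "dvwaPASSWORD"
    get_db_password "$dir/config.inc.php"   # dvwaPASSWORD
    ls -l "$dir/config.inc.php.BKP"         # mode ---------- on the backup
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo to see the edit on the constructed file, or call set_db_password directly on /var/www/html/dvwa/config/config.inc.php as root. The db_password_is_set check is the one to keep: an empty db_password means the lesson's edit did not land and setup.php will fail to reach MySQL.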
- Restart Apache
- Instructions:
- service httpd restart
- Restart Apache
- ps -eaf | grep -v grep | grep httpd
- Make sure Apache is running.
- Start up a Web Browser
- Instructions:
- Applications --> Internet --> Firefox
- Notes:
- At this point, you can start up a web browser on any computer on your network (Windows, Mac, Whatever you want).
- DVWA Database setup
- Instructions:
- http://192.168.1.116/dvwa/setup.php
- Replace 192.168.1.116 with the IP Address obtained from Section 3, Step 3.
- Click the Create / Reset Database button
- DVWA Creation Messages
- Instructions:
- You should see the below database created, data inserted, and setup successful messages.
- Click on Logout
- Login to DVWA
- Instructions:
- Username: admin
- Password: password
- Welcome to DVWA
- Informational (FYI):
- Click Here for subsequent lessons.
Section 9. Proof of Lab
- Proof of Lab
- Instructions:
- echo "select user,password from dvwa.users;" | mysql -uroot -pdvwaPASSWORD
- date
- echo "An Toàn Thông Tin"
- Replace the string "Your Name" with your actual name.
- e.g., echo "EDU VN"
- Proof of Lab Instructions:
- Do a PrtScn
- Paste into a word document
- Email to AnToanThongTin.Edu.VN@Gmail.Com