In this lab I am going to use a software application used in website security testing/teaching called Damn Vulnerable Web App (DVWA), which I read is a dynamic website (the content of each page is pulled out of a MySQL database using the server-side scripting language PHP) with deliberately open vulnerabilities to teach web developers/students about the threats to web applications.
Exercise 1: Installing XAMPP
I am going to install the local web server XAMPP on my server VM. But before I did that I removed the network adapter of the client VM and added a new network adapter, making sure that it used the VMXNET3 adapter type. However, after creating this new network adapter (and starting up then logging into the server VM) I could not log into my client with the CLASSROOM\Administrator account. I tried restarting the VMs and reverting all my VMs to the ‘Final snapshot’ snapshot. However, I still could not log into the client with this account. So I decided to log into the client VM using the local admin account CLIENT\Admin and re-add the client VM to the classroom.local domain.
To do this on the client I went to File Explorer -> ‘Computer’ tab -> System Properties.
Then I selected the “Change” button in the dialog window that appeared, ticked the Workgroup radio button, wrote in the name “workgroup” and clicked “OK”; a window appeared asking for the client to be restarted, which I did.
Then when I logged back into the client VM with the CLIENT\Administrator account I went back to the Computer Name/Domain Changes window, selected the ‘Domain’ radio button, wrote in the name ‘classroom.local’ (as you can see in the below screenshot) and then clicked “OK”.
When the restart window appeared I selected to restart the client VM and I found I could then log in with the CLASSROOM\Administrator account. So now that I have set up my client VM so I can log in with the classroom.local account, I can install XAMPP on the server VM. I am familiar with using XAMPP from my WEB601 class.
I logged into the server VM with the account CLASSROOM\Administrator and then in Server Manager I went to Tools->Services.
Then I right-clicked on World Wide Web Publishing Service and selected ‘Properties’.
In the resulting dialog box I disabled World Wide Web Publishing Service (by selecting Disabled from the drop-down box for Startup type) and stopped the service (by clicking the ‘Stop’ button). Then I clicked ‘OK’.
Then I went to Change User Account Control settings from the Start menu. I then changed the UAC setting so I am never notified about changes to my server.
Then in the c:\GTSLABS folder I clicked on the XAMPP installer file.
A warning dialog box about User Account Control appeared and I clicked “OK”.
I then went through the installation process and unticked the XAMPP components FileZilla FTP Server, Mercury Mail Server and Tomcat.
I then went through the rest of the installation process (keeping the default installation folder), and when the XAMPP Control Panel appeared I started the Apache and MySQL servers. I know these services are now running because Apache and MySQL are highlighted green.
I could see that Apache uses ports 80 and 443, whereas MySQL uses port 3306.
Exercise 2: Installing DVWA
I will now install the PHP and MySQL files of the DVWA on the XAMPP server so I can access the DVWA from the client.
I will then configure the Windows Firewall, allowing the hosts in my virtual network to access the XAMPP server.
I extracted all the contents of the DVWA-1.0.8 folder from inside my c:\GTSLABS folder to the c:\xampp\htdocs folder.
Then in the c:\xampp\htdocs folder I renamed the ‘DVWA-1.0.8’ folder to ‘DVWA’.
Then I opened the config.inc.php file inside the c:\xampp\htdocs\dvwa\config folder.
When a message appeared asking me to choose an app to open this file, I selected Notepad.
And I found the line setting the default password of the DVWA to p@ssw0rd.
And I deleted the password so there is now no password required in order to access the DVWA.
I now have to create a new firewall inbound rule to allow hosts in the network to access the DVWA.
To do this I went to Windows Firewall with Advanced Security -> Inbound Rules and clicked to add a new rule. I specified to set the rule on a port (as the below screenshot shows).
The port numbers I am going to let through the Windows Firewall are the Apache and MySQL ports 80, 443 and 3306. This will allow the client VM to access the web files stored in the htdocs folder in XAMPP (the folder which by default contains the web folders in XAMPP), which in this case is the DVWA files.
To ensure that these ports were allowing inbound traffic to the DVWA I made sure that ‘Allow the connection’ was set.
I also made sure that this firewall inbound rule was applied to the domain (all computers connected to the classroom.local domain), private and public networks, because the DVWA is supposed to simulate a vulnerable website, but even so it must still be open to hosts outside of the classroom.local network, and so I must open these ports to the public network as well.
I gave the firewall rule the name XAMPP.
So now I have a new inbound firewall rule called XAMPP.
I opened up a Run dialog and typed in the URL ‘http://server/dvwa’.
The login page of the DVWA appeared, except no database had been set up. To set the MySQL database up I clicked on the ‘here’ link.
I then had to add the http://server website to my list of trusted websites in Internet Explorer.
After doing so I was able to create a database by clicking on the ‘Create/Reset Database’ button, and as you can see in the below screenshot a MySQL database with users and guestbook tables has been created and filled.
I then logged into the DVWA website with the username ‘admin’ and the password ‘password’.
In the DVWA Security webpage I changed the vulnerability of the DVWA to ‘low’ which I submitted. This will make it easier for me to simulate an attack on the DVWA web application.
Exercise 3: Exploiting a command execution vulnerability
I will now use the DVWA command execution vulnerability to make the server hosting the DVWA perform a random command.
I clicked on the ‘Command Execution’ button in the DVWA website.
Then I typed the name ‘server’ into the IP address box and submitted it in order to get the DVWA command execution to ping the server VM it is running on. I noted that the approximate size of the packets is 32 bytes.
Then I wrote ‘-l 800 server’ into the IP address box and submitted this command, and I noticed that the packets were substantially larger than when I just typed ‘server’ into the IP address box. The packets for the ‘-l 800 server’ command were 800 bytes.
I then typed in ‘/?’ and this displayed a list of possible commands I can enter into the IP address box in the DVWA command execution page. These commands are also commands I can perform in the Command Processor. Many of the commands were regarding the ping syntax extensions, for example ping -t, which will not just ping four times but will continue to ping the host until you stop it by pressing Ctrl+C.
Then I entered the command ‘server | dir’; this showed the contents of the exec directory inside the c:\XAMPP\htdocs\dvwa\vulnerabilities folder. The reason why these files were shown is because the command execution page I am working on currently is the index.php file of the c:\XAMPP\htdocs\dvwa\vulnerabilities folder of the server, and so when I write in dir it shows the folders in the server around this web file.
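The three inputs above work because the submitted text is appended to a ping command line that a shell then parses. The following Python is an added example (not DVWA's own source, which is PHP) that models that concatenation pattern beside a hardened builder which allow-lists the host and hands ping an argument list with no shell; the ping options and the constant `LAB_INPUTS` are taken from the lab, `-n 4` assumes the Windows ping flag.

```python
import re
import subprocess

# The four values the lab submitted to DVWA's "IP address" box.
LAB_INPUTS = ["server", "-l 800 server", "/?", "server | dir"]


def vulnerable_command_line(target: str) -> str:
    """The injectable pattern (assumption: modelled on the low-security page,
    not DVWA's real code): the input is glued onto the command line and the
    shell interprets ping options, "/?" and the "| dir" pipeline as the lab saw."""
    return "ping " + target


# Allow-list: a bare hostname or dotted IPv4 only. The first character may not
# be "-" or "/" (ping options) and no whitespace or shell metacharacters
# (| & ; ` $ ( ) < >) are permitted anywhere.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$")


def ping_argv(target: str) -> list[str]:
    """Build ping's argv for an allow-listed target, or raise ValueError.

    -n 4 is the Windows count flag (Unix ping uses -c). Because the result is
    a list run with shell=False, even a value that somehow passed the regex
    would only ever be one argument to ping, never a second command."""
    if not HOST_RE.fullmatch(target):
        raise ValueError(f"rejected target: {target!r}")
    return ["ping", "-n", "4", target]


def run_ping(target: str) -> str:
    """Validate, then execute ping without a shell and with a timeout."""
    proc = subprocess.run(ping_argv(target), shell=False,
                          capture_output=True, text=True, timeout=30)
    return proc.stdout


def triage(inputs: list[str]) -> dict[str, str]:
    """Report whether the hardened builder accepts or rejects each input."""
    verdicts = {}
    for value in inputs:
        try:
            ping_argv(value)
            verdicts[value] = "accepted"
        except ValueError:
            verdicts[value] = "rejected"
    return verdicts


if __name__ == "__main__":
    for value in LAB_INPUTS:
        print(f"{value!r:16} shell line: {vulnerable_command_line(value)!r:24}"
              f" hardened: {triage([value])[value]}")
```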
Exercise 4: Exploiting a SQL injection vulnerability
Having worked with PHP and MySQL in WEB602 this will be an interesting task to see how at risk web applications are to SQL injection.
I clicked on the ‘SQL Injection’ button in DVWA.
Into the User ID text input box I submitted the number ‘2’, and a single user record from the users MySQL database appeared, that of the user Gordon Brown, who has the User ID of 2.
When I submitted the word ‘hello’ into the User ID textbox no data from the database was returned, as the below screenshot shows.
When I submitted a single quote symbol an error message appeared stating “You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1”. This tells us that the DVWA application is working by submitting a SELECT database query, and the value entered into the User ID box is the condition that SQL is searching for a match for in the database.
When I submitted “1' or '1'='1” into the User ID box all of the users in the users table (including the admin account) were displayed with their first and last names visible.
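The four results above (one row, no rows, a syntax error, every row) follow from the submitted value being spliced into the text of the SELECT statement. This added Python example (not DVWA's PHP) reproduces them against a constructed SQLite stand-in for the users table and contrasts the same inputs against a parameterised query, which is the fix; only the Gordon Brown row is from the lab, the other names are made up.

```python
import sqlite3

# Constructed stand-in for DVWA's users table (SQLite instead of MySQL, and
# only the columns the lab's screens showed). Row 2 is the record the
# exercise retrieved; the remaining names are invented.
USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Alice", "Example"),
    (4, "Bob", "Example"),
]

# The four values the lab submitted to the User ID box.
LAB_INPUTS = ["2", "hello", "'", "1' or '1'='1"]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return con


def lookup_concatenated(con, user_id):
    """The injectable pattern (assumption: modelled on the low-security page,
    not DVWA's own source). A quote in the input ends the string literal and
    the rest of the input is parsed as SQL, so 1' or '1'='1 matches every row."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    try:
        return con.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return f"SQL error: {exc}"  # what the lab saw for a lone quote


def lookup_parameterised(con, user_id):
    """Hardened: the value is bound as data and compared against user_id,
    never parsed, so quotes and OR clauses inside it change nothing."""
    return con.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


def compare(inputs):
    """Run each input through both lookups; returns {input: (vulnerable, hardened)}."""
    con = make_db()
    return {v: (lookup_concatenated(con, v), lookup_parameterised(con, v)) for v in inputs}


if __name__ == "__main__":
    for value, (vuln, safe) in compare(LAB_INPUTS).items():
        print(f"{value!r:16} concatenated  -> {vuln}\n{'':16} parameterised -> {safe}")
```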
Exercise 5: Exploiting a Cross site scripting vulnerability
I will now make the DVWA website perform a script that is not part of the PHP script it was originally built with.
I clicked on the ‘XSS Reflected’ button.
I then typed my name into the ‘What is your name’ text input box and submitted it. The text displayed was ‘Hello alex’; I am now making the DVWA application do something it was not created to do, display a hello message to me when I am not even listed in the users table.
Then I submitted the following text:
And a message from the webpage popped up. Again I am adding this code to the DVWA application, which is causing this web application to perform an action it was not built to do, in this case display a hello world message box.
I have now finished this lab. I have found it an interesting lab, especially seeing what a SQL injection can do to a website and how you can also use a cross-site scripting vulnerability to make a website do something it was not built to do in its original code.
I will now revert my VMs.