How to install OWASP Mutillidae II and Damn Vulnerable Web Application (DVWA) in Kali Linux
OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiasts. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMMP. With dozens of vulns and hints to help the user; this is an easy-to-use web hacking environment designed for labs, security enthusiast, classrooms, CTF, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web sec training courses, and as an "assess the assessor" target for vulnerability assessment software.
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
MySQL 5.7 has changed the security model: now login to MySQL under root requires sudo (the password can still be empty). With these settings, OWASP Mutillidae II and Damn Vulnerable Web Application (DVWA) will not work.
To access MySQL / MariaDB database as an ordinary user without using sudo privileges, go to the MySQL command prompt
sudo systemctl start mysql sudo mysql
and run the following commands:
use mysql; update user set plugin='' where User='root'; flush privileges; exit
Then restart the MySQL service:
sudo systemctl restart mysql.service
If you see empty pages when you open the browser, it means that you also need to switch from PHP 7.2 to PHP 7.3, as described in the article ‘Troubleshooting: Kali Linux web server shows blank pages’.
How to install OWASP Mutillidae II in Kali Linux
Create a file upd_mutillidae.sh:
and copy-paste the script into the created file:
#!/bin/bash sudo apt update sudo apt install php-xml php-fpm libapache2-mod-php php-mysql php-xml php-gd php-imap php-mysql php-gettext php-curl -y sudo a2enmod proxy_fcgi setenvif sudo systemctl restart apache2 sudo a2enconf php7.3-fpm sudo systemctl reload apache2 sudo systemctl restart apache2.service sudo service php7.3-fpm restart sudo systemctl restart mysql cd /tmp git clone https://github.com/webpwnized/mutillidae if [ $? -ne '0' ]; then exit 1 fi if [ -d "/var/www/html/mutillidae.backup" ]; then sudo rm -rf /var/www/html/mutillidae.backup fi if [ -d "/var/www/html/mutillidae" ]; then sudo mv /var/www/html/mutillidae /var/www/html/mutillidae.backup fi sudo mkdir /var/www/html/mutillidae sudo mv mutillidae*/* /var/www/html/mutillidae/ sudo chown -R www-data:www-data /var/www/html/mutillidae/ sudo rm -rf mutillidae* cd
Run the script:
sudo bash upd_mutillidae.sh
After the installation is completed, OWASP Mutillidae II is available at http://localhost/mutillidae/.
The first time you will see:
Click «setup/reset the DB» and wait for the database populating. Next in the popup just click on ‘ОК’:
Now you are ready to learn how to hack web sites:
In addition, you can use the above script for updating OWASP Mutillidae II after release of a new version.
The script started all necessary services. Before you can get access to Mutillidae you need to start the services again every time after system restart:
sudo systemctl start php7.3-fpm.service sudo systemctl start apache2.service sudo systemctl start mysql
How to install Damn Vulnerable Web Application (DVWA) in Kali Linux
Create a file upd_dvwa.sh:
and save the script into the created file:
#!/bin/bash sudo apt update sudo apt install php php-mysql php-gd -y sudo sed -i 's/allow_url_include = Off/allow_url_include = On/' /etc/php/7.3/apache2/php.ini sudo systemctl restart apache2 sudo systemctl restart mysql cd /tmp git clone https://github.com/ethicalhack3r/DVWA.git if [ -d "/var/www/html/dvwa.backup" ]; then sudo rm -rf /var/www/html/dvwa.backup fi if [ -d "/var/www/html/dvwa" ]; then sudo mv /var/www/html/dvwa /var/www/html/dvwa.backup fi sudo mkdir /var/www/html/dvwa sudo mv DVWA*/* /var/www/html/dvwa/ sudo chown -R www-data:www-data /var/www/html/dvwa/ sudo rm -rf DVWA* sudo mv /var/www/html/dvwa/config/config.inc.php.dist /var/www/html/dvwa/config/config.inc.php sudo sed -i 's/p@ssw0rd//' /var/www/html/dvwa/config/config.inc.php cd
Run the script:
sudo bash upd_dvwa.sh
Now DVWA installation is available at http://localhost/dvwa/
Inside DVWA go to Setup / Reset DB and click on the 'Create / Reset Database' button.
You also can use the above script for updating DVWA after release of a new version.
After reboot Kali Linux, before you can reach DVWA, do not forget to start Apache and MySQL services.
If you have changed MySQL password (there is no password by default), tune the corresponding files:
- /var/www/html/mutillidae/classes/MySQLHandler.php (for Mutillidae)
- /var/www/html/dvwa/config/config.inc.php (for DVWA)
- How to upgrade OWASP Mutillidae II to the latest release in Samurai Web Testing Framework or Web Security Dojo (SOLVED) (79.3%)
- How to upgrade Damn Vulnerable Web Application (DVWA) to the latest release in Samurai Web Testing Framework or Web Security Dojo (SOLVED) (69.6%)
- Hacking websites training in Windows (69.6%)
- Kali Linux Rolling post install tips (51.2%)
- How to install and run VLC, Google Chrome, and Chromium on Kali Linux (51.2%)
- How to run Armitage in Arch Linux and BlackArch (RANDOM - 50%)