How to install OWASP Mutillidae II and Damn Vulnerable Web Application (DVWA) in Kali Linux

OWASP Mutillidae II is a free, open source, deliberately vulnerable web application that provides a target for web-security enthusiasts. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, or XAMPP. With dozens of vulnerabilities and hints to help the user, it is an easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTFs, and as a target for vulnerability assessment tools. Mutillidae has been used in graduate security courses, corporate web security training courses, and as an "assess the assessor" target for vulnerability assessment software.

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the processes of securing web applications, and to aid teachers and students in teaching and learning web application security in a classroom environment.

Preparation

MySQL 5.7 changed its security model: logging in to MySQL as root now requires sudo (the password may still be empty). With these defaults, OWASP Mutillidae II and Damn Vulnerable Web Application (DVWA) will not work.

To let an ordinary user access the MySQL / MariaDB database without sudo privileges, open the MySQL command prompt:

sudo systemctl start mysql
sudo mysql

and run the following commands:

use mysql;
update user set plugin='' where User='root';
flush privileges;
exit

Then restart the MySQL service:

sudo systemctl restart mysql.service

If you see empty pages when you open the browser, it means that you also need to switch from PHP 7.2 to PHP 7.3, as described in the article ‘Troubleshooting: Kali Linux web server shows blank pages’.

How to install OWASP Mutillidae II in Kali Linux

Create a file upd_mutillidae.sh:

gedit upd_mutillidae.sh

and copy-paste the script into the created file:

#!/bin/bash
# Install or update OWASP Mutillidae II under Apache + PHP-FPM + MySQL on Kali Linux.

sudo apt update
sudo apt install php-xml php-fpm libapache2-mod-php php-mysql php-gd php-imap php-gettext php-curl -y

# Hand PHP requests to PHP-FPM, then restart the services once the config is in place.
sudo a2enmod proxy_fcgi setenvif
sudo a2enconf php7.3-fpm
sudo systemctl restart apache2.service
sudo systemctl restart php7.3-fpm.service
sudo systemctl restart mysql

cd /tmp || exit 1
git clone https://github.com/webpwnized/mutillidae || exit 1

# Keep one backup of the previous installation, replacing any older backup.
if [ -d "/var/www/html/mutillidae.backup" ]; then
    sudo rm -rf /var/www/html/mutillidae.backup
fi

if [ -d "/var/www/html/mutillidae" ]; then
    sudo mv /var/www/html/mutillidae /var/www/html/mutillidae.backup
fi

sudo mkdir -p /var/www/html/mutillidae
sudo mv mutillidae*/* /var/www/html/mutillidae/

# The web server user must own the files.
sudo chown -R www-data:www-data /var/www/html/mutillidae/

# Remove the clone (including its .git directory) from /tmp.
sudo rm -rf mutillidae*

cd

Run the script:

sudo bash upd_mutillidae.sh

After the installation is completed, OWASP Mutillidae II is available at http://localhost/mutillidae/.

On the first visit, click «setup/reset the DB» and wait while the database is populated. Then just click 'OK' in the popup.

Now you are ready to learn how to hack web sites.

In addition, you can use the above script to update OWASP Mutillidae II after a new version is released.

The script started all the necessary services, but after every system restart you need to start them again before you can access Mutillidae:

sudo systemctl start php7.3-fpm.service
sudo systemctl start apache2.service
sudo systemctl start mysql

How to install Damn Vulnerable Web Application (DVWA) in Kali Linux

Create a file upd_dvwa.sh:

gedit upd_dvwa.sh

and save the script into the created file:

#!/bin/bash
# Install or update DVWA under Apache + MySQL on Kali Linux.

sudo apt update
sudo apt install php php-mysql php-gd -y

# DVWA's file-inclusion exercises expect allow_url_include to be On;
# the pattern must match the php.ini line exactly, spaces included.
sudo sed -i 's/allow_url_include = Off/allow_url_include = On/' /etc/php/7.3/apache2/php.ini

sudo systemctl restart apache2
sudo systemctl restart mysql

cd /tmp || exit 1
git clone https://github.com/ethicalhack3r/DVWA.git || exit 1

# Keep one backup of the previous installation, replacing any older backup.
if [ -d "/var/www/html/dvwa.backup" ]; then
    sudo rm -rf /var/www/html/dvwa.backup
fi

if [ -d "/var/www/html/dvwa" ]; then
    sudo mv /var/www/html/dvwa /var/www/html/dvwa.backup
fi

sudo mkdir -p /var/www/html/dvwa
sudo mv DVWA*/* /var/www/html/dvwa/

# The web server user must own the files.
sudo chown -R www-data:www-data /var/www/html/dvwa/

sudo rm -rf DVWA*

# Activate the shipped config and clear the default DB password ('p@ssw0rd'),
# since the MySQL root account has no password after the Preparation step.
sudo mv /var/www/html/dvwa/config/config.inc.php.dist /var/www/html/dvwa/config/config.inc.php
sudo sed -i 's/p@ssw0rd//' /var/www/html/dvwa/config/config.inc.php

cd

Run the script:

sudo bash upd_dvwa.sh

DVWA is now available at http://localhost/dvwa/

Inside DVWA go to Setup / Reset DB and click on the 'Create / Reset Database' button.

You can also use the above script to update DVWA after a new version is released.

After rebooting Kali Linux, do not forget to start the Apache and MySQL services before you try to reach DVWA.

If you have changed the MySQL password (there is none by default), update the credentials in the corresponding files:

  • /var/www/html/mutillidae/classes/MySQLHandler.php (for Mutillidae)
  • /var/www/html/dvwa/config/config.inc.php (for DVWA)
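The sed one-liner in upd_dvwa.sh only matches the exact text "allow_url_include = Off"; it silently does nothing when the line is commented out, spaced differently, or absent, and DVWA's setup page then still reports the directive as disabled. The following helpers, added here as an example and not part of the original guide or of DVWA, rewrite or append a php.ini directive robustly; the file path and sample contents are constructed for the demonstration.

```shell
#!/bin/bash
# Added example (not from the guide): the guide's sed only matches the exact text
# "allow_url_include = Off" and silently skips a commented-out (";allow_url_include"),
# differently spaced ("allow_url_include=Off") or missing line. Sample file is constructed.

# set_ini_flag FILE KEY VALUE: rewrite any active or commented-out KEY line as
# "KEY = VALUE"; append the directive if the file has no such line.
set_ini_flag() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^[[:space:]]*;?[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[[:space:]]*;?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_ini_flag FILE KEY: print the effective (uncommented) value, or "unset".
get_ini_flag() {
    local file="$1" key="$2" val
    val=$(grep -E "^[[:space:]]*${key}[[:space:]]*=" "$file" | tail -n 1 |
          sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# make_sample_ini: write a constructed php.ini fragment with the awkward forms; print its path.
make_sample_ini() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
; directive left commented out by an earlier edit (constructed case)
;allow_url_include = Off
allow_url_fopen=Off
display_errors = Off
EOF
    printf '%s\n' "$f"
}

# demo: apply the two URL-related directives DVWA needs plus one missing key; report them.
demo() {
    local f
    f=$(make_sample_ini)
    set_ini_flag "$f" allow_url_include On     # commented line becomes active
    set_ini_flag "$f" allow_url_fopen On       # no-space form handled
    set_ini_flag "$f" magic_quotes_gpc Off     # missing key gets appended
    printf 'allow_url_include=%s allow_url_fopen=%s magic_quotes_gpc=%s\n' \
        "$(get_ini_flag "$f" allow_url_include)" \
        "$(get_ini_flag "$f" allow_url_fopen)" "$(get_ini_flag "$f" magic_quotes_gpc)"
    rm -f "$f"
}
demo
```

Running get_ini_flag against /etc/php/7.3/apache2/php.ini after the install script is a quick way to confirm the directive actually took effect before opening the DVWA setup page.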


11 Comments to How to install OWASP Mutillidae II and Damn Vulnerable Web Application (DVWA) in Kali Linux

  1. Alex Alex says:

    The guide and scripts are updated, they work again.

  2. Ahmed Fathy says:

    You're awesome, guys

  3. Alex Alex says:

    The scripts were updated in connection with the transition of Kali Linux to PHP 7.2.

  4. Anonymous says:

    Nice article 🙂

  5. mike says:

    I have followed all steps, however when I go to the initial webpages, instead of the mutillidae/dvwa setup pages appearing, there is simply a blank screen. I was wondering if you had any advice on where to start troubleshooting?

  6. Anonymous says:

    I followed all the steps, but after clicking on Setup/Reset the DB, I am not getting the popup of successful setup. My DB is getting set and I am seeing nothing on the index page. Please help.

  7. Del says:

    I can no longer log in to mysql after running the initial mysql cmds removing the plugin.

  8. Blooder says:

    HOW TO LOG IN TO MYSQL AFTER MUTILLIDAE INSTALLATION:

    After you do all the steps of the tutorial to install mutillidae, the password to log in to mysql will change.

    In order to reset the database to start using mutillidae, it asks you to change the password for the root user. The new password will be 'mutillidae'.

    You can only log in to mysql using this query:

    mysql -u root -p

    Then, mysql will ask you to enter the password. Just insert 'mutillidae'.

    I spent two entire days solving this problem.

    So this may be useful for someone.

  9. whocares says:

    Remember to write at the top of the article when it was written... last updated... we live in 2019... should be common sense.

    Thanks a lot. 
