How to install OWASP Mutillidae II and Damn Vulnerable Web Application (DVWA) in Kali Linux

OWASP Mutillidae II is a free, open-source, deliberately vulnerable web application that provides a target for web-security enthusiasts. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMPP. With dozens of vulnerabilities and hints to help the user, it is an easy-to-use web-hacking environment designed for labs, security enthusiasts, classrooms, CTFs, and as a target for vulnerability-assessment tools. Mutillidae has been used in graduate security courses, corporate web-security training courses, and as an "assess the assessor" target for vulnerability-assessment software.

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is, as the name says, damn vulnerable. Its main goals are to help security professionals test their skills and tools in a legal environment, help web developers better understand how to secure web applications, and help teachers and students teach and learn web-application security in a classroom environment.

Preparation

MySQL 5.7 (and the MariaDB builds shipped with Kali) changed the security model: the root account authenticates through a socket plugin (auth_socket / unix_socket), so root logs in without a password but only from a shell that already has root privileges, i.e. via sudo. Mutillidae and DVWA connect to the database as root with an empty password from the web-server account (www-data), so with this default they cannot log in at all.

To let an ordinary user (and therefore the web server) connect as root without sudo, first start the server and open the MySQL prompt as root:

sudo systemctl start mysql
sudo mysql

and run the following commands (on MariaDB 10.4 and newer, mysql.user is a view and this UPDATE is rejected; use ALTER USER there instead):

use mysql;
update user set plugin='' where User='root';
flush privileges;
exit

Then restart the MySQL service:

sudo systemctl restart mysql.service

Keep in mind what this does: the database superuser now has an empty password and no socket check, so any local user, including whoever gains code execution through one of the deliberately vulnerable apps, owns the database. Do this only on a throw-away lab machine.
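The following script is an added example, not part of the original article: it picks the statement that actually works for the installed server version, applies it, and verifies that an unprivileged shell can now open a root session. The article's UPDATE is correct for MySQL 5.7 and MariaDB up to 10.3; from MariaDB 10.4 on, mysql.user is a view and the UPDATE fails with "The target table user of the UPDATE is not updatable", so ALTER USER is used there. It assumes the Debian/Kali packaging (socket authentication for root, `mysql` as the service name) and is run as `bash fix_root_auth.sh apply`; without the argument it only defines the functions.

```shell
#!/bin/bash
# Added example (not from the original article): choose, apply and verify the
# change that lets MySQL/MariaDB root log in without sudo on a Kali lab box.
# Assumes Debian/Kali packaging (socket auth for root, service name "mysql").

# root_auth_sql <version string as returned by SELECT VERSION()>
# Prints the SQL to switch root@localhost back to native password auth with an
# empty password, which is what Mutillidae and DVWA expect out of the box.
root_auth_sql() {
  local version="$1" major minor
  major=${version%%.*}
  minor=${version#*.}
  minor=${minor%%.*}
  case "$version" in
    *MariaDB*)
      # MariaDB >= 10.4: mysql.user is a view, UPDATE is rejected, use ALTER USER
      if [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 4 ]; }; then
        echo "ALTER USER 'root'@'localhost' IDENTIFIED VIA mysql_native_password USING PASSWORD('');"
      else
        echo "UPDATE mysql.user SET plugin='' WHERE User='root'; FLUSH PRIVILEGES;"
      fi
      ;;
    *)
      # MySQL 5.7 / 8.0 (Debian packages use auth_socket for root)
      echo "ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '';"
      ;;
  esac
}

# root_login_works: succeeds if a shell without sudo can open a root session
root_login_works() {
  mysql -u root -e 'SELECT 1' >/dev/null 2>&1
}

apply_root_auth() {
  local version
  sudo systemctl start mysql
  version=$(sudo mysql -N -B -e 'SELECT VERSION()')
  echo "server: $version"
  sudo mysql -e "$(root_auth_sql "$version")"
  sudo systemctl restart mysql
  if root_login_works; then
    echo "root can now log in without sudo (empty password: lab machines only)"
  else
    echo "root login still fails; inspect: sudo mysql -e \"SELECT user,host,plugin FROM mysql.user\"" >&2
    return 1
  fi
}

if [ "${1:-}" = "apply" ]; then
  apply_root_auth
fi
```

The version check is the only part that is not a straight copy of the article's commands; if `root_login_works` still fails after the restart, look at the `plugin` column for root@localhost: it must be empty or `mysql_native_password`, not `unix_socket` or `auth_socket`.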

If the browser shows empty pages, PHP is failing before any output is produced (check /var/log/apache2/error.log); in that case you also need to switch from PHP 7.0 to PHP 7.2, as described in the article ‘Troubleshooting: Kali Linux web server shows blank pages’.

How to install OWASP Mutillidae II in Kali Linux

Create a file upd_mutillidae.sh:

gedit upd_mutillidae.sh

and copy-paste the script into the created file:

#!/bin/bash
# PHP version shipped by Kali at the time of writing; it must match the
# installed php-fpm package (ls /etc/php/ to check).
PHPV=7.2

sudo apt update
sudo apt install php-xml php-fpm libapache2-mod-php php-mysql php-gd php-imap php-gettext php-curl -y
# Let Apache hand .php requests to php-fpm over FastCGI
sudo a2enmod proxy_fcgi setenvif
sudo a2enconf php${PHPV}-fpm
sudo systemctl restart apache2
sudo systemctl restart php${PHPV}-fpm
sudo systemctl restart mysql

cd /tmp
# Scrape the SourceForge file list for the newest release zip
temp="$(curl -sL -A 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36' https://sourceforge.net/projects/mutillidae/files/mutillidae-project/)"
if [ $? -ne 0 ]; then
    exit 1
fi

url=$(echo "${temp}" | grep -o -E 'https://[A-Za-z0-9./-]{7,}[.]zip/download' | head -n 1)
if [ -z "$url" ]; then
    echo "Could not find a release zip on SourceForge" >&2
    exit 1
fi
wget -O "mutillidae.zip" "$url"
unzip -q mutillidae.zip

# Keep one backup of the previous install, so the script doubles as an updater
if [ -d "/var/www/html/mutillidae.backup" ]; then
    sudo rm -rf /var/www/html/mutillidae.backup
fi

if [ -d "/var/www/html/mutillidae" ]; then
    sudo mv /var/www/html/mutillidae /var/www/html/mutillidae.backup
fi

sudo mkdir -p /var/www/html/mutillidae
shopt -s dotglob    # also move .htaccess and other dotfiles
sudo mv mutillidae*/* /var/www/html/mutillidae/
shopt -u dotglob

sudo chown -R www-data:www-data /var/www/html/mutillidae/

sudo rm -rf mutillidae*

cd

Run the script:

sudo bash upd_mutillidae.sh

After the installation is completed, OWASP Mutillidae II is available at http://localhost/mutillidae/.

The first time you open it, Mutillidae reports that its database has not been set up yet:

Click «setup/reset the DB», wait while the database is populated, and then click 'OK' in the popup:

Now you are ready to learn how to hack web sites:

In addition, the same script updates OWASP Mutillidae II after a new version is released (the previous install is kept in /var/www/html/mutillidae.backup).

The script started all the services it needs, but it does not enable them at boot. After every system restart, start them again before opening Mutillidae:

sudo systemctl start php7.2-fpm.service
sudo systemctl start apache2.service
sudo systemctl start mysql
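Leaving the services off at boot is sensible, because these applications are exploitable by design; but while Apache is running, Kali's default site listens on every interface, so anyone on the same network can reach the lab. The following script is an added example, not part of the original article, that confines both apps to requests from the local machine with Apache 2.4's `Require local` (the conf file name lab-local-only.conf is an arbitrary choice). Run it as `bash lab_local_only.sh apply`; without the argument it only prints nothing and defines the functions.

```shell
#!/bin/bash
# Added example (not from the original article): restrict the two vulnerable
# lab apps to loopback clients. "Require local" matches 127.0.0.1, ::1 and the
# host's own addresses. The conf name "lab-local-only" is an arbitrary choice.

# lab_local_only_conf: print the Apache configuration fragment
lab_local_only_conf() {
  cat <<'EOF'
# Deliberately vulnerable lab applications: loopback clients only
<Directory /var/www/html/mutillidae>
    Require local
</Directory>
<Directory /var/www/html/dvwa>
    Require local
</Directory>
EOF
}

# apply_lab_local_only: install the fragment, validate the config, reload
apply_lab_local_only() {
  lab_local_only_conf | sudo tee /etc/apache2/conf-available/lab-local-only.conf >/dev/null
  sudo a2enconf lab-local-only
  sudo apachectl configtest && sudo systemctl reload apache2
}

if [ "${1:-}" = "apply" ]; then
  apply_lab_local_only
fi
```

To check the result from another machine, `curl -I http://<kali-ip>/dvwa/` should return 403, while `curl -I http://localhost/dvwa/` on the Kali box still returns 200 or a redirect to the login page. If you later want to attack the lab from a second VM, replace `Require local` with `Require ip <attacker address>` rather than removing the block.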

How to install Damn Vulnerable Web Application (DVWA) in Kali Linux

Create a file upd_dvwa.sh:

gedit upd_dvwa.sh

and save the script into the created file:

#!/bin/bash
# Must match the installed PHP version (ls /etc/php/ to check)
PHPV=7.2

sudo apt-get update
sudo apt-get install git php php-mysql php-gd -y

# DVWA's File Inclusion lab needs allow_url_include. Edit the php.ini of every
# SAPI present: if Apache proxies PHP to php-fpm (as the Mutillidae script
# configures), the fpm php.ini is the one that counts, not apache2/php.ini.
for ini in /etc/php/${PHPV}/apache2/php.ini /etc/php/${PHPV}/fpm/php.ini; do
    [ -f "$ini" ] && sudo sed -i 's/^allow_url_include = Off/allow_url_include = On/' "$ini"
done

sudo systemctl restart apache2
sudo systemctl restart php${PHPV}-fpm 2>/dev/null
sudo systemctl restart mysql

cd /tmp
rm -rf DVWA    # a leftover checkout would make git clone fail

git clone https://github.com/ethicalhack3r/DVWA.git

# Keep one backup of the previous install, so the script doubles as an updater
if [ -d "/var/www/html/dvwa.backup" ]; then
    sudo rm -rf /var/www/html/dvwa.backup
fi

if [ -d "/var/www/html/dvwa" ]; then
    sudo mv /var/www/html/dvwa /var/www/html/dvwa.backup
fi

# Move the whole checkout (including dotfiles such as .htaccess), but keep the
# .git history out of the web root
sudo mv DVWA /var/www/html/dvwa
sudo rm -rf /var/www/html/dvwa/.git

sudo chown -R www-data:www-data /var/www/html/dvwa/

# Create the live config from the template and clear the default DB password
# (MySQL root has no password on a fresh Kali install). Check that db_user in
# the config is the account you use; change it if it is not root.
sudo cp /var/www/html/dvwa/config/config.inc.php.dist /var/www/html/dvwa/config/config.inc.php
sudo sed -i 's/p@ssw0rd//' /var/www/html/dvwa/config/config.inc.php

cd

Run the script:

sudo bash upd_dvwa.sh

DVWA is now available at http://localhost/dvwa/

Inside DVWA go to Setup / Reset DB and click on the 'Create / Reset Database' button.

You can also use the above script to update DVWA after a new version is released.

After rebooting Kali Linux, start the Apache and MySQL services (and php7.2-fpm as well if you ran the Mutillidae script, since it routes all PHP through php-fpm) before opening DVWA.

If you have changed the MySQL root password (there is none by default), update it in the corresponding files:

  • /var/www/html/mutillidae/classes/MySQLHandler.php (for Mutillidae)
  • /var/www/html/dvwa/config/config.inc.php (for DVWA)
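Both installs fail in the same few ways: an empty page (PHP dies before producing output, typically the wrong php-fpm version or a missing extension), the PHP source echoed back (no PHP handler at all), or a php.ini edit that seems to have no effect because Apache is proxying to php-fpm and the fpm php.ini applies rather than apache2/php.ini. The following smoke test is an added example, not part of the original article; it assumes the Debian/Kali layout (/etc/php/<version>/{apache2,fpm}/php.ini, conf-enabled/php<version>-fpm.conf) and the two URLs used above. Run it as `bash check_lab.sh run`; without the argument it only defines the functions.

```shell
#!/bin/bash
# Added post-install smoke test (not part of the original article).
# Assumes Debian/Kali paths for php.ini and the Apache php-fpm conf.

# classify_page <body> <marker>: blank | raw-php | ok | unexpected
classify_page() {
  local body="$1" marker="$2"
  if [ -z "$(printf '%s' "$body" | tr -d '[:space:]')" ]; then
    echo blank            # PHP produced no output at all: look in error.log
  elif printf '%s' "$body" | grep -q '<?php'; then
    echo raw-php          # Apache served the file as text: no PHP handler
  elif printf '%s' "$body" | grep -qi -- "$marker"; then
    echo ok
  else
    echo unexpected       # e.g. the Apache default page or a 404
  fi
}

# active_php_ini [root]: the php.ini that governs pages served by Apache.
# If a php*-fpm conf is enabled, .php requests are proxied to FPM and the fpm
# php.ini applies; otherwise mod_php reads the apache2 one. The optional root
# argument exists so the lookup can be exercised against a fake tree.
active_php_ini() {
  local root="${1:-}" conf ver
  for conf in "$root"/etc/apache2/conf-enabled/php*-fpm.conf; do
    if [ -e "$conf" ]; then
      ver=$(basename "$conf" -fpm.conf)   # php7.2
      ver=${ver#php}
      echo "$root/etc/php/$ver/fpm/php.ini"
      return 0
    fi
  done
  for conf in "$root"/etc/php/*/apache2/php.ini; do
    if [ -e "$conf" ]; then
      echo "$conf"
      return 0
    fi
  done
  echo ""
}

# url_include_enabled <php.ini>: succeeds if allow_url_include = On
# (needed by DVWA's remote file inclusion lab)
url_include_enabled() {
  grep -Eq '^[[:space:]]*allow_url_include[[:space:]]*=[[:space:]]*On' "$1"
}

run_checks() {
  local app svc url body ini
  for svc in apache2 mysql; do
    printf '%-12s %s\n' "$svc" "$(systemctl is-active "$svc")"
  done
  for app in mutillidae dvwa; do
    url="http://localhost/$app/"
    body=$(curl -s -L "$url")      # -L: DVWA redirects / to login.php
    printf '%-12s %s\n' "$app" "$(classify_page "$body" "$app")"
  done
  ini=$(active_php_ini)
  if [ -n "$ini" ]; then
    if url_include_enabled "$ini"; then
      echo "allow_url_include = On in $ini"
    else
      echo "allow_url_include = Off in $ini (DVWA's RFI level will not work)"
    fi
  fi
}

if [ "${1:-}" = "run" ]; then
  run_checks
fi
```

A `raw-php` result means libapache2-mod-php is not loaded and no fpm conf is enabled; a `blank` result with the services active almost always points at a PHP fatal error in /var/log/apache2/error.log (a missing php-mysql extension is the usual one). If the script reports the fpm php.ini, that is the file to edit for allow_url_include, and php-fpm, not only Apache, must be restarted afterwards.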


8 Comments to How to install OWASP Mutillidae II and Damn Vulnerable Web Application (DVWA) in Kali Linux

  1. Alex Alex says:

    The guide and scripts are updated, they work again.

  2. Ahmed Fathy says:

    You're awesome, guys

  3. Alex Alex says:

    The scripts were updated in connection with the transition of Kali Linux to PHP 7.2.

  4. Anonymous says:

    Nice article 🙂

  5. mike says:

    I have followed all steps, however when I go to the initial webpages instead of mutillidae/dvwa setup pages appearing, there is simply a blank screen. I was wondering if you had any advice on where to start troubleshooting?

  6. Anonymous says:

    I followed all the steps but after clicking on setup/Reset the db, I am not getting the popup of successful setup. My db is getting set and I am seeing nothing on the index page. Please help.
