How to install OWASP Mutillidae II and Damn Vulnerable Web Application (DVWA) in Kali Linux
OWASP Mutillidae II is a free, open source, deliberately vulnerable web application that provides a target for web-security enthusiasts. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, or XAMPP. With dozens of vulnerabilities and hints to help the user, it is an easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTFs, and as a target for vulnerability assessment tools. Mutillidae has been used in graduate security courses, in corporate web security training courses, and as an "assess the assessor" target for vulnerability assessment software.
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to aid teachers and students in teaching and learning web application security in a classroom environment.
Preparation
Since MySQL 5.7 the security model has changed: logging in to MySQL as root now requires sudo (the password can still be empty). With these default settings, OWASP Mutillidae II and Damn Vulnerable Web Application (DVWA) will not work, because the web server cannot connect to the database as root.
To access the MySQL / MariaDB database as an ordinary user without sudo privileges, open the MySQL command prompt:
sudo systemctl start mysql
sudo mysql
and run the following commands:
use mysql;
ALTER USER 'root'@'localhost' IDENTIFIED BY '';
flush privileges;
exit
Then restart the MySQL service:
sudo systemctl restart mysql.service
If you see empty pages when you open the browser, it means that you also need to switch from PHP 7.2 to PHP 7.3, as described in the article ‘Troubleshooting: Kali Linux web server shows blank pages’.
How to install OWASP Mutillidae II in Kali Linux
Create the mutillidae database. To do this, connect to the DBMS:
sudo mysql
And run the following query:
CREATE DATABASE mutillidae;
Create a file upd_mutillidae.sh:
gedit upd_mutillidae.sh
and copy-paste the script into the created file:
#!/bin/bash
sudo apt update
sudo apt install php-xml php-fpm libapache2-mod-php php-mysql php-gd php-imap php-curl php-mbstring mariadb-server -y
sudo a2enmod proxy_fcgi setenvif
sudo systemctl restart apache2
sudo a2enconf php8.2-fpm
sudo systemctl reload apache2
sudo systemctl restart apache2.service
sudo systemctl restart php8.2-fpm
sudo systemctl restart mysql
cd /tmp
git clone https://github.com/webpwnized/mutillidae
if [ $? -ne '0' ]; then
    exit 1
fi
if [ -d "/var/www/html/mutillidae.backup" ]; then
    sudo rm -rf /var/www/html/mutillidae.backup
fi
if [ -d "/var/www/html/mutillidae" ]; then
    sudo mv /var/www/html/mutillidae /var/www/html/mutillidae.backup
fi
sudo mkdir /var/www/html/mutillidae
sudo mv mutillidae*/* /var/www/html/mutillidae/
sudo sed -i "s/'DB_PASSWORD', 'mutillidae'/'DB_PASSWORD', ''/" /var/www/html/mutillidae/includes/database-config.inc
sudo chown -R www-data:www-data /var/www/html/mutillidae/
sudo rm -rf mutillidae*
cd
# It needs "Lightweight Directory Access Protocol (LDAP)" and "PHPLDAPAdmin" but I don't know how to set them up yet
# sudo apt install slapd
# sudo systemctl start slapd.service
Run the script:
sudo bash upd_mutillidae.sh
After the installation is completed, OWASP Mutillidae II is available at http://localhost/mutillidae/.
The first time you open it, you will see:
Click «setup/reset the DB» and wait while the database is populated. Then, in the popup, just click 'OK':
To initialize the database follow the link: http://localhost/mutillidae/set-up-database.php
Now you are ready to learn how to hack web sites:
In addition, you can use the above script for updating OWASP Mutillidae II after release of a new version.
The script started all the necessary services, but they are not started automatically at boot: after every system restart you need to start them again before you can access Mutillidae:
sudo systemctl start php8.2-fpm.service
sudo systemctl start apache2.service
sudo systemctl start mysql
How to install Damn Vulnerable Web Application (DVWA) in Kali Linux
Create the dvwa database. To do this, connect to the DBMS:
sudo mysql
And run the following query:
CREATE DATABASE dvwa;
Create a file upd_dvwa.sh:
gedit upd_dvwa.sh
and save the script into the created file:
#!/bin/bash
sudo apt update
sudo apt install php php-mysql php-gd mariadb-server -y
# Deprecated as of PHP 7.4.0.
# sudo sed -i 's/allow_url_include = Off/allow_url_include = On/' /etc/php/8.1/apache2/php.ini
sudo systemctl restart apache2
sudo systemctl restart mysql
cd /tmp
git clone https://github.com/ethicalhack3r/DVWA
# Stop here if the clone failed, otherwise the existing installation would be
# moved to the backup directory and replaced with an empty one.
if [ $? -ne 0 ]; then
    exit 1
fi
if [ -d "/var/www/html/dvwa.backup" ]; then
    sudo rm -rf /var/www/html/dvwa.backup
fi
if [ -d "/var/www/html/dvwa" ]; then
    sudo mv /var/www/html/dvwa /var/www/html/dvwa.backup
fi
sudo mkdir /var/www/html/dvwa
sudo mv DVWA*/* /var/www/html/dvwa/
sudo chown -R www-data:www-data /var/www/html/dvwa/
sudo rm -rf DVWA*
sudo mv /var/www/html/dvwa/config/config.inc.php.dist /var/www/html/dvwa/config/config.inc.php
# Empty the default DB password and make DVWA connect as root (the rest of the original line is commented out).
sudo sed -i 's/p@ssw0rd//' /var/www/html/dvwa/config/config.inc.php
sudo sed -i "s/'db_user' ]/'db_user' ] = 'root'; \/\//" /var/www/html/dvwa/config/config.inc.php
cd
Run the script:
sudo bash upd_dvwa.sh
Now DVWA installation is available at http://localhost/dvwa/
Inside DVWA go to Setup / Reset DB and click on the 'Create / Reset Database' button.
You can also use the above script to update DVWA after a new version is released.
After rebooting Kali Linux, do not forget to start the Apache and MySQL services before you can reach DVWA.
If you have changed the MySQL password (there is no password by default), adjust the corresponding files:
- /var/www/html/mutillidae/classes/MySQLHandler.php (for Mutillidae)
- /var/www/html/dvwa/config/config.inc.php (for DVWA)
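As an added post-install check (not part of this guide's scripts or of either project), the script below tests the usual causes of a blank page: a missing php-xml module, stopped services, and database credentials in the config files that the DBMS rejects. It assumes the file paths used by the install scripts above; the sample config and module listings embedded in it are constructed.

```shell
#!/bin/bash
# Post-install sanity check added to this guide (not Mutillidae's or DVWA's own code).
# Paths are the ones used by the install scripts in the guide.
MUT_CONF=/var/www/html/mutillidae/includes/database-config.inc
DVWA_CONF=/var/www/html/dvwa/config/config.inc.php

# Print the first single-quoted value that follows the quoted key $1 in config
# text read from stdin, e.g. define('DB_PASSWORD', '') or $_DVWA[ 'db_user' ] = 'root';
conf_value() {
    sed -n "s/.*'$1'[^']*'\([^']*\)'.*/\1/p" | head -n 1
}

# Succeed when config text $1 sets key $2 to exactly $3.
check_config() {
    [ "$(printf '%s\n' "$1" | conf_value "$2")" = "$3" ]
}

# Succeed when a `php -m` listing ($1) contains module $2 (case-insensitive).
has_php_module() {
    printf '%s\n' "$1" | grep -qix "$2"
}

# Try to log in to MariaDB/MySQL as user $1 with password $2; an empty
# password means "no -p flag", otherwise the client would prompt.
db_login_ok() {
    if [ -n "$2" ]; then mysql -u "$1" -p"$2" -e 'SELECT 1' >/dev/null 2>&1
    else mysql -u "$1" -e 'SELECT 1' >/dev/null 2>&1; fi
}

# Constructed samples: what the files look like after the scripts above ran.
SAMPLE_DVWA="\$_DVWA[ 'db_user' ] = 'root'; //   = 'dvwa';
\$_DVWA[ 'db_password' ] = '';"
SAMPLE_MUT="define('DB_USERNAME', 'root');
define('DB_PASSWORD', '');"
SAMPLE_MODULES="[PHP Modules]
mysqli
xml"

# Live checks run only on a host where the guide's files actually exist.
if [ -f "$DVWA_CONF" ] && [ -f "$MUT_CONF" ] && command -v php >/dev/null; then
    has_php_module "$(php -m)" xml || echo "php-xml is missing (Mutillidae shows a blank page)"
    for svc in apache2 mysql; do
        systemctl is-active --quiet "$svc" || echo "service $svc is not running"
    done
    for f in "$DVWA_CONF:db_user:db_password" "$MUT_CONF:DB_USERNAME:DB_PASSWORD"; do
        IFS=: read -r path ukey pkey <<EOF
$f
EOF
        u=$(conf_value "$ukey" < "$path"); p=$(conf_value "$pkey" < "$path")
        db_login_ok "$u" "$p" || echo "$path: user '$u' rejected by the DBMS"
    done
fi
```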
See also How to protect web server on Kali Linux from unauthorized access.
The guide and scripts are updated, they work again.
You're awesome, guys.
The scripts were updated in connection with the transition of Kali Linux to PHP 7.2.
Nice article 🙂
I have followed all steps, however when I go to the initial webpages instead of mutillidae/dvwa setup pages appearing, there is simply a blank screen. I was wondering if you had any advice on where to start troubleshoot?
Hello!
Right now I repeated the steps on a fresh Kali Linux installation. It is working! Did you see the link in the article: ‘Troubleshooting: Kali Linux web server shows blank pages’?
I suppose you missed this step.
Please check errors in the log file:
I'm getting the same thing with a blank page for mutillidae… the error showing in my error.log is:
8] PHP Fatal error: Uncaught Error: Call to undefined function simplexml_load_file() in /var/www/html/mutillidae/owasp-esapi-php/src/reference/DefaultSecurityConfiguration.php:136\nStack trace:\n#0 /var/www/html/mutillidae/owasp-esapi-php/src/reference/DefaultSecurityConfiguration.php(116): DefaultSecurityConfiguration->_loadConfiguration('/var/www/html/m…')\n#1 /var/www/html/mutillidae/owasp-esapi-php/src/ESAPI.php(362): DefaultSecurityConfiguration->__construct('/var/www/html/m…')\n#2 /var/www/html/mutillidae/owasp-esapi-php/src/ESAPI.php(66): ESAPI::getSecurityConfiguration('/var/www/html/m…')\n#3 /var/www/html/mutillidae/index.php(157): ESAPI->__construct('/var/www/html/m…')\n#4 {main}\n thrown in /var/www/html/mutillidae/owasp-esapi-php/src/reference/DefaultSecurityConfiguration.php on line 136
Did you use my scripts in the installation process?
Hi Alex,
I am also getting the same issue; my PHP version is PHP 7.4. I have followed the same steps which you have given, please help me with this.
PHP Fatal error: Uncaught Error: Call to undefined function simplexml_load_file() in /var/www/html/mutillidae/owasp-esapi-php/src/reference/DefaultSecurityConfiguration.php:136\n
Thanks
Ramesh D
Again, did you use my scripts during the installation process? The reason for the error is the absence of the ‘php-xml’ package. BUT: my script installs this package.
I followed all the steps but after clicking on setup/Reset the db, I am not getting the popup of successful setup. My db is getting set and I am seeing nothing on the index page. Please help.
Did you see the link in the article: ‘Troubleshooting: Kali Linux web server shows blank pages’?
I suppose you missed this step.
I can no longer login to mysql after running the initial mysql cmds removing the plugin.
HOW TO LOG IN TO MYSQL AFTER MUTILLIDAE INSTALLATION:
After you do all the steps of the tutorial to install mutillidae, the password to login into mysql will change.
In order to reset the database to start using mutillidae, it asks you to change the password for the root user. The new password will be 'mutillidae'.
You can only log in to mysql using this query:
mysql -u root -p
Then, mysql will ask you to enter the password. Just insert 'mutillidae'.
I spent two entire days solving this problem.
So this may be useful for someone.
Remember to write at the top of the article when it was written… last updated… we live in 2019… should be common sense.
Thanks a lot.
Folks who are getting a blank page, it is mostly because the DB is not set up properly; check the following:
1. Do you have same username and password on Config file and Database
2. Do you have permission set up for the user-created for Mutillidae and DVWA
3. Do you have correct directory permission for Mutillidae and DVWA
Scripts are checked and updated on April 30, 2020 – everything works fine!
Hey Alex, I am launching mutillidae using a different IP address, but when I launch mutillidae in the browser I'm getting
I gave the child permissions too.
I changed the .htacess file and gave access to my IP .
Still it's the same.
This is my .htacess file code:
What am I doing wrong? Any help is much appreciated.
Hello! The directives Allow, Deny are deprecated with Apache 2.2. Nowadays there is Apache 2.4.* on Kali Linux.
Please pay attention that in your error 149.165.157.203 is mentioned; it is not a local IP. If you use a hostname to access your web server, please check your DNS settings.
By the way, you misspelled name of .htaccess file (not .htacess).
Did you enable .htaccess support on your web server? It is disabled by default.
Please, with Apache 2.4.*, use any of the following notations in .htaccess (to allow access for a single IP or network ranges). “Require ip” can be used multiple times.
By the way, please keep in mind, that settings in parent directories (including access control) can affect child directories.
nice and direct article
Scripts and commands have been checked and fixed, as of August 31, 2020 everything is working fine in the latest Kali Linux.
Updated due to the transition of Kali Linux to PHP 8.1.
Thanks You very much!
You're amazing!
Updated due to the transition of Kali Linux to PHP 8.2.