diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..bf21088
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*~
+mysql
diff --git a/Dockerfile b/Dockerfile
index a7dff69..547ceee 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,7 +10,6 @@ RUN apt-get update && \
 echo mysql-server-5.5 mysql-server/root_password_again password vulnerables | debconf-set-selections && \
 DEBIAN_FRONTEND=noninteractive apt-get install -y \
 apache2 \
- mysql-server \
 php5 \
 php5-mysql \
 php-pear \
@@ -19,13 +18,17 @@ RUN apt-get update && \
 apt-get clean && \
 rm -rf /var/lib/apt/lists/*
-COPY php.ini /etc/php5/apache2/php.ini
-COPY dvwa /var/www/html
+RUN ln -sf /proc/self/fd/1 /var/log/apache2/access.log && \
+ ln -sf /proc/self/fd/2 /var/log/apache2/error.log
+
+COPY conf/php.ini /etc/php5/apache2/php.ini
+COPY conf/000-default.conf /etc/apache2/sites-available/000-default.conf
 RUN chown www-data:www-data -R /var/www/html && \
 rm /var/www/html/index.html
 EXPOSE 80
+VOLUME ["/var/www/html"]
+
+CMD ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"]
-COPY main.sh /
-ENTRYPOINT ["/main.sh"]
diff --git a/README.md b/README.md
index 779dfcb..258e2d6 100644
--- a/README.md
+++ b/README.md
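Review bot: The `chown www-data:www-data -R /var/www/html` kept in the second Dockerfile hunk now only affects the image layer, because the new `VOLUME ["/var/www/html"]` together with the `./dvwa` bind mount in docker-compose.yml means the tree Apache actually serves carries the host directory's ownership at runtime; if DVWA needs to write under its document root (uploads, generated files), that will fail unless the host side is prepared, so a comment next to `VOLUME` such as `# /var/www/html is replaced by a bind mount at runtime; the chown above does not apply to the mounted tree` would save the next reader a surprise. The first hunk removes `mysql-server` from the package list but leaves the `echo mysql-server-5.5 mysql-server/root_password_again password vulnerables | debconf-set-selections` pre-seed in the same RUN (its sibling line sits above the hunk), so a root-password value stays baked into the image history for a package that is no longer installed; drop that pre-seed or say why it remains. The `ln -sf /proc/self/fd/1 /var/log/apache2/access.log` symlinks also overlap with the `ErrorLog /dev/stderr` and `CustomLog` directives added in conf/000-default.conf, so one of the two log-redirection mechanisms is redundant and worth a comment stating which one is authoritative.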
@@ -10,16 +10,25 @@ The aim of DVWA is to practice some of the most common web vulnerability, with v
 ## Run this image
-To run this image you need [docker](http://docker.com) installed. Just run the command:
+To run this image you need [docker](http://docker.com) 17.09CE and [docker-compose](https://docs.docker.com/compose/install/) installed. Just run the command:
- docker run --rm -it -p 80:80 vulnerables/web-dvwa
+ docker-compose up --build
 And wait until it download the image and start it, after that you can see the image running in your local machine:
-![setup](https://github.com/opsxcq/docker-vulnerable-dvwa/blob/master/setup.png?raw=tru)
+![setup](https://github.com/opsxcq/docker-vulnerable-dvwa/blob/master/img/setup.png?raw=tru)
 Just click on the ```Create / Reset database``` button and it will generate any aditional configuration needed.
+To stop the stack, run:
+
+ docker-compose down
+
+If you stop the containers unexpectedly (e.g., `Ctrl-C`) and you find Apache refusing to start, rebuild or run:
+
+ docker-compose rm
+ docker-compose up
+
 ## Login with default credentials
 To login you can use the following credentials:
@@ -31,7 +40,7 @@ To login you can use the following credentials:
 The default dificulty level is the ```impossible``` level, you can change it in ```DVWA Security``` item in the left menu.
-![dificulty](https://github.com/opsxcq/docker-vulnerable-dvwa/blob/master/setup-dificulty.png?raw=tru)
+![dificulty](https://github.com/opsxcq/docker-vulnerable-dvwa/blob/master/img/setup-dificulty.png?raw=tru)
 ## Hack and have fun !
@@ -40,7 +49,7 @@ In the id field, add this query:
 %' and 1=0 union select null, concat(user,':',password) from users #
-![sqli](https://github.com/opsxcq/docker-vulnerable-dvwa/blob/master/sqli.png?raw=true)
+![sqli](https://github.com/opsxcq/docker-vulnerable-dvwa/blob/master/img/sqli.png?raw=true)
 There are several other ways and other vulnerabilities do exploit, go ahead, have fun !
diff --git a/conf/000-default.conf b/conf/000-default.conf
new file mode 100644
index 0000000..6f36332
--- /dev/null
+++ b/conf/000-default.conf
@@ -0,0 +1,30 @@
+
+ # The ServerName directive sets the request scheme, hostname and port that
+ # the server uses to identify itself. This is used when creating
+ # redirection URLs. In the context of virtual hosts, the ServerName
+ # specifies what hostname must appear in the request's Host: header to
+ # match this virtual host. For the default virtual host (this file) this
+ # value is not decisive as it is used as a last resort host regardless.
+ # However, you must set it for any further virtual host explicitly.
+ #ServerName www.example.com
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
+ # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+ # error, crit, alert, emerg.
+ # It is also possible to configure the loglevel for particular
+ # modules, e.g.
+ #LogLevel info ssl:warn
+
+ ErrorLog /dev/stderr
+ CustomLog /dev/sdtout common
+ # For most configuration files from conf-available/, which are
+ # enabled or disabled at a global level, it is possible to
+ # include a line for only one particular virtual host. For example the
+ # following line enables the CGI configuration for this host only
+ # after it has been globally disabled with "a2disconf".
+ #Include conf-available/serve-cgi-bin.conf
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/php.ini b/conf/php.ini
similarity index 100%
rename from php.ini
rename to conf/php.ini
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..3086872
--- /dev/null
+++ b/docker-compose.yml
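Review bot: `CustomLog /dev/sdtout common` misspells the device, so Apache will open (or try to create) a regular file named `/dev/sdtout` instead of the container's stdout and the access log never reaches `docker logs`; it should read `CustomLog /dev/stdout common`. Together with `ErrorLog /dev/stderr` this vhost also bypasses the `/var/log/apache2/*.log` symlinks that the Dockerfile in this commit creates, so one of the two redirection mechanisms is redundant and the file should say which is intended. The stock Debian file wraps these directives in a `<VirtualHost *:80>` block; this rendering shows only blank lines where that opening and closing would be, so I cannot tell whether the wrapper survived — confirm it is present, since the indented directives at file scope would otherwise not define the default site.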
@@ -0,0 +1,21 @@
+version: '3'
+services:
+
+ dvwa:
+ build:
+ context: .
+ ports:
+ - 80:80
+ volumes:
+ - ./dvwa:/var/www/html
+
+ dvwa_db:
+ image: library/mysql
+ environment:
+ MYSQL_ROOT_PASSWORD: vulnerables
+ MYSQL_DATABASE: dvwa
+ MYSQL_USER: dvwa_db_user
+ MYSQL_PASSWORD: changeme
+ volumes:
+ - ./mysql:/var/lib/mysql
+
diff --git a/dvwa/config/config.inc.php b/dvwa/config/config.inc.php
index a740e10..345fe37 100644
--- a/dvwa/config/config.inc.php
+++ b/dvwa/config/config.inc.php
@@ -12,7 +12,7 @@
 # WARNING: The database specified under db_database WILL BE ENTIRELY DELETED during setup.
 # Please use a database dedicated to DVWA.
 $_DVWA = array();
-$_DVWA[ 'db_server' ] = '127.0.0.1';
+$_DVWA[ 'db_server' ] = 'dvwa_db';
 $_DVWA[ 'db_database' ] = 'dvwa';
 $_DVWA[ 'db_user' ] = 'root';
 $_DVWA[ 'db_password' ] = 'vulnerables';
diff --git a/setup-dificulty.png b/img/setup-dificulty.png
similarity index 100%
rename from setup-dificulty.png
rename to img/setup-dificulty.png
diff --git a/setup.png b/img/setup.png
similarity index 100%
rename from setup.png
rename to img/setup.png
diff --git a/sqli.png b/img/sqli.png
similarity index 100%
rename from sqli.png
rename to img/sqli.png
diff --git a/main.sh b/main.sh
deleted file mode 100755
index 1bcf6ed..0000000
--- a/main.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash
-
-echo '[+] Starting mysql...'
-service mysql start
-
-echo '[+] Starting apache'
-service apache2 start
-
-while true
-do
- tail -f /var/log/apache2/*.log
- exit 0
-done
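Review bot: `image: library/mysql` carries no tag, so each fresh `docker-compose up` may pull a different MySQL major release than the one this php5/`php5-mysql` stack was built against, and a newer server's default authentication plugin can stop the client from connecting at all; pin the tested release, e.g. `image: mysql:<pinned-tag>` (placeholder for the version actually verified). `MYSQL_USER: dvwa_db_user` and `MYSQL_PASSWORD: changeme` provision a dedicated account that nothing uses, because `dvwa/config/config.inc.php` in the same commit keeps `db_user` = `root` and `db_password` = `vulnerables` (its own comment asks for a database dedicated to DVWA); either point the app config at the dedicated user — the official image grants it full privileges on `MYSQL_DATABASE`, which as far as I can tell covers the drop/recreate the setup page does — or drop the two variables so the file does not suggest a least-privilege setup that is not in effect. `ports: - 80:80` publishes a deliberately vulnerable application on every host interface, while the README describes running it "in your local machine"; `- 127.0.0.1:80:80` keeps it on loopback unless exposure is wanted. The `dvwa` service also declares no `depends_on` for `dvwa_db`, which is tolerable only because DVWA first contacts the database when the reset button is clicked, and that assumption deserves a comment.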
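Review bot: `$_DVWA[ 'db_server' ] = 'dvwa_db';` now depends on a name that only resolves inside the compose network, but nothing in the file says so, so anyone running this image without docker-compose (the README's previous `docker run` form) gets an opaque connection failure; a one-line comment above the assignment such as `# 'dvwa_db' is the docker-compose service name; it resolves only inside the compose network` would make the coupling explicit. The remaining `db_user` / `db_password` lines are discussed in the docker-compose.yml note for this commit.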