Metasploitable 2 – DVWA – Damn Vulnerable Web App

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the processes of securing web applications, and to aid teachers and students in teaching and learning web application security in a classroom environment.

Security environment:

[Screenshot: security environment]

Remote File Inclusion (RFI) is a type of vulnerability most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation.


In PHP the main cause is the use of unvalidated external variables such as $_GET, $_POST and $_COOKIE with a filesystem function, most notably the include and require statements. Most of the vulnerabilities can be attributed to novice programmers not being familiar with all of the capabilities of the PHP programming language. PHP has an allow_url_fopen directive; if it is enabled, filesystem functions can take a URL and retrieve data from remote locations. An attacker alters a variable that is passed to one of these functions so that it includes malicious code from a remote resource. To mitigate this vulnerability, all user input needs to be validated before being used.
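The validation described above, as an added example (constructed here, not DVWA's source): the `page` parameter only selects a key from a server-side allow-list, so no user-controlled string ever reaches `include`. The `pages` directory and the file names in the list are assumptions.

```php
<?php
// Added example: constructed code, not DVWA's source.
//
// Vulnerable pattern (left as a comment so it never runs):
//   include $_GET['page'];
// The request decides which file PHP loads and executes.

// Assumed layout: page scripts live in ./pages next to this file.
const PAGE_DIR = __DIR__ . '/pages';
// Allow-list: request value => file chosen by the server (names are hypothetical).
const PAGES = [
    'index'   => 'index.php',
    'include' => 'include.php',
    'help'    => 'help.php',
];

/**
 * Map the user-supplied ?page= value to a server-chosen file.
 * Returns null for anything that is not on the allow-list.
 */
function resolve_page($requested): ?string
{
    // Rejects arrays (?page[]=x), URLs, traversal strings and unknown names alike.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$requested]);
    if ($base === false || $path === false) {
        return null; // directory or file missing
    }
    // Defence in depth: the resolved file must still sit inside PAGE_DIR
    // (catches a symlink in the directory that points elsewhere).
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

$page = resolve_page($_GET['page'] ?? 'index');
if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
include $page;

// php.ini hardening: keep allow_url_include = Off so include/require
// refuse http:// and ftp:// paths even if a check like this is bypassed.
```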

More info

DVWA - Vulnerability: File Inclusion

To include a file, edit the ?page=index.php parameter in the URL to determine which file is included.

[Screenshot: Remote file inclusion]

