Disable login page

[TeefHennessy]

Hi everyone !

First of all, thanks for creating this great learning tool :) I've been playing with it for some time and had good time.

I'd like to use DVWA to learn some tools too. I'm able to access DVWA (which is installed on VM machine) externally, that is from other VM machines and for manual learning it works fine. However when I try to use for example some SQLi tools (jsql for example) and I'm targeting SQLI module I get response that it's not possible although security is set to low. I'm guessing the problem may be first login page - correct me if I'm wrong.

Is there a way to disable logging in requirement to make all labs "public" ?

Thanks in advance :)

[digininja]

If that is the problem then all you need to do is to log in manually in a browser and take to cookie and tell whatever tool you are using to send that with the requests. I don't know jsql but sqlmap works like that.

Robin On 12 Jan 2016 06:15, "TeefHennessy" notifications@github.com wrote:

Hi everyone !

First of all, thanks for creating this great learning tool :) I've been playing with it for some time and had good time

I'd like to use DVWA to learn some tools too I'm able to access DVWA (which is installed on VM machine) externally, that is from other VM machines and for manual learning it works fine However when I try to use for example some SQLi tools (jsql for example) and I'm targeting SQLI module I get response that it's not possible although security is set to low I'm guessing the problem may be first login page - correct me if I'm wrong

Is there a way to disable logging in requirement to make all labs "public" ?

Thanks in advance :)

— Reply to this email directly or view it on GitHub https://github.com/RandomStorm/DVWA/issues/53.

[TeefHennessy]

Thank you for response digininja,

However jsql was just an example, I don't think I can tell it to use cookie and there are many more tools that I'd like to try. While workaround with cookie is good idea, this doesn't solve issue.

Does anyone knows how to disable login functionality ?

[digininja]

Any tools worth using will allow you to pass extra parameters, usually cookies, along with them. If they don't then why not have a look at the code and learn how to add the feature.

On 13 January 2016 at 14:38, TeefHennessy notifications@github.com wrote:

Thank you for response digininja,

However jsql was just an example, I don't think I can tell it to use cookie and there are many more tools that I'd like to try. While workaround with cookie is good idea, this doesn't solve issue.

Does anyone knows how to disable login functionality ?

— Reply to this email directly or view it on GitHub https://github.com/RandomStorm/DVWA/issues/53#issuecomment-171310556.

[g0tmi1k]

@TeefHennessy There is no simple way of disabling the login. You would need to dig about in the code and edit a few lines.

Any 'good' tool would allow you to set a cookie value (or add a custom header field). All you need to put in is the session ID from the cookie in the request (after being logged in). I don't think I know of a single tool that doesn't support cookies in a request... ....and for the record, jSQL does support it (need to press the arrow down on the right hand side):

[TeefHennessy]

Alright, thanks everyone for help

[ron190]

As @g0tmi1k stated, jSQL accepts also cookies. In older version there is a dedicated field for cookie and since jSQL v0.74 cookies are merged in the Header field (e.g Cookie:key=value).

What is usually done when cookie is required is that you log in manually into the application with your browser and debugger (F12 in Firefox), and you read the header string similar to PHPSESSID=eb...9d, it's your current active user's session ID.

Then you copy this full key=value in the cookie field of your security tool in order to connect to the application as the current active user. e.g in jSQL v0.74 : Cookie:PHPSESSID=eb...9d

[adamziaja]

Most easy is probably change line https://github.com/ethicalhack3r/DVWA/blob/master/login.php#L35 to if( ( $result && mysql_num_rows( $result ) == 1 ) || true ) {

[uf0o]

to me makes more sense to change https://github.com/ethicalhack3r/DVWA/blob/7ab2e557135d4658b000517f4e49b00b3027812b/index.php#L6 to dvwaPageStartup( array( 'unauthenticated', 'phpids' ) );

[digininja]

You realise you've dug up a 3 year old issue?

To me it makes more sense to learn how to use the tools correctly. Why dumb down your learning environments when you could instead increase your own skills.

[uf0o]

why make assumpions without any context? :) I needed a quick way to disable the login page since I have adopted DVWA to banchmark automated vulnerability scanners that lack any HTTP/POST authentication mechanism. Hence, I left this comment for anyone else having a similar need that I am having right now. hth

[digininja]

In which case, unless they are very good tools at something specific, I'd still drop them in favour of something that can handle cookies or authentication.

On Thu, 17 Jan 2019 at 13:33, Matteo Malvica notifications@github.com wrote:

why make assumpions without any context? :) I needed a quick way to disable the login page since I have adopted DVWA to banchmark automated vulnerability scanners that lack any HTTP/POST authentication mechanism. Hence, I left this comment for anyone else having a similar need that I am having right now. hth

— You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.

[uf0o]

appreciate your inputs :) thank you

[vulnz]

@avanzo thank you man

[vulnz]

guys, after you did this: dvwaPageStartup( array( 'unauthenticated', 'phpids' ) ); at DVWA/index.php

also you need to go to dvwaPage.inc.php

function dvwaPageStartup( $pActions ) { if( in_array( 'unauthenticated', $pActions ) ) { if( dvwaIsLoggedIn()) {

to

function dvwaPageStartup( $pActions ) { if( in_array( 'authenticated', $pActions ) ) { if( !dvwaIsLoggedIn()) {

and

if( dvwaIsLoggedIn() ) {
to if( !dvwaIsLoggedIn() ) {

change few lines. Here is example of mine that work. And after make mv index.php instruction.php - replace it. Easy and sexy.

[davidvilla]

I found some strange behavior using vulnz modifications. I got good responses with:

At index.php (line 6) dvwaPageStartup( array( 'unauthenticated', 'phpids' ) );

At dvwa/includes/dvwaPage.inc.php (function dvwaPageStartup), comment out the first block:

//      if( in_array( 'authenticated', $pActions ) ) {
//              if( !dvwaIsLoggedIn()) {
//                      dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT . 'login.php' );
//              }
//      }

Cheers

[vulnz]

Man use docker. Vulnz/dvwa and modify maybe one line of host

[davidvilla]

Thank you, I am using a modified dvwa docker image (arco/dvwa) and it works exactly I want.

[zyyae]

更改文件：\DVWA\dvwa\includes\dvwaPage.inc.php

更改代码: dvwaIsLoggedIn 函数

原始函数定义：

function dvwaIsLoggedIn() { $dvwaSession =& dvwaSessionGrab(); return isset( $dvwaSession[ 'username' ] ); }

更改后函数定义：

function dvwaIsLoggedIn() { $dvwaSession =& dvwaSessionGrab(); $dvwaSession[ 'username' ]='admin'; return isset( $dvwaSession[ 'username' ] ); }

it works!

[Omniwot]

This works

I found some strange behavior using vulnz modifications. I got good responses with:

At index.php (line 6) dvwaPageStartup( array( 'unauthenticated', 'phpids' ) );

At dvwa/includes/dvwaPage.inc.php (function dvwaPageStartup), comment out the first block:

//      if( in_array( 'authenticated', $pActions ) ) {
//              if( !dvwaIsLoggedIn()) {
//                      dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT . 'login.php' );
//              }
//      }

Cheers

[digininja]

I built in a feature to do this ages ago, just set disable_authentication in the config file to disable authentication, you don't need to change any code.

On Sat, 16 Mar 2024, 22:11 Omniwot, @.***> wrote:

This works

I found some strange behavior using vulnz modifications. I got good responses with:

At index.php (line 6) dvwaPageStartup( array( 'unauthenticated', 'phpids' ) );

At dvwa/includes/dvwaPage.inc.php (function dvwaPageStartup), comment out the first block:

// if( in_array( 'authenticated', $pActions ) ) { // if( !dvwaIsLoggedIn()) { // dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT . 'login.php' ); // } // }

Cheers

— Reply to this email directly, view it on GitHub https://github.com/digininja/DVWA/issues/53#issuecomment-2002155231, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAA4SWIKTRUFQMICTO2OC43YYS7RTAVCNFSM4BYLSZCKU5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TEMBQGIYTKNJSGMYQ . You are receiving this because you commented.Message ID: @.***>