digininja / DVWA

Damn Vulnerable Web Application (DVWA)
GNU General Public License v3.0

dockerfile install error #577

Closed mortals-tx closed 1 year ago

mortals-tx commented 1 year ago

After installing using dockerfile, access error reported:

Warning: Undefined variable $DBMS_errorFunc in /var/www/html/dvwa/includes/dvwaPage.inc.php on line 517

Warning: Cannot modify header information - headers already sent by (output started at /var/www/html/dvwa/includes/dvwaPage.inc.php:517) in /var/www/html/dvwa/includes/dvwaPage.inc.php on line 548

mortals-tx commented 1 year ago

Version: 2.3

digininja commented 1 year ago

Two problems here. The first is that your system was failing to connect to the database; I've no idea why it would do that, as all the database stuff is set up automatically and has worked for everyone else.

The second, the error that you've got, was a bug in the code when trying to show the error saying it couldn't connect to the database. I've fixed the bug; you may now get a sensible error when you try to access it, you may not.

mortals-tx commented 1 year ago

I have completely used your code without any changes, just the Docker Build and Docker Run

digininja commented 1 year ago

Can you try to build it all again with this new fix?

mortals-tx commented 1 year ago

Download the source code again to execute?

digininja commented 1 year ago

Yes, pull the source again and then re-run the docker commands.

mortals-tx commented 1 year ago

New error: Fatal error: Uncaught mysqli_sql_exception: Connection refused in /var/www/html/dvwa/includes/dvwaPage.inc.php:503 Stack trace: #0 /var/www/html/dvwa/includes/dvwaPage.inc.php(503): mysqli_connect('127.0.0.1', 'dvwa', Object(SensitiveParameterValue), '', '3306') #1 /var/www/html/login.php(8): dvwaDatabaseConnect() #2 {main} thrown in /var/www/html/dvwa/includes/dvwaPage.inc.php on line 503

digininja commented 1 year ago

Just checking, you are following the manual docker install instructions and accessing it on port 4280?

digininja commented 1 year ago

I've found the problem, you need to run the setup first to create all the tables, then it should work.

@hoang-himself can you have a look at this and work out why either the database isn't being created, or why the config file is set to not require authentication which means it bypasses the login page and so misses the check that would send them to the setup page.

hoang-himself commented 1 year ago

new error:Fatal error: Uncaught mysqli_sql_exception: Connection refused in /var/www/html/dvwa/includes/dvwaPage.inc.php:503 Stack trace: #0 /var/www/html/dvwa/includes/dvwaPage.inc.php(503): mysqli_connect('127.0.0.1', 'dvwa', Object(SensitiveParameterValue), '', '3306') #1 /var/www/html/login.php(8): dvwaDatabaseConnect() #2 {main} thrown in /var/www/html/dvwa/includes/dvwaPage.inc.php on line 503

I have completely used your code without any changes, just the Docker Build and Docker Run

@mortals-tx This says a connection to the database at 127.0.0.1:3306 failed, and based on how you just used docker build and docker run, I assume that you didn't read the readme where it actually tells you to use docker compose.

I suggest that you take your time with the readme, otherwise keep us updated. Using an external database is possible, of course, but it is out of scope (https://github.com/digininja/DVWA/pull/550#issuecomment-1496604542).

hoang-himself commented 1 year ago

why either the database isn't being created

Because it is not being created

or why the config file is set to not require authentication which means it bypasses the login page and so misses the check that would send them to the setup page

IIRC this has been the behavior since I started using this project where the user just gets redirected to the login page.

https://github.com/digininja/DVWA/blob/16a21a8f925f1f754f605de3d75488bc04e2e560/index.php#L3-L6

https://github.com/digininja/DVWA/blob/16a21a8f925f1f754f605de3d75488bc04e2e560/dvwa/includes/dvwaPage.inc.php#L84-L90

digininja commented 1 year ago

Can you check that this is set to false in the config file you create? My guess is that it is set to true.

$_DVWA[ 'disable_authentication' ] = false;

hoang-himself commented 1 year ago

I didn't create any new config file, I only reused it.

https://github.com/digininja/DVWA/blob/16a21a8f925f1f754f605de3d75488bc04e2e560/Dockerfile#L13

https://github.com/digininja/DVWA/blob/16a21a8f925f1f754f605de3d75488bc04e2e560/config/config.inc.php.dist#L43

This can also be seen in the images uploaded to ghcr.

$ podman run --rm ghcr.io/digininja/dvwa:latest cat /var/www/html/config/config.inc.php
Trying to pull ghcr.io/digininja/dvwa:latest...
Getting image source signatures
Copying blob sha256:7d212700447af298b6d71a80267d7fbeec4b48e70a1fbb7d2fd7b286f0e9dd7a
Copying blob sha256:635676b59bff48bb8bf1480dd07a2ec477ac43d5d8f589b04a4b49600280dbf0
Copying blob sha256:8748b1b28b494d0c88f7ff96b5b0e31ae6f2db72cafa2a6f4e6f50f9359c2c26
Copying blob sha256:52d2b7f179e32b4cbd579ee3c4958027988f9a8274850ab0c7c24661e3adaac5
Copying blob sha256:08dbc2d7054ba7a357e67b9a5bbeb76074fa786bbeb65777f71fbbc4106e616d
Copying blob sha256:0885630aadbcb28ae6d814b992be1a8cdf6a59b5dbd64eaa970e4c5b008f7459
Copying blob sha256:8870ab32a8d38013ed62a0622cf491f879c3a17903682329daf7c31c272e09b6
Copying blob sha256:5044ddca62e6a110165e3cceb26f1cea80d7a3bb234e93cbfac5abb6444605d0
Copying blob sha256:23ddf7f6968faf66caa3d2ad09f9803ec5bd3e6b3551c9e303200e1ae2dcb909
Copying blob sha256:89c07fc5273eadf74c8c9e49f3eb8d37bd2387a197b02adb9b2a6c84a0cbcbf2
Copying blob sha256:7475029d0c03562accb3cb6e9c619550ff64e4928a6ca303becc5121995e5541
Copying blob sha256:3e2da362b34655611cb598255c5130d0697d01f885f6466c9d51f36868e5e389
Copying blob sha256:051f00ca3658d8d490c5ac003957ebb1a2cf76a5a941812179016e10c12e4ec3
Copying blob sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1
Copying blob sha256:31baf72437cbb688fcc22a26b42cc516fa94f5a41fd0e716da3ea8f602a443f7
Copying blob sha256:89639b7910f372daa3b685db721456b08d5f73799a5e11365bcbd8395f1e0652
Copying blob sha256:b4f66c875296a23b29f1f9e9c148ac62539298796fb62ec85d3a038557734a32
Copying config sha256:d4647c6917a19a90a46e4d7e1cab32e6c265d5921764f754c4e78b791d4bc191
Writing manifest to image destination
<?php

# If you are having problems connecting to the MySQL database and all of the variables below are correct
# try changing the 'db_server' variable from localhost to 127.0.0.1. Fixes a problem due to sockets.
#   Thanks to @digininja for the fix.

# Database management system to use
$DBMS = 'MySQL';
#$DBMS = 'PGSQL'; // Currently disabled

# Database variables
#   WARNING: The database specified under db_database WILL BE ENTIRELY DELETED during setup.
#   Please use a database dedicated to DVWA.
#
# If you are using MariaDB then you cannot use root, you must use create a dedicated DVWA user.
#   See README.md for more information on this.
$_DVWA = array();
$_DVWA[ 'db_server' ]   = getenv('DB_SERVER') ?: '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'dvwa';
$_DVWA[ 'db_password' ] = 'p@ssw0rd';
$_DVWA[ 'db_port']      = '3306';

# ReCAPTCHA settings
#   Used for the 'Insecure CAPTCHA' module
#   You'll need to generate your own keys at: https://www.google.com/recaptcha/admin
$_DVWA[ 'recaptcha_public_key' ]  = '';
$_DVWA[ 'recaptcha_private_key' ] = '';

# Default security level
#   Default value for the security level with each session.
#   The default is 'impossible'. You may wish to set this to either 'low', 'medium', 'high' or impossible'.
$_DVWA[ 'default_security_level' ] = 'impossible';

# Default locale
#   Default locale for the help page shown with each session.
#   The default is 'en'. You may wish to set this to either 'en' or 'zh'.
$_DVWA[ 'default_locale' ] = 'en';

# Disable authentication
#   Some tools don't like working with authentication and passing cookies around
#   so this setting lets you turn off authentication.
$_DVWA[ 'disable_authentication' ] = false;

define ('MYSQL', 'mysql');
define ('SQLITE', 'sqlite');

# SQLi DB Backend
#   Use this to switch the backend database used in the SQLi and Blind SQLi labs.
#   This does not affect the backend for any other services, just these two labs.
#   If you do not understand what this means, do not change it.
$_DVWA['SQLI_DB'] = MYSQL;
#$_DVWA['SQLI_DB'] = SQLITE;
#$_DVWA['SQLITE_DB'] = 'sqli.db';

?>

I will try this in XAMPP later.

hoang-himself commented 1 year ago

it bypasses the login page and so misses the check that would send them to the setup page.

Reproducible with XAMPP on Windows 11.

digininja commented 1 year ago

It should only do that with the auth bypass flag set.

I'll have to give it a try and see what happens.

mortals-tx commented 1 year ago

new error:Fatal error: Uncaught mysqli_sql_exception: Connection refused in /var/www/html/dvwa/includes/dvwaPage.inc.php:503 Stack trace: #0 /var/www/html/dvwa/includes/dvwaPage.inc.php(503): mysqli_connect('127.0.0.1', 'dvwa', Object(SensitiveParameterValue), '', '3306') #1 /var/www/html/login.php(8): dvwaDatabaseConnect() #2 {main} thrown in /var/www/html/dvwa/includes/dvwaPage.inc.php on line 503

I have completely used your code without any changes, just the Docker Build and Docker Run

@mortals-tx This says a connection to the database at 127.0.0.1:3306 failed, and based on how you just used docker build and docker run, I assume that you didn't read the readme where it actually tells you to use docker compose.

I suggest that you take your time with the readme, otherwise keep us updated. Using an external database is possible, of course, but it is out of scope (#550 (comment)).

Yes, docker-compose is working.

digininja commented 1 year ago

I think I might have worked out some of what is going on.

For a short while, I had accidentally checked in a copy of the config file which had disable auth set to true. While that was the case, I created the DVWA images on my box which means my version had the flag set to true in my base image.

Running docker compose found the old images and just ran those, it didn't update them.

@hoang-himself Is there a way to have the image updated every time it is started? If not, I'm guessing the image will be frozen at the point it was created and so users won't get any updates.

hoang-himself commented 1 year ago

@digininja since there is a workflow to build and push images to ghcr now, I am considering making Compose always download the latest image from ghcr. This will make sure that everyone uses the same image, thus providing the same behavior in usage and debugging.

Of course we can make Compose always build an image from local, but I guess that's for debugging only.

See pull_policy: always and build.

digininja commented 1 year ago

Having it download the latest would be best, it would help diagnose problems and stop people running four month old versions like I was.

Adding instructions on how to do it all by hand would be good, just for completeness.

hoang-himself commented 1 year ago

I'm not sure what you mean by do it all by hand, but #580 should handle it.

digininja commented 1 year ago

"do it by hand" build your own image from the downloaded files rather than trust the image from GitHub.

The compose you wrote will build from the downloaded files but won't rebuild if the files have changed. Add the commands to either remove the image so it can be rebuilt or show how to update the existing image.
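The thread turns on two operational points: a `docker compose up` that silently reuses a stale local image (the `pull_policy: always` suggestion and digininja's request for rebuild commands above), and a config flag (`disable_authentication`) baked into that image, which hoang-himself inspected by running `cat` inside the image. The script below is an added example, not DVWA's own code, that puts those steps in one place: refresh the lab by pulling or rebuilding, write a Compose override equivalent to `pull_policy: always`, and check the baked flag before the lab is exposed. The image name and config path are taken from the podman output in the thread; the presence of a `compose.yml` in the current directory and a web service named `web` are assumptions, as is the `refresh`/`override`/`check` command interface.

```shell
#!/bin/sh
# Added example, not part of DVWA. Refreshes a Compose-based DVWA deployment
# and inspects the config baked into the image before the lab is exposed.
#
# Assumptions (not from the thread): a compose.yml in the current directory,
# and that its web service is named "web" (only used by write_pull_override).
# The image name and the config path come from the podman output in the thread.
# Note on the "Connection refused" error above: a bare `docker run` starts only
# the web container, so nothing listens on 127.0.0.1:3306 inside it; Compose is
# what starts the database service next to it.
set -eu

IMAGE="${DVWA_IMAGE:-ghcr.io/digininja/dvwa:latest}"
CONFIG_PATH=/var/www/html/config/config.inc.php

# Read a DVWA config file on stdin and print the value of
# $_DVWA['disable_authentication'] ("true" or "false"); prints nothing if the
# setting is absent. Comment lines are ignored.
dvwa_auth_flag() {
  grep 'disable_authentication' | grep -v '^[[:space:]]*#' \
    | sed 's/.*= *//; s/[[:space:]]*;.*//' | head -n 1
}

# Print the flag baked into an image without starting the web service.
# Same idea as the podman command in the thread: run cat inside the image.
image_auth_flag() {
  docker run --rm "$1" cat "$CONFIG_PATH" | dvwa_auth_flag
}

# Refresh the running lab. A plain `docker compose up` reuses whatever image is
# already present, so a stale local build keeps running until it is replaced.
#   pull  : fetch the latest published image
#   build : rebuild from the checked-out sources (--no-cache so edited files
#           are picked up; --pull refreshes the base image as well)
refresh() {
  case "$1" in
    pull)  docker compose pull ;;
    build) docker compose build --pull --no-cache ;;
    *)     echo "refresh: expected pull or build" >&2; return 2 ;;
  esac
  docker compose up -d
}

# Alternative to refreshing by hand: an override that makes Compose fetch the
# published image on every `docker compose up` (pull_policy: always).
write_pull_override() {
  cat > compose.override.yml <<'EOF'
services:
  web:
    image: ghcr.io/digininja/dvwa:latest
    pull_policy: always
EOF
}

case "${1:-}" in
  refresh)  refresh "${2:-pull}" ;;
  override) write_pull_override ;;
  check)
    flag=$(image_auth_flag "$IMAGE")
    echo "disable_authentication=${flag:-unset}"
    # Fail if authentication is disabled: as described in the thread, the login
    # page and the setup check behind it are then skipped.
    [ "$flag" = false ]
    ;;
  *) echo "usage: $0 {refresh [pull|build]|override|check}" ;;
esac
```

Run `sh dvwa-lab.sh check` before `sh dvwa-lab.sh refresh pull` (or `refresh build` when working from modified sources); the `check` exit status is non-zero whenever the baked config does not set the flag to `false`, so it can gate a deployment step. The parser is deliberately text-based rather than executing PHP inside the image, so it works on any image that carries the config file at the path shown in the thread.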

hoang-himself commented 1 year ago

#580 should do what you want. I have added comments in the compose file and updated the readme.

https://github.com/digininja/DVWA/pull/580/files#diff-3493e6b5ddf34891e572f911db893efd9e46af828e011ea778a7c1eb64763588R13-R14

https://github.com/digininja/DVWA/pull/580/files#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5R134-R142