digininja / DVWA

Damn Vulnerable Web Application (DVWA)
GNU General Public License v3.0

SQL injection not showing errors using Docker version of build #591

Closed rjceledon closed 1 year ago

rjceledon commented 1 year ago

Describe the bug

Running the docker-compose up -d using the Docker package will build the app with no issues; however, when going to SQL injection, it won't show any errors when inserting a bad SQL request. No injection seems to be working for some reason.

To Reproduce

    git clone https://github.com/digininja/DVWA
    cd DVWA
    docker-compose up -d

Steps to reproduce the behaviour:

  1. Go to SQL Injection
  2. Insert a ' symbol
  3. No error is shown

Logs

Logs default to an internal file descriptor and are not accessible either:

    root@b9c1d2f2ea71:/var/www/html# ls -l /var/log/apache2/
    total 0
    lrwxrwxrwx 1 www-data www-data 11 Nov 1 05:20 access.log -> /dev/stdout
    lrwxrwxrwx 1 www-data www-data 11 Nov 1 05:20 error.log -> /dev/stderr
    lrwxrwxrwx 1 www-data www-data 11 Nov 1 05:20 other_vhosts_access.log -> /dev/stdout

Expected behaviour

MariaDB/MySQL errors should be showing when entering a bad SQL request.

What have you done to help fix the issue yourself?

I've tried to set up the php.ini file, but the Docker image is using PHP 8.2 and no /etc/php folder exists:

    root@b9c1d2f2ea71:/var/www/html# php -v
    PHP 8.2.12 (cli) (built: Nov 1 2023 05:52:10) (NTS)
    Copyright (c) The PHP Group
    Zend Engine v4.2.12, Copyright (c) Zend Technologies
    root@b9c1d2f2ea71:/var/www/html# ls /etc/php
    ls: cannot access '/etc/php': No such file or directory

Also tried modifying $_DVWA[ 'default_security_level' ] = 'impossible'; to low instead and /var/www/html/php.ini, but none of those makes any difference.

System (please complete the following information):

I'm not an expert on this, just trying to use the Docker version for easiest access, and it is not working.

Thanks for the help in advance!

rjceledon commented 1 year ago

You may want to close this issue. I was able to show errors by changing the Security Level from Impossible to Low; however, changing the file at /var/www/html/config/config.inc.php won't work for this, even after stopping and starting the containers, or restarting apache2 with service apache2 restart or apachectl restart.

Only changing it directly from the website itself, at http://localhost:4280/security.php, would actually change the Security Level and update it in the below-left pane, which wasn't the case before (when changing the config.inc.php file).

Thanks for everything tho! Great app

digininja commented 1 year ago

The app is working as expected; low, medium, and high are all returning errors for normal SQLi.

Changing the config file only changes the default security level when you don't have a cookie set, so once you've been to the site and a cookie has been set at a certain level, that is the level you will work at. Come to the site from a clean browser and you'll start with whatever default is set in the config file.
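
The precedence described in the reply above, sketched as an added example (not DVWA's own code and not posted by anyone in this thread): a level stored in the browser's cookie overrides the config default, which is consulted only when no usable cookie is present. The function name, the `security` cookie name, the fallback for unrecognised values and the sample scenarios are assumptions made for illustration.

```php
<?php
// Added illustration, not DVWA source. Names below are hypothetical.

// The four levels mentioned in the thread.
const LEVELS = ['low', 'medium', 'high', 'impossible'];

/**
 * Resolve the level a request runs at.
 * Order: valid cookie value, then config default, then the safest level.
 */
function effective_security_level(array $cookies, array $config): array
{
    // Assumption: the level cookie is named "security".
    $cookie = $cookies['security'] ?? null;
    if (is_string($cookie) && in_array($cookie, LEVELS, true)) {
        return ['level' => $cookie, 'source' => 'cookie'];
    }

    // No usable cookie: this is the only case where the config file matters.
    $default = $config['default_security_level'] ?? null;
    if (is_string($default) && in_array($default, LEVELS, true)) {
        return ['level' => $default, 'source' => 'config default'];
    }

    // Neither value is usable: fall back to the most restrictive level.
    return ['level' => 'impossible', 'source' => 'fallback'];
}

// Constructed scenarios mirroring the situations discussed in the thread.
$scenarios = [
    'clean browser, config edited to low'   => [[], ['default_security_level' => 'low']],
    'existing cookie, config edited to low' => [['security' => 'impossible'], ['default_security_level' => 'low']],
    'level changed via security.php'        => [['security' => 'low'], ['default_security_level' => 'impossible']],
    'unrecognised cookie value'             => [['security' => 'none'], ['default_security_level' => 'impossible']],
];

foreach ($scenarios as $name => [$cookies, $config]) {
    $result = effective_security_level($cookies, $config);
    printf("%-40s => %-10s (from %s)\n", $name, $result['level'], $result['source']);
}
```

The second scenario is the one reported in the issue: the browser already holds a cookie at `impossible`, so editing the config default to `low` changes nothing until the cookie is cleared or the level is changed through the site.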