DVWA Lab Deployment

Getting started

Damn Vulnerable Web Application (DVWA) (translator's note: literally, a "damn" insecure web application) is a badly coded, vulnerable PHP/MySQL web application. Its main goal is to help security professionals practice their skills and test their tools in a legal environment, to help web developers better understand how to harden web applications, and to help students and teachers learn about web security in a controlled classroom setting.

DVWA's aim is to let you practice some of the most common web vulnerabilities through a simple, straightforward interface, with each vulnerability offered at several difficulty levels. Note that the software contains both documented and undocumented vulnerabilities. This is intentional. You are encouraged to rely on your own ability to try and discover as many security issues as possible.

Installation method 1 (build the Docker image)

Note: this method requires an up-to-date Docker package; otherwise replace the docker compose command with docker-compose. The DVWA built this way is the latest version, currently 2.3.

https://github.com/digininja/DVWA/

It is possible to run DVWA with containers.

Prerequisites: Docker and Docker Compose.

  • If you are using Docker Desktop, both of these should be already installed.
  • If you prefer Docker Engine on Linux, make sure to follow their installation guide.

We provide support for the latest Docker release as shown above.
If you are using Linux and the Docker package that came with your package manager, it will probably work too, but support will only be best-effort.

Upgrading Docker from the package manager version to upstream requires that you uninstall the old versions as seen in their manuals for Ubuntu, Fedora and others.
Your Docker data (containers, images, volumes, etc.) should not be affected, but in case you do run into a problem, make sure to tell Docker and use search engines in the meantime.

Then, to get started:

  1. Run docker version and docker compose version to see if you have Docker and Docker Compose properly installed. You should be able to see the version of Docker in the output.

    For example:

    >>> docker version
    Client:
    [...]
    Version: 23.0.5
    [...]

    Server: Docker Desktop 4.19.0 (106363)
    Engine:
    [...]
    Version: 23.0.5
    [...]

    >>> docker compose version
    Docker Compose version v2.17.3

    If you don't see anything or get a command not found error, follow the prerequisites to set up Docker and Docker Compose.

  2. Clone or download this repository and extract (see Download).

  3. Open a terminal of your choice and change its working directory to DVWA.

  4. docker compose up -d.

DVWA is now available at http://localhost:4280.

Notice that for running DVWA in containers, the web server is listening on port 4280 instead of the usual port of 80.
For more information on this decision, see I want to run DVWA on a different port.

The image is built with docker-compose; the two files that matter are Dockerfile and compose.yml in the repository directory.

  • Dockerfile

    FROM docker.io/library/php:8-apache
    WORKDIR /var/www/html

    # https://www.php.net/manual/en/image.installation.php
    RUN apt-get update \
        && apt-get install -y zlib1g-dev libpng-dev libjpeg-dev libfreetype6-dev \
        && rm -rf /var/lib/apt/lists/* \
        && docker-php-ext-configure gd --with-jpeg --with-freetype \
        # Use pdo_sqlite instead of pdo_mysql if you want to use sqlite
        && docker-php-ext-install gd mysqli pdo pdo_mysql

    COPY --chown=www-data:www-data . .
    COPY --chown=www-data:www-data config/config.inc.php.dist config/config.inc.php

  • compose.yml

    volumes:
      dvwa:

    networks:
      dvwa:

    services:
      dvwa:
        build: .
        environment:
          - DB_SERVER=db
        depends_on:
          - db
        networks:
          - dvwa
        ports:
          - 4280:80
        restart: unless-stopped

      db:
        image: docker.io/library/mariadb:10
        environment:
          - MYSQL_ROOT_PASSWORD=dvwa
          - MYSQL_DATABASE=dvwa
          - MYSQL_USER=dvwa
          - MYSQL_PASSWORD=p@ssw0rd
        volumes:
          - dvwa:/var/lib/mysql
        networks:
          - dvwa
        restart: unless-stopped

  1. Once docker-compose has finished building, there are three images: php, mariadb and dvwa. After docker-compose up -d, the PHP container's port is mapped to host port 4280, so DVWA is reachable at http://127.0.0.1:4280.

    $ docker images
    REPOSITORY     TAG        IMAGE ID       CREATED       SIZE
    dvwa-23_dvwa   latest     dab5ed4ddfb9   5 days ago    513MB
    php            8-apache   8bb6f2dcced5   12 days ago   503MB
    mariadb        10         c8b77d250201   5 weeks ago   403MB

  2. The default account is admin:password. After logging in, the home page looks like this:

    [Screenshot: DVWA home page]
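Because DVWA is vulnerable by design, the port mapping 4280:80 in the compose.yml above deserves a second look before the lab is started on a shared network: a mapping without a host address makes Docker publish the port on every interface, so anyone on the LAN can reach the application. The helper below is an added example written for this post; it is not part of the original article or of the DVWA project. It rewrites the mapping so the port is published on 127.0.0.1 only and reports which host address a mapping is bound to. It assumes the upstream compose.yml shown above (service dvwa, mapping 4280:80); the function names, the DVWA_PORT variable and the sample file content are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post or the DVWA project).
# Narrows the published port of the deliberately vulnerable DVWA container
# to the loopback interface and reports where a Compose port mapping binds.
# Assumed: the upstream compose.yml (service "dvwa", mapping "4280:80").
# Function names, DVWA_PORT and the sample file below are this example's own.

DVWA_PORT="${DVWA_PORT:-4280}"   # host port used by the upstream compose.yml

# Print the host address a "- [addr:]HOSTPORT:80" mapping publishes on.
# A mapping without an address ("4280:80") makes Docker bind 0.0.0.0,
# i.e. every interface of the host, which for DVWA means the whole LAN.
published_host_ip() {
  file="$1"
  mapping=$(grep -E "^[[:space:]]*-[[:space:]]*\"?([0-9.]+:)?${DVWA_PORT}:80\"?" "$file" \
            | head -n 1 \
            | sed -E 's/^[[:space:]]*-[[:space:]]*"?//; s/"?[[:space:]]*$//')
  case "$mapping" in
    *:*:*) printf '%s\n' "${mapping%%:*}" ;;   # addr:host:container form
    ?*)    printf '0.0.0.0\n' ;;               # host:container form
    *)     printf 'none\n' ;;                  # no mapping for DVWA_PORT
  esac
}

# Rewrite "- 4280:80" to "- 127.0.0.1:4280:80" in place. Idempotent: a
# mapping that already carries a host address is left untouched.
bind_to_loopback() {
  file="$1"
  sed -E "s/^([[:space:]]*-[[:space:]]*\"?)${DVWA_PORT}:80/\1127.0.0.1:${DVWA_PORT}:80/" "$file" \
    > "$file.tmp" && mv "$file.tmp" "$file"
}

# True when the Docker CLI and the Compose v2 plugin are both usable
# (the "docker compose" form that method 1 relies on).
compose_available() {
  command -v docker >/dev/null 2>&1 && docker compose version >/dev/null 2>&1
}

# Constructed sample: the port-relevant lines of the upstream compose.yml.
SAMPLE_COMPOSE='services:
  dvwa:
    build: .
    ports:
      - 4280:80
    restart: unless-stopped
'

demo() {
  dir=$(mktemp -d)
  printf '%s' "$SAMPLE_COMPOSE" > "$dir/compose.yml"
  echo "before: $(published_host_ip "$dir/compose.yml")"   # 0.0.0.0
  bind_to_loopback "$dir/compose.yml"
  echo "after:  $(published_host_ip "$dir/compose.yml")"   # 127.0.0.1
  rm -rf "$dir"
}

demo
```

Run bind_to_loopback against the real compose.yml before docker compose up -d, then verify with published_host_ip or docker port after the containers are up. For installation method 2 the same restriction is expressed directly on the command line as -p 127.0.0.1:8080:80 instead of -p 8080:80.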

Installation method 2 (pull a prebuilt image)

Note that the DVWA version installed this way differs from the one above; in my case, DVWA is version 1.1.

  1. docker pull vulnerables/web-dvwa
  2. docker run -d --name dvwa -p 8080:80 vulnerables/web-dvwa
  3. Open 127.0.0.1:8080 in a browser; the default username and password are admin:password

Summary

In the lab exercises that follow, either of the two installations can be used: the source code of each level is almost identical, with minor differences that do not affect the exercises. For consistency, I will first


http://blog.lingyuanming.site/2022/06/02/dvwa-field-build/
Author: LYM
Published: 2 June 2022