Disable login page #53
Comments
If that is the problem then all you need to do is to log in manually in a Robin
|
Thank you for the response, digininja. However, jsql was just an example; I don't think I can tell it to use a cookie, and there are many more tools that I'd like to try. While the workaround with a cookie is a good idea, this doesn't solve the issue. Does anyone know how to disable the login functionality? |
Any tools worth using will allow you to pass extra parameters, usually
|
@TeefHennessy Any 'good' tool would allow you to set a cookie value (or add a custom header field). All you need to put in is the session ID from the cookie in the request (after being logged in). I don't think I know of a single tool that doesn't support cookies in a request... |
Alright, thanks everyone for help |
As @g0tmi1k stated, jSQL also accepts cookies. In older versions there is a dedicated field for the cookie, and since jSQL v0.74 cookies are merged into the Header field (e.g. Cookie:key=value). What is usually done when a cookie is required is that you log in manually to the application with your browser and debugger (F12 in Firefox), and you read the header string similar to PHPSESSID=eb...9d; it's your current active user's session ID. Then you copy this full key=value into the cookie field of your security tool in order to connect to the application as the current active user, e.g. in jSQL v0.74: Cookie:PHPSESSID=eb...9d |
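Added example, not part of the thread and not DVWA or jSQL code: a small Python check for the two things the comments above describe, namely recognising that a tool's request was bounced to login.php (the redirect quoted later in this thread) and turning a cookie string copied from the browser into one `Cookie:` header line. The response texts and cookie values are constructed samples, and the function names are hypothetical.

```python
from email.parser import Parser
from http.cookies import SimpleCookie

# Constructed sample responses (not captured from a real server).
UNAUTHENTICATED = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef0123456789; path=/\r\n"
    "Location: ../../login.php\r\n"
    "Content-Length: 0\r\n\r\n"
)
AUTHENTICATED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=utf-8\r\n\r\n"
    "<html>...</html>"
)


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    return status, Parser().parsestr(header_block, headersonly=True)


def hit_login_wall(raw):
    """True when the response redirects to login.php, i.e. no valid session was sent."""
    status, headers = parse_response(raw)
    location = headers.get("Location", "")
    return 300 <= status < 400 and location.split("?")[0].endswith("login.php")


def cookie_header(pasted):
    """Normalise a cookie string copied from the browser into one 'Cookie:' line."""
    jar = SimpleCookie()
    # Accept both 'PHPSESSID=...' and the 'Cookie:PHPSESSID=...' form used above.
    jar.load(pasted.replace("Cookie:", "", 1).strip())
    if "PHPSESSID" not in jar:
        raise ValueError("no PHPSESSID in pasted cookie string")
    return "Cookie: " + "; ".join(f"{k}={m.value}" for k, m in jar.items())


if __name__ == "__main__":
    print(hit_login_wall(UNAUTHENTICATED), hit_login_wall(AUTHENTICATED))
    print(cookie_header("Cookie:PHPSESSID=0123456789abcdef0123456789"))
```

If `hit_login_wall` is true for the responses your tool receives, the session cookie was missing or expired, not the lab misconfigured.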
Easiest is probably to change line https://github.com/ethicalhack3r/DVWA/blob/master/login.php#L35 to |
To me it makes more sense to change https://github.com/ethicalhack3r/DVWA/blob/7ab2e557135d4658b000517f4e49b00b3027812b/index.php#L6 |
You realise you've dug up a 3 year old issue? To me it makes more sense to learn how to use the tools correctly. Why dumb down your learning environments when you could instead increase your own skills. |
Why make assumptions without any context? :) |
In which case, unless they are very good tools at something specific,
I'd still drop them in favour of something that can handle cookies or
authentication.
…On Thu, 17 Jan 2019 at 13:33, Matteo Malvica ***@***.***> wrote:
Why make assumptions without any context? :)
I needed a quick way to disable the login page since I have adopted DVWA to benchmark automated vulnerability scanners that lack any HTTP/POST authentication mechanism.
Hence, I left this comment for anyone else having a similar need that I am having right now.
hth
|
appreciate your inputs :) thank you |
@Avanzo thank you man |
Guys, after you did this, you also need to go to function dvwaPageStartup( $pActions ) { to function dvwaPageStartup( $pActions ) { and if( dvwaIsLoggedIn() ) { change a few lines. |
I found some strange behavior using vulnz modifications. I got good responses with: At index.php (line 6) At dvwa/includes/dvwaPage.inc.php (function dvwaPageStartup), comment out the first block:
Cheers |
Man use docker. Vulnz/dvwa and modify maybe one line of host |
Thank you, I am using a modified dvwa docker image (arco/dvwa) and it works exactly as I want. |
File to change: \DVWA\dvwa\includes\dvwaPage.inc.php Code to change: the dvwaIsLoggedIn function. Original function definition: function dvwaIsLoggedIn() { Modified function definition: function dvwaIsLoggedIn() { it works! |
This works
|
I built in a feature to do this ages ago, just set `disable_authentication`
in the config file to disable authentication, you don't need to change any
code.
…On Sat, 16 Mar 2024, 22:11 Omniwot, ***@***.***> wrote:
This works
I found some strange behavior using vulnz modifications. I got good responses with:
At index.php (line 6):
```php
dvwaPageStartup( array( 'unauthenticated', 'phpids' ) );
```
At dvwa/includes/dvwaPage.inc.php (function dvwaPageStartup), comment out the first block:
```php
// if( in_array( 'authenticated', $pActions ) ) {
//     if( !dvwaIsLoggedIn()) {
//         dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT . 'login.php' );
//     }
// }
```
Cheers
|
Hi everyone !
First of all, thanks for creating this great learning tool :) I've been playing with it for some time and had good time.
I'd like to use DVWA to learn some tools too. I'm able to access DVWA (which is installed on VM machine) externally, that is from other VM machines, and for manual learning it works fine. However, when I try to use for example some SQLi tools (jsql for example) and I'm targeting the SQLI module, I get a response that it's not possible although security is set to low. I'm guessing the problem may be the first login page - correct me if I'm wrong.
Is there a way to disable the logging in requirement to make all labs "public"?
Thanks in advance :)