Can't "create/reset db" // login.php is blank #114

Akrozia opened this Issue Nov 28, 2016 · 14 comments

@Akrozia
Akrozia commented Nov 28, 2016

Hi,

I've installed DVWA v1.9 on Debian 8.
This Debian is actually a virtual machine running on proxmox version 4.2-17.
I can't Create / Reset Database on http://localhost:8888/dvwa/setup.php, I just get redirected to http://localhost:8888/dvwa/setup.php# (which is blank ...)
I've tried to go to http://localhost:8888/dvwa/login.php but you know... It's blank too.

So, here's what I've already done :

Setup.php showing me this :

Setup Check
Operating system: *nix
Backend database: MySQL
PHP version: 5.6.24-0+deb8u1

Web Server SERVER_NAME: localhost

PHP function display_errors: Disabled
PHP function safe_mode: Disabled
PHP function allow_url_include: Enabled
PHP function allow_url_fopen: Enabled
PHP function magic_quotes_gpc: Disabled
PHP module php-gd: Installed

reCAPTCHA key: xxxxxxxxxxxxxxxxx

Writable folder /var/www/html/dvwa/hackable/uploads/: Yes)
Writable file /var/www/html/dvwa/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt: Yes

My php version :

root@dvwa:/var/www/html# php -v
PHP 5.6.24-0+deb8u1 (cli) (built: Jul 26 2016 08:17:07)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies

Working with mariadb :

root@dvwa:/var/www/html# apt-cache show mariadb-server
Package: mariadb-server
Source: mariadb-10.0
Version: 10.0.27-0+deb8u1
Installed-Size: 73
Maintainer: Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>
Architecture: all
Depends: mariadb-server-10.0 (>= 10.0.27-0+deb8u1)

And here's my apache2 version :

root@dvwa:/var/www/html# apt-cache show apache2
Package: apache2
Version: 2.4.10-10+deb8u7
Installed-Size: 526
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Architecture: amd64
Replaces: apache2.2-common, libapache2-mod-macro (<< 1:2.4.6-1~)
Provides: httpd, httpd-cgi
Depends: lsb-base, procps, perl, mime-support, apache2-bin (= 2.4.10-10+deb8u7), apache2-utils (>= 2.4), apache2-data (= 2.4.10-10+deb8u7)
Pre-Depends: dpkg (>= 1.17.14)

Already done :

chmod -R 755 dvwa
chmod g+w dvwa/hackable/uploads/
chmod g+w dvwa/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt

Some more information :

root@dvwa:/var/www/html# curl localhost/dvwa/login.php
root@dvwa:/var/www/html#
root@dvwa:/var/www/html# ls /var/www/html/dvwa/
about.php     dvwa         index.php         php.ini       vulnerabilities
CHANGELOG.md  external     instructions.php  README.md
config        favicon.ico  login.php         robots.txt
COPYING.txt   hackable     logout.php        security.php
docs          ids_log.php  phpinfo.php       setup.php

I haven't any clue or idea on what's going on.
Seems like I'm not alone in having these troubles.
I can give you more information if needed, hope you can help me ! Thanks !

@digininja
Contributor
@Akrozia
Akrozia commented Nov 28, 2016

Hi digininja,
Here's my Apache log file (for today) :

[Mon Nov 28 11:07:09.201038 2016] [core:error] [pid 616] [client 10.1.1.254:35236] AH00135: Invalid method in request \x1b\x1b
[Mon Nov 28 21:09:43.030365 2016] [:error] [pid 619] [client 10.1.1.254:46172] script '/var/www/html/dvwa/settings.php' not found or unable to stat
[Mon Nov 28 21:09:46.216680 2016] [:error] [pid 619] [client 10.1.1.254:46172] script '/var/www/html/dvwa/setings.php' not found or unable to stat
[Mon Nov 28 21:11:24.749542 2016] [mpm_prefork:notice] [pid 558] AH00169: caught SIGTERM, shutting down
[Mon Nov 28 21:11:27.220305 2016] [mpm_prefork:notice] [pid 3860] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Mon Nov 28 21:11:27.220414 2016] [core:notice] [pid 3860] AH00094: Command line: '/usr/sbin/apache2'
[Mon Nov 28 21:13:15.914136 2016] [:error] [pid 3865] [client 10.1.1.254:46196] script '/var/www/html/dvwa/dvwa/index.php' not found or unable to stat
[Mon Nov 28 21:13:52.020354 2016] [mpm_prefork:notice] [pid 3860] AH00169: caught SIGTERM, shutting down
[Mon Nov 28 21:13:53.692063 2016] [mpm_prefork:notice] [pid 3917] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Mon Nov 28 21:13:53.692163 2016] [core:notice] [pid 3917] AH00094: Command line: '/usr/sbin/apache2'
[Mon Nov 28 21:19:17.953302 2016] [:error] [pid 3928] [client 10.1.1.254:46240] script '/var/www/html/dvwa/setings.php' not found or unable to stat
[Mon Nov 28 21:55:45.239886 2016] [mpm_prefork:notice] [pid 3917] AH00169: caught SIGTERM, shutting down
[Mon Nov 28 21:55:52.533098 2016] [mpm_prefork:notice] [pid 7772] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Mon Nov 28 21:55:52.533232 2016] [core:notice] [pid 7772] AH00094: Command line: '/usr/sbin/apache2'
@digininja
Contributor
@Akrozia
Akrozia commented Nov 28, 2016

Index exists, settings doesn't (trying to access setup.php...).
As above, here's my dvwa folder (in /var/www/html/)

root@dvwa:/var/www/html# ls /var/www/html/dvwa/
about.php     dvwa         index.php         php.ini       vulnerabilities
CHANGELOG.md  external     instructions.php  README.md
config        favicon.ico  login.php         robots.txt
COPYING.txt   hackable     logout.php        security.php
docs          ids_log.php  phpinfo.php       setup.php
@digininja
Contributor
@Akrozia
Akrozia commented Nov 28, 2016

Seems like index isn't here.

root@dvwa:~# ls /var/www/html/dvwa/dvwa/
css  images  includes  js

Still dunno what to do, moving index.php here ?

@digininja
Contributor
@Akrozia
Akrozia commented Nov 28, 2016 edited

So, I tried to access http://localhost:8080/dvwa/ and was redirected to http://localhost:8080/dvwa/login.php
And at the same time, after clearing log and restarting apache2 ....

root@dvwa:~# tailf /var/log/apache2/error.log
[Tue Nov 29 00:33:08.840137 2016] [mpm_prefork:notice] [pid 7772] AH00169: caught SIGTERM, shutting down
[Tue Nov 29 00:33:10.142394 2016] [mpm_prefork:notice] [pid 8227] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Tue Nov 29 00:33:10.145347 2016] [core:notice] [pid 8227] AH00094: Command line: '/usr/sbin/apache2'

Nothing, no error.
Same log file after Create/Reset Database.

I can access to my database :

root@dvwa:~# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 32
Server version: 10.0.27-MariaDB-0+deb8u1 (Debian)

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use dvwa;
Database changed
MariaDB [dvwa]>exit

How can I check mariadb extensions for php ?

@digininja
Contributor
@Akrozia
Akrozia commented Nov 29, 2016

Here's my phpinfo page :

phpinfo.zip

@digininja
Contributor
@Akrozia
Akrozia commented Nov 29, 2016 edited

The DVWA database is actually empty, because I can't Create/Reset Database.
Actually the server is running on kvm, I must make an ssh tunnel to access dvwa (ssh -L 8888:10.1.1.8:80).

I've already deleted the dvwa folders and imported them again (from zip), modifying only what I need, it still isn't working.
Browsing didn't make any error log.

Yeah, it's a local database with only 1 user on the kvm (root), mariadb has no password.

I'll try to install it from live cd this evening. I'll give you feedback if it works this way (or another).
Anyway, thank you digininja for your time and your help. :)

@digininja
Contributor
@prmdsngh
prmdsngh commented Dec 3, 2016

Here are some fixes you can do:

At the bottom, we see that a couple of folders need to be made writable by the web server. Let’s do:

chgrp www-data dvwa/hackable/uploads/
chmod g+w dvwa/hackable/uploads/
chgrp www-data dvwa/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt
chmod g+w dvwa/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt

Install the php-gd image manipulation module for PHP5:
    A simple apt-get install php7.0-gd won’t work here. We’ll need to add a repository first:
    while still in su mode, nano /etc/apt/sources.list
    At the very end of the file, add the line deb http://repo.kali.org/kali kali-rolling main non-free contrib and save the file, then run:

    apt-get update
    apt-get install php7.0-gd

Enable allow_url_include:
    gedit /etc/php5/apache2/php.ini
    Change allow_url_include from Off to On.
You can create a reCAPTCHA key and add it to config.inc.php if you want.
Run service apache2 restart to make the configuration changes live.
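
Added example, not part of the thread or of DVWA: Debian's php5 packages keep one php.ini for the Apache module (`/etc/php5/apache2/php.ini`) and another for the command line (`/etc/php5/cli/php.ini`), so the file that was edited is worth reading back directly. The sketch below reports three of the directives that setup.php lists, as they are set in a given file; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: read directives from a php.ini file without starting PHP.

# ini_get FILE DIRECTIVE -> last uncommented value in FILE, or "unset"
ini_get() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }                      # whole-line comment
        {
            line = $0
            sub(/[ \t]*;.*$/, "", line)          # strip trailing comment
            n = index(line, "=")
            if (n == 0) next                     # section header or blank
            k = substr(line, 1, n - 1)
            v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v                # last assignment wins
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# ini_is_on VALUE -> exit status 0 when PHP would treat VALUE as boolean true
ini_is_on() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        on|1|true|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# report FILE -> one "directive=value" line per directive shown by setup.php
report() {
    for d in display_errors allow_url_include allow_url_fopen; do
        printf '%s=%s\n' "$d" "$(ini_get "$1" "$d")"
    done
}

# Constructed sample input (not the reporter's real php.ini).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[PHP]
;allow_url_include = On
allow_url_include = Off
allow_url_fopen = On
display_errors = Off   ; production default
EOF
report "$sample"
rm -f "$sample"
```

Running `report` against both the apache2 and the cli file shows whether the two disagree; a commented-out `;allow_url_include = On` line is ignored, as PHP itself ignores it.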