s4n7h0 / xvwa
XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security.
License: GNU General Public License v3.0
Hi, facing an issue:
Whenever I log in and enter admin admin, I get redirected to http://localhost/var/www/html/xvwa/login.php ??
The requested URL /var/www/html/xvwa/login.php was not found on this server.
Apache/2.4.18 (Ubuntu) Server at 192.168.56.102 Port 80
pwd : /var/www/html/xvwa/
ls : login.php exists
Thank you
I've used the auto setup "xvwa-setup.sh" and it runs successfully. When I enter localhost/xvwa, an empty page appears with a black bar at the top, with the word xvwa at the left inside the bar, while mysql and apache are running, not stopped.
mysql_connect, mysql_fetch_array(), mysql_select_db() and other MySQL PHP functions are used, which don't work with updated versions of PHP. I had to replace them with mysqli_connect, and similarly for the others.
Also, this error is common with new versions of PHP:
PHP Notice: Undefined variable: input in C:\xvwa\vulnerabilities\xpath\home.php on line 35
Code needs to be updated to run with PHP 7.0.x
E.g.: PHP Fatal error: Uncaught Error: Call to undefined function mysql_select_db()
Code needs to be updated for PHP 7.2.4!!
It throws out errors in all attack pages.
SQLI: https://i.imgur.com/JMmX6DG.png
SQLI (Blind): https://i.imgur.com/AhjJw4X.png
OS Command Injection: https://i.imgur.com/5Etu6I1.png
XPATH Injection: https://i.imgur.com/nNMrEBJ.png
Formula Injection: https://i.imgur.com/XNjNWj1.png
Unrestricted File Upload: https://i.imgur.com/8EvGm9y.png
XSS - Reflected: https://i.imgur.com/XesCddI.png
SSRF / XSPA: https://i.imgur.com/vVqNrRu.png
File Inclusion: https://i.imgur.com/5t8m0Pc.png
Session Flaws: https://i.imgur.com/LA91x6w.png
I think it's enough to see that XVWA is broken ATM.
Please fix it as fast as you can!
I have downloaded the ISO, but I have a lot of problems.
Vulnerabilities such as the SSRF one do not work.
I hope you can fix that.
there should be some details
Hi everyone,
I am currently facing the same issue as others have stated here: I only see a blank page with the black header after I set up XVWA and try to reach the website. My system is a custom-built Linux using yocto, including apache, php, mysql and proftpd. Sadly I am not able to run the setup script since the commands won't work. I followed the steps the script is doing manually.
The my.cnf has the following lines:
[client]
#password = password
...
[mysqld]
user = root
...
The XVWA config is:
<?php
$XVWA_WEBROOT = "";
$host = "localhost";
$dbname = 'xvwa';
$user = "root";
$pass = "";
$conn = new mysqli($host,$user,$pass,$dbname);
$conn1 = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);
$conn1->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
?>
I have created a database named xvwa and SQL Server is running:
/etc/init.d/mysqld status
SUCCESS! MySQL running (1335)
Do you have any suggestion what to try to get it running? Any help is appreciated!
I have seen the code of the "Unrestricted File Upload", but I can't upload an image.
I have a test of dvwa, that's ok.
Pls help me, and give me the answer, thank u!
After successfully visiting locally xvwa, I tried to login so I can setup the database and start using it.
Yet though, clicking login (after entering the details, tried with all of them: admin, xvwa, and user),
all I get is a blank (white) page with url: http://localhost/xvwa/login.php.
Is it a local problem? (Note that I am using UniServer Zero XI 11.8.1)
Hey, I built a bootable live iso of xvwa. I know you have mentioned this before but I don't see one on here, so I thought if you'd like to contact me to take a look you may wanna take a look. It's built on a minimal ubuntu server 14.04.x and easy to throw in a vm and just run and then navigate to 192.x.x.x./wvwa or whatever and good to go!
System: Windows 10 Professional
Webserver: XAMPP (Apache, MySQL, PHP)
Screenshot: https://i.imgur.com/HoUFh6F.png
config.php is correct. (User: "root", Password: "")
Hey @s4n7h0, it would be interesting if there were more command injection scenarios (i.e. blind command injections, HTTP Headers command injections, code injections etc).
Many php files seem to be wrongly linked, including the login.php. Idk if this happens just in my case, but I tried manually changing 'include' paths on files like e.g. header.php, setup/home.php. Since header.php has bad 'include' links, the rest of the document never loads completely, showing up an almost blank page.
Obviously, correcting the bad links solved part of the issue, but there are so many of them that I think it's kind of annoying for the end user to manually find and edit wrong coding.
My os: Ubuntu - yakkety
I succeeded in the installation process, but when I try to open localhost/xvwa, it only shows a blank page. Is there any dependency on bootstrap maybe?
ubuntu 14.04 mysql apache2 php5.5.9
and it can't work correctly
only see xvwa on the top left
okay
php5-mysql needs to be installed
I installed xvwa on a local network under Windows 10. When I run http://localhost:8080/xvwa-master/setup/ I have the following error message:
Warning: include(G:\serveur\root\xvwa-master../xvwa/config.php): failed to open stream: No such file or directory in G:\serveur\root\xvwa-master\header.php on line 18
Warning: include(): Failed opening 'G:\serveur\root\xvwa-master../xvwa/config.php' for inclusion (include_path='.;C:\php\pear') in G:\serveur\root\xvwa-master\header.php on line 18
Hi Team,
I am trying to install the application on VirtualBox running Ubuntu, LAMP stack installed, phpMyAdmin also installed, database created.
However, every time I try to access the page, all I get is a blank screen:
http://192.168.56.103/xvwa/setup/
drwxrwxrwx 9 root root 4096 May 28 17:48 xvwa
setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); ?>
file_uploads = On
allow_url_fopen = on
allow_url_include = on
Can anyone suggest what went wrong? Thank you.