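id: dvwa-default-login

info:
  name: DVWA Default Login
  author: pdteam
  severity: critical
  description: Damn Vulnerable Web App (DVWA) is a test application for security professionals. The hard coded credentials are part of a security testing scenario.
  reference:
    - https://opensourcelibs.com/lib/dvwa
  classification:
    cwe-id: CWE-798
  metadata:
    # Two raw requests below (GET to obtain token/session, then POST).
    max-request: 2
  tags: dvwa,default-login

http:
  # Step 1: fetch the login page to obtain the CSRF token and session cookie.
  # Step 2: submit the login form with the shipped default credentials.
  # A match means the instance still uses the credentials DVWA ships with;
  # remediation is to change them and keep the application off untrusted networks.
  - raw:
      - |
        GET /login.php HTTP/1.1
        Host: {{Hostname}}
        Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
        Connection: close
      - |
        POST /login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: PHPSESSID={{session}}; security=low
        Connection: close

        username={{username}}&password={{password}}&Login=Login&user_token={{token}}

    # One username paired with one password; pitchfork pairs payload lists
    # positionally rather than producing a cross product.
    payloads:
      username:
        - admin
      password:
        - password
    attack: pitchfork

    # Values extracted from the first response and reused in the second request.
    # internal: true keeps them out of the reported output.
    extractors:
      - type: regex
        name: token
        group: 1
        internal: true
        part: body
        regex:
          - "hidden' name='user_token' value='([0-9a-z]+)'"
      - type: kval
        name: session
        internal: true
        # NOTE(review): kval extractors read header/cookie pairs; confirm that
        # `part: body` does not prevent PHPSESSID from being captured here.
        part: body
        kval:
          - PHPSESSID

    # Follow same-host redirects so the post-login landing page is matched.
    host-redirects: true

    # Success is the literal post-login greeting in the response body.
    matchers:
      - type: word
        words:
          - "You have logged in as 'admin'"

# NOTE(review): the digest below was computed over the original template bytes;
# any reformatting (indentation, `key :` → `key:`) changes them, so re-sign
# the template after editing.
# digest: 490a00463044022045f5835991e9296cd7ed9bdca15bba2bb5a2c5f7f36071fa10441e2b91eddb5102205eb559de4798a34aa57c1816eef56160104d0ed92ce27f1a122ab3db664fddca:922c64590222798bb761d5b6d8e72950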