digininja/DVWA

SQL injection not showing errors using Docker version of build

rjceledon opened this issue · 2 comments

Describe the bug
Running docker-compose up -d using the Docker package will build the app with no issues; however, when going to SQL Injection, it won't show any errors when inserting a bad SQL request. No injection seems to be working for some reason.

To Reproduce
git clone https://github.com/digininja/DVWA
cd DVWA
docker-compose up -d

Steps to reproduce the behaviour:

  1. Go to SQL Injection
  2. Insert a ' symbol
  3. No error is shown

Logs
Logs default to an internal file descriptor and are not accessible either
root@b9c1d2f2ea71:/var/www/html# ls -l /var/log/apache2/
total 0
lrwxrwxrwx 1 www-data www-data 11 Nov 1 05:20 access.log -> /dev/stdout
lrwxrwxrwx 1 www-data www-data 11 Nov 1 05:20 error.log -> /dev/stderr
lrwxrwxrwx 1 www-data www-data 11 Nov 1 05:20 other_vhosts_access.log -> /dev/stdout

Expected behaviour
MariaDB/MySQL errors should be showing when entering a bad SQL request

What have you done to help fix the issue yourself?
I've tried to set up the php.ini file, but the Docker image is using PHP 8.2 and no /etc/php folder exists
root@b9c1d2f2ea71:/var/www/html# php -v
PHP 8.2.12 (cli) (built: Nov 1 2023 05:52:10) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.2.12, Copyright (c) Zend Technologies
root@b9c1d2f2ea71:/var/www/html# ls /etc/php
ls: cannot access '/etc/php': No such file or directory

Also tried modifying $_DVWA[ 'default_security_level' ] = 'impossible'; to low instead and /var/www/html/php.ini, but none of those makes any difference

System (please complete the following information):

  • OS: "Debian GNU/Linux 12 (bookworm)"
  • Database and Version: mysql Ver 15.1 Distrib 10.11.5-MariaDB, for debian-linux-gnu (x86_64) using EditLine wrapper
  • PHP Version PHP 8.2.12 (cli) (built: Nov 1 2023 05:52:10) (NTS)
  • docker-compose version 1.29.2, build unknown

I'm not an expert on this, just trying to use the Docker version for easiest access, and it is not working.

Thanks for the help in advance!

You may want to close this Issue. I was able to show errors by changing the Security Level from Impossible to Low; however, changing the file at /var/www/html/config/config.inc.php won't work for this, even after stopping and starting containers, or restarting apache2 with service apache2 restart or apachectl restart.

Only changing it directly from the website itself http://localhost:4280/security.php would actually change the Security Level and update it in the below-left pane which wasn't the case before (when changing the config.inc.php file)

Thanks for everything tho! Great app

The app is working as expected, low, medium, and high are all returning errors for normal SQLi.

Changing the config file only changes the default security level when you don't have a cookie set, so once you've been to the site and a cookie has been set at a certain level, that is the level you will work at. Come to the site from a clean browser and you'll start with whatever default is set in the config file.
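
The precedence described in the reply above, modelled as an added example (not DVWA's own code and not part of the original thread). It assumes the level cookie is named `security` and that a missing or invalid default falls back to `impossible`; neither detail is stated on this page, and the sample config and Cookie header are constructed.

```python
import re
from http.cookies import SimpleCookie

LEVELS = ("low", "medium", "high", "impossible")

# Matches the config line quoted in the issue, ignoring commented-out copies:
#   $_DVWA[ 'default_security_level' ] = 'impossible';
_DEFAULT_RE = re.compile(
    r"""^\s*\$_DVWA\[\s*['"]default_security_level['"]\s*\]\s*=\s*['"](\w+)['"]\s*;""",
    re.MULTILINE,
)


def config_default(config_text):
    """Return the last valid default level set in the config text.

    Falls back to 'impossible' when no valid assignment is found (assumption).
    """
    found = [m for m in _DEFAULT_RE.findall(config_text) if m in LEVELS]
    return found[-1] if found else "impossible"


def effective_level(cookie_header, config_text):
    """Return (level, source) for a request carrying this Cookie header."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("security")  # cookie name is an assumption
    if morsel is not None and morsel.value in LEVELS:
        # A cookie from an earlier visit wins over any later config edit.
        return morsel.value, "cookie"
    return config_default(config_text), "config default"


# Constructed sample inputs: config edited to 'low', browser still holding
# the cookie it was given before the edit.
EDITED_CONFIG = "<?php\n$_DVWA[ 'default_security_level' ] = 'low';\n"
STALE_COOKIE = "PHPSESSID=constructed-session-id; security=impossible"

if __name__ == "__main__":
    for label, header in (("existing browser", STALE_COOKIE), ("clean browser", "")):
        level, source = effective_level(header, EDITED_CONFIG)
        print(f"{label}: {level} (from {source})")
```
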