## https://sploitus.com/exploit?id=27887232-9A9A-5E48-80EA-169E1B8C9BB7
# Web Application Security Testing โ DVWA Lab
End-to-end web app penetration test on DVWA (SQLi): report, evidence, and scripts.
## Contents
- `pentest-report.pdf` โ final professional PDF report
- `pentest-report.md` โ editable markdown report template
- `screenshots/` โ proof images (manual SQLi, sqlmap output, scans)
## Summary
This repository contains an educational Vulnerability Assessment & Penetration Test (VAPT) of the Damn Vulnerable Web Application (DVWA) performed in a controlled lab. The assessment demonstrates reconnaissance, scanning, SQL Injection exploitation (manual + automated), evidence capture, and recommendations.
## How to reproduce (lab)
> **NOTE:** Only run this in an isolated lab environment (VMs you own).
1. Setup:
- Attacker: Kali Linux
- Target: DVWA running in a local VM (host-only or NAT)
2. Recon:
- `sudo nmap -sS -sV -p- -T4 -oA scans/_full`
- `nikto -h http://192.168.204.149 -output nikto_reports/192.168.204.149_nikto.txt`
3. Directory/enum:
- `gobuster dir -u http://192.168.204.149 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt`
4. Manual SQLi:
- Login to DVWA (default `admin`/`password`), set Security = Low.
- Visit `/dvwa/vulnerabilities/sqli/` and test payload: `' OR '1'='1`
5. Automated SQLi:
- `./scripts/sqlmap_commands.sh `
6. Capture evidence: save screenshots into `screenshots/` and raw outputs into `scans/`.
## Key findings (short)
- **SQL Injection (High)** โ `/dvwa/vulnerabilities/sqli/` allowed data retrieval. See `screenshots/dvwa_sqli_manual.png`.
- Other informational findings from Nikto and Gobuster โ see raw outputs in `scans/` and `nikto_reports/`.
## Disclaimer
This repository is for **educational purposes only**. Do NOT use the tools, scripts, or techniques contained here against systems you do not own or have explicit permission to test.
## Author / Contact
Logesh โ cybersecurity enthusiast
logeswaran4000@gmail.com
+91 7397519594