SYWorks Vulnerable Web Applications Compilation For Penetration Testing
Installation Guide

This document provides an installation guide on how to create your own penetration testing environment with the pre-installed vulnerable web applications provided by SYWorks.

Updated: 15 Sep 2015
Table of Contents

1 Introduction
2 Installing XAMPP
3 Installing Java
4 Extracting The Package
5 Running XAMPP Modules
6 Starting The Web Page
  6.1 PHP Information
  6.2 System Information
  6.3 Funs with Uploading
  6.4 MySQL Server
  6.5 Tomcat Server
  6.6 b374k Web Shell
  6.7 WAVSEP 1.2
  6.8 ZAP Proxy Test Web App
7 Content Management System (CMS)
  7.1 Joomla CMS
  7.2 Wordpress CMS
8 Vulnerable Web Applications (Apache Server Based)
  8.1 bwapp An Extremely buggy web app
  8.2 NOWASP Mutillidae II Web Pen Test Practice Application
  8.3 DVWA Damn Vulnerable Web Application
  8.4 OWASP Bricks (Tuivai)
  8.5 BTS PenTesting Lab
  8.6 Peruggia 1.2
  8.7 SQL Injections Labs
  8.8 The Magical Code Injection Rainbow! MCIR
  8.9 WackoPicko.com
  8.10 OWASP WebGoat PHP Version
9 Vulnerable Web Applications (Tomcat Server)
  9.1 OWASP WebGoat 5.4
  9.2 OWASP WebGoat 6.0.1
  9.3 BodgeIt Store 1.4.0
  9.4 InsecureWebApp 1.0
  9.5 Java Vulnerable Lab 0.2
10 FTP Server Training
1 Introduction

Thank you for downloading the SYWorks Vulnerable Web Applications Compilation for Penetration Testing. The objective of this compilation is to gather some of the open-source vulnerable web applications that are available and put them into a single penetration testing environment, with the help of XAMPP, on a Windows operating environment. Apart from these vulnerable web applications, I have also included several outdated versions of WordPress and Joomla with some vulnerable plugins for testing. The reason for having multiple versions in one testing environment is that we sometimes need a certain version of a CMS and either cannot find it or find it too troublesome to install just for a test. The versions I have included in the package are mostly vulnerable versions. I have also included some FTP accounts with different password complexity and access rights for various tests. Future releases may include email services using Mercury, which is readily available in XAMPP, and some Wireless Penetration Testing training.

So far, included in the package are:

Vulnerable Web Applications (Apache Server)
  Joomla Content Management System (CMS)
  Wordpress Content Management System (CMS)
  bwapp An Extremely buggy web app!
  NOWASP Mutillidae II Web Pen Test Practice Application
  DVWA Damn Vulnerable Web Application
  OWASP Bricks (Tuivai)
  OWASP WebGoat PHP Version
  Peruggia 1.2
  SQL Injections Labs
  The Magical Code Injection Rainbow! MCIR
  WackoPicko.com
  b374k Shell 3.2
  BTS PenTesting Lab

Vulnerable Web Applications (Tomcat Server)
  OWASP WebGoat 5.4
  OWASP WebGoat 6.0.1
  BodgeIt Store 1.4.0
  InsecureWebApp 1.0
  WAVSEP 1.2 The Web Application Vulnerability Scanner Evaluation Project
  ZAP Proxy Test Web App
  Java Vulnerable Lab 0.2
Do take note that web applications running on the Tomcat Server require Java to be installed and XAMPP running with administrator rights. All these vulnerable web applications should be run in a virtual machine; do not run them live, as they are web applications with multiple vulnerabilities. Do take note also that these training images are provided AS IS and I do not bear any responsibility with respect to application failure or damages caused by using them. Everything included in the package is SOLELY FOR EDUCATION AND TRAINING PURPOSES ONLY.

In order to use this package, you will need to install XAMPP (https://www.apachefriends.org/index.html) first. See Installing XAMPP in the next chapter for details.

Please help to support my fan page at https://www.facebook.com/syworks
2 Installing XAMPP

Once you have downloaded XAMPP from ApacheFriends.Org, you can start installing by running the downloaded installation file. Click on Next to continue.
Check all components (default) and click Next to continue.

Leave the folder as C:\xampp (default) and click Next to continue.
You can uncheck Learn more about Bitnami and click on Next to continue.

Once everything is set, click on Next to begin the installation.
Once installation is complete, uncheck Do you want to start the Control Panel now and click on Finish.
Windows Firewall will prompt that httpd.exe (Apache HTTP Server) is requesting to communicate; click on Allow access to let it through.

Note: The Tomcat server requires Java to be installed, so you need to install Java if you have not already done so. See the next chapter on how to install Java; if you already have Java installed, you can proceed to Chapter 4 on extracting the package.
3 Installing Java

Simply download Java from https://www.java.com/en/download/chrome.jsp and follow the instructions.
4 Extracting The Package

Once you have downloaded the pentesting compilation package from https://sourceforge.net/u/syworks51/profile/, extract the compressed file. The compressed file contains an xampp folder with the sub folders and required files in it. Simply copy it over your existing XAMPP folder in C:\xampp, replacing the existing contents.

Copy the xampp folder from the package.

Replace the xampp folder.
Windows will alert that the folder already exists; simply click on Yes to continue.
Another alert will pop up; check Do this for all current items and click on the Yes button.
Check Do this for the next XXX conflicts and click on Copy and Replace to continue.

Note: Once everything is copied and replaced, it is advisable to restart your computer.
5 Running XAMPP Modules

To start the XAMPP application, click on Start and look for XAMPP. Right click on XAMPP Control Panel and select Run as administrator.
Click on Config to configure XAMPP. Check Apache, MySQL, FileZilla and Tomcat and click on Save.
Now click on Start for Apache, MySQL, FileZilla and Tomcat.
If this is the first time you run these modules, Windows Firewall will raise an alert. Simply click on Allow access as shown below. These services enable the MySQL Server (port 3306), FileZilla Server (port 21) and Tomcat Server (port 8080 and others).
After all modules are started, open your browser and load the SYWorks Vulnerable Web Applications page by typing http://localhost on the local machine, or http://x.x.x.x (the server's IP address) if you are browsing from another machine.
6 Starting The Web Page

On your web browser, simply type http://localhost on the local machine or http://10.10.1.100 (example) if you are browsing from another machine.
Click on the collapsible bar to expand the section.
Click on any of the URL shortcuts to explore the page.
6.1 PHP Information

6.2 System Information
6.3 Funs with Uploading

This page allows you to upload files of various types for testing. All files are stored in the C:\xampp\htdocs\uploads\ folder. Depending on the file type, a file is saved in the sub folder doc, exe or media.
Click on Browse to select a file and on Upload to upload it.
Click Go Directory to navigate to the upload directory.
Executable files are stored in C:\xampp\htdocs\uploads\exe.
6.4 MySQL Server

Click on MySQL Server (PhpMyAdmin) to view data in the MySQL server. By default, the login username is root with no password.
Note: You will need to change a setting in C:\xampp\apache\conf\extra\httpd-xampp.conf in order to reach phpMyAdmin and view the MySQL server from a remote machine, as shown below.
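As an added illustration (not the guide's own screenshot), the block below is the section of httpd-xampp.conf that restricts phpMyAdmin, reproduced from memory of the XAMPP releases of that era, so compare it against your own file. The "after" version admits only the lab subnet, assumed here to be 10.10.1.0/24 from the example address used earlier in this guide, instead of opening the path to every network.

```apache
# BEFORE (XAMPP default, "New XAMPP security concept"): phpMyAdmin and the
# other XAMPP admin paths answer only to requests from the local machine.
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
    Require local
    ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>

# AFTER: replace the block above with this one (keep only one of the two).
# "Require ip" lists the hosts allowed in; 10.10.1.0/24 is an assumed lab
# subnet, so substitute the one your VM network actually uses. Avoid
# "Require all granted", which would expose phpMyAdmin to any network the
# VM is attached to. Restart Apache from the XAMPP Control Panel afterwards.
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
    Require ip 127.0.0.1 ::1 10.10.1.0/24
    ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>
```

This only controls who can reach phpMyAdmin over HTTP; the MySQL root account described above still has no password, so keep the VM on an isolated lab network.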
6.5 Tomcat Server

Click on Tomcat Server to view or configure any Tomcat application. By default, the login username is tomcat and the password is tomcat.
Click on Manager App to add new or remove existing web applications.
6.6 b374k Web Shell

6.7 WAVSEP 1.2

6.8 ZAP Proxy Test Web App
7 Content Management System (CMS)

Various outdated versions of the Wordpress and Joomla CMS are included in the package; most of them are vulnerable versions, some with other vulnerable plugins installed. (More vulnerable plugins will be added, and other CMSes may be considered.)
7.1 Joomla CMS

Below are the login credentials (username / password) and role of all the available Joomla CMS installations on this server:

  admin / admin (Super User)
  superuser / superuser (Super User)
  administrator / administrator (Administrator)
  manager / manager (Manager)
  shopsupplier / shopsupplier (Shop Supplier)
  editor / editor (Editor)
  author / author (Author)
  publisher / publisher (Publisher)
  customer / customer (Customer)
  registered / registered (Registered)
  public / public (Public)
  guest / guest (Guest)
  allgroup / allgroup (All Users Role)
Joomla Version 2.5.2

Joomla Version 2.5.8

Joomla Version 2.5.13

Joomla Version 3.0.2

Joomla Version 3.1.2

Joomla Version 3.2.5

Joomla Version 3.3.3
7.2 Wordpress CMS

Depending on the PHP version that you are using, you will most likely encounter errors in the lower versions such as 2.0 and 2.5 when loading the web application. Below are the login credentials (username / password) and role of all the available Wordpress CMS installations pre-created in this package:

  admin / admin (Administrator)
  administrator / administrator (Administrator)
  editor / editor (Editor)
  author / author (Author)
  subscriber / subscriber (Subscriber)
  contributor / contributor (Contributor)
Wordpress Version 2.0

Wordpress Version 2.5

Wordpress Version 3.0

Wordpress Version 3.5

Wordpress Version 4.0

Wordpress Version 4.5
Wordpress Version 4.5 (Vulnerable Plugin example)

There are more, and more will be added.
8 Vulnerable Web Applications (Apache Server Based)

8.1 bwapp An Extremely buggy web app

8.2 NOWASP Mutillidae II Web Pen Test Practice Application

8.3 DVWA Damn Vulnerable Web Application

8.4 OWASP Bricks (Tuivai)

8.5 BTS PenTesting Lab

8.6 Peruggia 1.2

8.7 SQL Injections Labs

8.8 The Magical Code Injection Rainbow! MCIR

8.9 WackoPicko.com

8.10 OWASP WebGoat PHP Version
9 Vulnerable Web Applications (Tomcat Server)

In order to run a Tomcat web application, you will need to install Java and have XAMPP running with Administrator privileges.

9.1 OWASP WebGoat 5.4

9.2 OWASP WebGoat 6.0.1

9.3 BodgeIt Store 1.4.0

9.4 InsecureWebApp 1.0

9.5 Java Vulnerable Lab 0.2

10 FTP Server Training