Exploit KB Vulnerable Web App

Please notice! this web app is extremely vulnerable to SQLi attack and its poorly coded and configured intentionally.

It is not recommended to use this WebApp as live site on the net neither set it up on your local machine with access to it from the web.

Please use it in your internal LAN only, Set it up in a virtual environment such as VMware or Virtual Box.

This is a fully functional web site with a content management system based on fckeditor.

I hope you will find this web app useful in your SQLi and web app security studies or demonstrations.

Visit the Vulnerable Web Site by browsing to its IP address

Admin interface can be found at: http://localhost/admin

Username: admin

Password: P@ssw0rd

Database Name: exploit

Database contains 8 tables:

articles
authors
category
downloads
links
members
news
videos

I have only tested the web app for SQLi, but i am sure you will find some more interesting vulnerabilities

Please try to avoid using automated tools to find the vulnerabilities and try doing it manually

Feel free to discuss this web app by visiting http://exploit.co.il and commenting on the relevant post.

You can send solutions, videos and ideas to shai[at]exploit.co.il and i will post them on my blog.

Good Luck!

Requirements:

Linux (Any linux distribution will do the job)
Apache Web server
PHP
MySQL

Windows users can use WAMP Server

http://www.wampserver.com/en/
or XAMPP
http://www.apachefriends.org/en/index.html

Installation:

1. Extract the tar.gz file to your web root directory

2. Set up a new database either using CLI or phpMyAdmin and import the “exploit.sql” database

3. You will need to edit the database connection string which is located in a file named

“config.php” in your web root folder and “config.php” in webroot/admin/ folder
Edit this config file with your sql server address,user name,password and database name.
Thats all, Now just browse to “localhost” or 127.0.0.1 to see the web site.

Extract the exploit-wa.tar.gz archive:

root@BlackBox:/var/www$ tar -xzvf exploit-wa.tar.gz

Configure Database Paramaters:

root@BlackBox:/var/www$ nano config.php
root@BlackBox:/var/www$ nano admin/config.php

Create The Database:

root@BlackBox:~# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or g.
Your MySQL connection id is 1662
Server version: 5.1.41-3ubuntu12.6 (Ubuntu)

Type "help;" or "h" for help. Type "c" to clear the current input statement.

mysql> CREATE DATABASE exploit;
Query OK, 1 row affected (0.00 sec)

Import Database content:

root@BlackBox:/var/www/database$ mysql -u root -p exploit < exploit.sql

Fixing FCKEditor upload path:

root@BlackBox:~# cd /var/www/admin/fckeditor/editor/filemanager/connectors/php/
root@BlackBox:/var/www/admin/fckeditor/editor/filemanager/connectors/php# nano config.php

Setting Permissions:
If you are experiencing problems with the admin interface (fckeditor) you will need to fix the folders permissions.
The easiest and fastest way to do it (making the app even more vulnerable) is by typing:

root@BlackBox:/var/www$ chmod 777 -R admin/

1. Get WAMP Server:

http://www.wampserver.com/en/download.php

2. WAMP Installation

Click the “Next” button

Click the Install button

Choose your favorite browser

Click the “Open” button

Click the “Next” button

Click the “Finish” button

3. Allow WAMP Apache server in windows firewall by clicking the “Unblock” button

4. Check WAMP Installation by browsing to “localhost” or 127.0.0.1

5. By Default WAMP MySQL Username is: “root” and password is blank

lets configure mysql password:

C:\>cd C:\wamp\bin\mysql\mysql5.1.36\bin

C:\wamp\bin\mysql\mysql5.1.36in>mysqladmin.exe -u root password qwe123

6. Also PhpMyAdmin interface does not require username and password to login, lets fix that by editing the phpmyadmin “config.inc.php” file

C:\>cd C:\wamp\apps\phpmyadmin3.2.0.1

C:\wamp\apps\phpmyadmin3.2.0.1>edit config.inc.php

Change the “[auth_type]” value to “http” and save the changes.

7. Now browse to http://localhost/phpmyadmin/

You will be prompt for a username and password

Just enter “root” as the username and your mysql password you created.

8. Create a database named “exploit” and click the “Create” button

9. Extract “exploit-wa.tar.gz” to “C:\wamp\www” you will be prompted to overwrite wamp default index page allow the file overwrite.

10. In PhpMyAdmin Choose The “exploit” database and click on import

click on the “Choose File” button, browse to wamp web root folder and select the “exploit.sql” file which is located in the database folder, and click on the “Go” button to execute the import process.