Web Application Lab Setup on Windows

Hello friends! Today we are going to show you how to set up vulnerable web applications on a Windows system using XAMPP. We will configure four popular training applications (DVWA, bWAPP, SQLi Labs and Mutillidae). So, let’s do that.

Table of Content

Requirement

  • Web application
  • Xampp Server Installation in Windows
  • DVWA
  • bWAPP
  • Sqli
  • Mutillidae

Requirement: XAMPP server (Windows x64)

Web Application

A web application is a program that runs on a web server and is used through a web browser over a network. Web apps are built for everything from a single person to an enterprise and for all kinds of purposes; webmail is one of the most familiar examples.

Xampp Server Installation

XAMPP stands for cross-platform (X), Apache, MariaDB, PHP and Perl.

XAMPP is a free and open-source cross-platform web server stack developed by Apache Friends, consisting mainly of the Apache HTTP Server, the MariaDB database, and interpreters for the PHP and Perl programming languages. Because most real web server deployments use the same components, moving an application from a local XAMPP test server to a live server is straightforward. (read more on Wikipedia)

Download it from the Apache Friends website and run the installer.

Once the installation is done, open the XAMPP Control Panel and start the Apache and MySQL (MariaDB) services. Keep in mind that XAMPP is a development stack and the applications below are deliberately vulnerable: leave Apache reachable only from the machine you practise on (or from an isolated lab network) and never expose this install to the Internet.

DVWA

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the processes of securing web applications, and to aid both students and teachers in learning about web application security in a controlled classroom environment.

Download it from the DVWA GitHub repository and extract it to C:/Xampp/htdocs/dvwa.

Once DVWA is in place, navigate to C:/Xampp/htdocs/dvwa/config/config.inc.php.dist to set the database username and password.

Open the configuration file and look for the db_user and db_password entries.

Here you can notice that the default username is root and the default password is password, which we will modify.

We have set the password to blank for the user root. This works because the MariaDB server bundled with XAMPP ships with a root account that has no password; it is acceptable only on a lab machine that nothing else can reach. Now save these settings and quit.

Rename the file to config.inc.php after making the above changes and save it. DVWA only reads config.inc.php, so this step is mandatory.

Now open DVWA in the browser (http://localhost/dvwa/setup.php) to create the database.

Click on Create / Reset Database and the database is created.

Click on login and you are done with the setup.

To log in, use the DVWA default credentials: username admin and password password.

bWAPP

Now let’s set up a new lab, bWAPP.

bWAPP (buggy web application) is a free, open-source and deliberately insecure web application. It helps security enthusiasts, developers and students discover web vulnerabilities and learn how to prevent them. bWAPP covers over a hundred web bugs and is meant for security training and ethical hacking practice.

Download it from the bWAPP project page and extract it to C:/Xampp/htdocs/bWAPP.

Now navigate to the C:/Xampp/htdocs/bWAPP/admin folder and open settings.php to change the database username and password.

You can see that the default username is root and the default password is bug, which we will modify.

Here the username stays root and the password is set to blank (XAMPP’s MariaDB root account has no password). Now save the settings and quit.

Now open bWAPP/install.php in the browser (http://localhost/bWAPP/install.php) and click on “here” to create the bWAPP database and complete the installation.

Now the installation is complete.

Log in as bee:bug (the built-in bWAPP account) and you get the portal to test your penetration testing skills.

Here you can click on Bugs and all the bugs in the bWAPP web application will be listed.

SQLi Labs

SQLi Labs is a set of SQL injection lessons that provides a complete test environment for those who want to learn or sharpen SQL injection skills. Let’s start. First, download the sqli-labs archive from GitHub and extract it to C:/Xampp/htdocs/sqli.

Now navigate to C:/Xampp/htdocs/sqli/sql-connections and edit db-creds.inc, which holds the database username and password used by setup-db.php and by the lessons.

Here we set the password to blank (the XAMPP MariaDB root account), save the changes and quit.

Now browse to this web application through the URL localhost/sqli and click on Setup/reset Database for labs.

Now the SQLi lab is ready to use. A page listing the different SQLi challenges opens in your browser.

Now you can see that we have opened Lesson 1. So, we have successfully set up SQLi Labs for practice.

Mutillidae

OWASP Mutillidae II is a free, open-source, deliberately vulnerable web application that provides a target for web security practice. It offers a complete test environment with dozens of vulnerabilities (the OWASP Top 10 and more) and hints, and is designed for labs, security enthusiasts, classrooms, CTFs and vulnerability assessment targets.

First, navigate to C:/Xampp/htdocs/mutillidae/includes and edit database-config.php (older releases name this file database-config.inc) as shown below.

Here we can see that the password is set to mutillidae, which we will replace with blank.

You can verify that we have set the password to blank. Now save the settings and quit.

Now you can see the page where you need to click on the opt out tab.

Now open the application in the local browser at localhost/mutillidae, where you will find an option to reset the database. Just click on it to reset the database. In this way we set up our vulnerable web application lab for penetration testing.

You will be redirected to a page that asks you to click OK to proceed. Click OK and you are done with the configuration of the Mutillidae lab.

We have successfully set up all the web applications in the XAMPP server on Windows.

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information Security.

Web Application Pentest Lab setup Using Docker

For web application penetration practice, we all look for vulnerable applications like DVWA and attempt to configure vulnerable practice environments. As we all know, that is a time-consuming activity that takes a lot of effort, but it can be done in a couple of minutes with the help of Docker.

In this post you will learn how to configure vulnerable web applications (DVWA, bWAPP, Mutillidae, WebGoat) with the help of Docker.

Table of Content

  • Requirement
  • Objective
  • Web application
  • DVWA
  • Mutillidae
  • bWAPP
  • Another Method

Requirement: Ubuntu 18.04

Objective:

Configure a web application server on Docker

Web Application

A web application is a program that runs on a web server and is used through a web browser over a network. Web apps are built for everything from a single person to an enterprise and for all kinds of purposes; webmail is one of the most familiar examples.

Docker

Docker is a tool for running applications in isolated environments called containers. A container packages an application together with all of its dependencies into a single image that can be deployed anywhere the Docker engine runs. Containers share the host’s kernel rather than virtualising a whole machine, which is what makes them quick to start, but it also means the isolation is weaker than that of a VM. A deliberately vulnerable app inside a container is still a deliberately vulnerable app: publish its ports only on 127.0.0.1 (or an isolated lab network) and do not mount host directories into it. To work with Docker you first need to install the Docker engine on your host.

Install Docker from Ubuntu’s repositories (the docker.io package) with apt:

Then start and enable the Docker service with systemctl:

This gives us Docker version 18.09.7 on our local machine (the release shipped by the Ubuntu 18.04 docker.io package at the time of writing).

Configure DVWA on Docker

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled classroom environment.

The aim of DVWA is to practice some of the most common web vulnerabilities, with various levels of difficulty, with a simple straightforward interface. Please note, there are both documented and undocumented vulnerabilities with this software. This is intentional. You are encouraged to try and discover as many issues as possible.

Installing and configuring DVWA through Docker is much simpler than the manual approach; you can search for its image directly from the terminal with docker search.

Here you can observe that it lists the available DVWA images with their star ratings; you will obtain output similar to that shown below. Pick an image you trust: anyone can publish to Docker Hub, so prefer images with a visible Dockerfile and a healthy number of stars.

Now we can pull the image directly with docker pull:

Then start a container for DVWA with docker run, publishing the container’s port 80 on a local port:

Good! We have successfully configured the DVWA lab on Ubuntu, as we can see that we are welcomed by the login page.

Browse to the setup page (setup.php under the port you published) and click on Create/Reset Database.

Once the database is created you can log in to the application (admin / password) to access the web console.

And our DVWA application is ready for use; as you can see, it required very little effort.

Configure Mutillidae on Docker

OWASP Mutillidae II is a free, open-source, deliberately vulnerable web application that provides a target for web security practice. It offers a complete test environment with dozens of vulnerabilities (the OWASP Top 10 and more) and hints, and is designed for labs, security enthusiasts, classrooms, CTFs and vulnerability assessment targets.

Similarly, we can run Mutillidae using Docker without wasting time on manual configuration. Repeat the same steps as before: first pull the image, then use docker run to start Mutillidae on a specific port.

This time we chose port 1337 for the Mutillidae application, so we open it in the local browser at localhost:1337, where we find the option to reset the database. Just click on it to reset the database.

Configure WebGoat on Docker

WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.

This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application security and penetration testing techniques.

Similarly, we can run WebGoat using Docker without wasting time on manual configuration. Repeat the same steps as before: first pull the image, then use docker run to start WebGoat on a specific port.

To access the WebGoat application, open the published port in the web browser (WebGoat 8 serves the application under the /WebGoat path on that port).

Configure bWAPP on Docker

bWAPP is a buggy web application that is deliberately insecure. Security enthusiasts, system engineers and developers can use it to learn about web vulnerabilities and how to prevent them.

Repeat the same approach and run docker pull to fetch its image.

Then use docker run to start bWAPP on a specific port.

Now go to your browser, open the bWAPP installation page (install.php on the published port) and click on “here” as shown in the image below.

You then get the bWAPP login page. Log in with the default credentials bee:bug to get access to the web console.

Now you can start working on bWAPP.
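The pull-and-run steps above are the same for every container. The script below is an added example (mine, not from the Hacking Articles post or any of the projects) that wraps them so that every lab is published on 127.0.0.1 only, and adds the check a practitioner wants before leaving such a lab running: a scan of `docker ps` output for anything bound to all interfaces. The image names in the `up` target are assumptions (public Docker Hub images); swap in the ones you pulled. The `lab_exposed` function takes the `docker ps` text as an argument so it can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): start the lab containers with
# the published port bound to the loopback interface only, then confirm the
# app answers. A bare "-p 80:80" listens on every interface, so a deliberately
# vulnerable app would be reachable by anyone on your network.
# Image names below are assumptions; adjust them to the images you pulled.
set -eu

# lab_run_args <name> <image> <host port> <container port>
# Prints the docker run arguments used for every lab container.
lab_run_args() {
    printf 'run -d --name %s --restart unless-stopped -p 127.0.0.1:%s:%s %s\n' \
        "$1" "$3" "$4" "$2"
}

# lab_up <name> <image> <host port> <container port>
lab_up() {
    # shellcheck disable=SC2046  (word splitting is intended here)
    docker $(lab_run_args "$1" "$2" "$3" "$4")
}

# lab_wait <url> [seconds]
# Polls until the app returns any HTTP response or the timeout expires.
lab_wait() {
    n="${2:-30}"
    while [ "$n" -gt 0 ]; do
        if curl -s -o /dev/null -m 2 "$1"; then return 0; fi
        n=$((n - 1)); sleep 1
    done
    return 1
}

# lab_exposed <text of: docker ps --format '{{.Names}} {{.Ports}}'>
# Prints the names of containers publishing a port on 0.0.0.0 or :: (all
# interfaces). Returns 0 if anything is exposed, 1 if all are loopback-only.
lab_exposed() {
    printf '%s\n' "$1" | awk '/0\.0\.0\.0:|:::[0-9]+->/ { print $1 }' | sort -u | grep .
}

# audit_running_labs: runs lab_exposed against the live Docker host
audit_running_labs() {
    lab_exposed "$(docker ps --format '{{.Names}} {{.Ports}}')"
}

# Usage:  sh lab.sh up      (start the three labs)
#         sh lab.sh audit   (list containers exposed beyond localhost)
case "${1:-}" in
    up)
        lab_up dvwa       vulnerables/web-dvwa 8080 80   # assumed image name
        lab_up mutillidae citizenstig/nowasp   1337 80   # assumed image name
        lab_up bwapp      raesene/bwapp        8082 80   # assumed image name
        lab_wait http://127.0.0.1:8080/ && echo "DVWA: http://127.0.0.1:8080/setup.php"
        ;;
    audit) audit_running_labs ;;
    "") ;;
esac
```

Run `sh lab.sh audit` on any host where you have left labs running; a non-empty list means the container is reachable from the network, which is exactly what you do not want for DVWA or bWAPP. If you need a teammate on the same LAN to reach a lab, put both machines on an isolated network rather than loosening the bind address.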

Another Method

We can use the PentestLab Management Script, which drives Docker for us and adds hosts-file aliases so that each web app is available on its own local hostname. It can pull the following applications:

  • bWAPP
  • WebGoat 7.1
  • WebGoat 8.0
  • Damn Vulnerable Web App
  • Mutillidae II
  • OWASP Juice Shop
  • WPScan Vulnerable WordPress
  • OpenDNS Security Ninjas
  • Altoro Mutual

Install and configure PentestLab Management Script

To see the list of available web applications, run the script with the list option.

To start a web application, run the script with the start option followed by the application’s name, as shown here.

Open the URL the script prints to browse the web application.

Conclusion:

Setting up a vulnerable web application lab with Docker is very easy and fast compared to the other approaches. A pentester can set up his or her own vulnerable lab with Docker in a very short period of time.

Hope you liked this technique for configuring web applications.

Happy Hacking!!

Author: Kavish Tyagi is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing.

Web Shells Penetration Testing

This post describes various PHP web shell upload techniques used to gain unauthorized access to a web server by planting a malicious piece of PHP code on it.

Table of Content

  • Introduction of PHP Web shells
  • Inbuilt Kali web shells
    • simple-backdoor.php
    • qsd-php-backdoor web shell
    • php-reverse-shell.php
  • Using MSFvenom
  • Weevely PHP web shell
  • phpbash web shell

Requirements

Attacker: Kali Linux

Target: Web for Pentester, DVWA

Introduction of PHP Web Shells

Web shells are scripts, written in languages such as PHP, Python, ASP or Perl, that are uploaded to a web server and then used as a backdoor for illegitimate access to that server.

Once the backdoor is uploaded, the attacker can read and write directly on the server: edit or delete any file the web server user can reach, and run commands as that user. Today we are going to explore the PHP web shells that ship with Kali Linux and a few others. So, let’s get started.

Kali Linux ships with PHP scripts that can be used as backdoors to assist penetration testing work. They are stored in /usr/share/webshells/php and a pentester can use them directly without wasting time writing PHP code for the malicious script.

  • simple-backdoor.php
  • qsd-php-backdoor web shell
  • php-reverse-shell.php

simple-backdoor.php shell

simple-backdoor.php, written by John Troon, is a minimal web shell that gives remote command execution once it is placed on the web server: it passes the cmd request parameter straight to system(). It is already available in Kali in the /usr/share/webshells/php folder as shown in the picture below; we run ls -al to check the permissions on the files.

Now you must find a way to upload a shell into your application. As we are doing all this on Web for Pentester, we first try to upload simple-backdoor.php, which is already available in Kali, and click on “send the file” to upload the shell.

As you can see, we have successfully uploaded the malicious PHP file and received the hyperlink to the uploaded file.

Thus we try to access simple-backdoor.php and obtain the following output. The usage hint it prints, cmd=cat+/etc/passwd, is a clear indication of remote command execution.

So, let’s run cat+/etc/passwd to read the server’s user account list. (Note that /etc/passwd lists accounts, shells and home directories; on any modern system the password hashes live in /etc/shadow, which the web server user normally cannot read.)

As a result we have dumped the passwd file, so we can execute any command such as ls, cp and so on; that is, we have obtained a web shell by exploiting RCE.

qsd-php-backdoor shell

A web shell is generally considered a backdoor that lets an attacker access and control a server remotely; qsd-php-backdoor.php, written by Daniel Berliner, is a backdoor that provides a small web interface for browsing the file system and executing system commands.

As you can see, we have uploaded the qsd-php-backdoor.php file successfully.

Then access qsd-php-backdoor.php as you did in the previous step and you will find something like the image below. Here you can perform directory traversal and browse the web server’s directories directly by entering a path and clicking on the go button.

As you can observe, we have listed the current directory without executing any system command.

We can also execute arbitrary system commands, since this backdoor provides a form for running shell commands such as cat /etc/passwd, ls -al and much more. We can also run two commands at once (chained with ; or &&) and see the result.

As you can see, we have got the result successfully.

php-reverse-shell

Now it is the turn of our next PHP web shell, php-reverse-shell.php, written by pentestmonkey. It opens an outbound TCP connection from the web server back to a host and port you choose and attaches a shell to that connection (a reverse TCP shell). Because you get an interactive shell rather than one command per request, you can run interactive programs such as telnet, ssh etc. This is what makes it different from the other web shells above, which accept a single command and return its output.

For this we need to open the script in nano.

Here we set LISTEN_IP to the Kali Linux address on which we want the connection, and LISTEN_PORT to any free port. In the script these are the $ip and $port variables, marked “CHANGE THIS”.

Now we upload this web shell to get the reverse connection: upload the malicious file and, in a new terminal, start a netcat listener on the chosen port.

We can see that it is uploaded successfully.

As soon as you open the uploaded file in the browser, if all went well the web server throws back a reverse shell to your netcat listener, and you can verify that we have got the shell successfully. The browser request appears to hang for as long as the shell is alive; that is expected.

PHP Backdoor using MSFvenom

We can also generate a PHP web shell with the help of msfvenom. We therefore run msfvenom with a PHP meterpreter payload (php/meterpreter/reverse_tcp) and our LHOST and LPORT to generate the malicious PHP code in raw format.

Then copy the code and save it under the name meter.php. Take care that the first line of msfvenom’s raw PHP output has the opening tag commented out (it starts with /*<?php /**/); remove the leading /* so the tag is live, or the server will serve the file as plain text.

Now we upload this malicious shell in the DVWA lab to get the reverse connection. You can see the “meter.php successfully uploaded” message in the screenshot, meaning that our PHP backdoor has been uploaded.

To execute the shell, we open the upload URL in DVWA.

At the same time we start multi/handler in msfconsole, where we will receive the meterpreter shell; set the same payload, LHOST and LPORT that were given to msfvenom so the handler matches the reverse connection.

As soon as you browse to the uploaded path and execute the backdoor, it gives you a meterpreter session.

Weevely Shell

Weevely is a stealthy PHP web shell that simulates a telnet-like session and is designed for remote server administration and penetration testing. It can be used as a stealth backdoor or as a web shell to manage legitimate web accounts, and it is an essential tool for web application post-exploitation. Its PHP agent is protected with a password, so only someone who knows the password can drive the backdoor.

Open the terminal and use weevely’s generate command to create a PHP backdoor, passing a password (in our case raj123) and the output file name weevely.php.

Now upload this web shell to the target location; in our case we uploaded it to Web for Pentester, and we open the URL in the browser to execute the web shell.

Run weevely with the copied URL and the password raj123 to connect, and you can see that we have got a shell on the victim through weevely. We can verify this with the id command.

You can also check all the functionality of weevely with the help command.

phpbash shell

phpbash is a standalone, semi-interactive web shell. We download it from GitHub, go inside the phpbash directory and run ls -al to check the available files.

Inside phpbash we find a PHP script named phpbash.php; upload this script to your target location.

We upload this web shell in the DVWA lab and see the message that it has been uploaded successfully.

Going ahead, we open the URL to execute the shell.

Here our phpbash file is executed and gives us the web shell. The benefit of phpbash is that it does not require any listener such as netcat, because it provides a bash-like terminal inside the browser, as you can observe in the given image.

As a result we have a bash-like shell running as www-data and can execute system commands directly through this interface.

So, in this way we have explored and performed numerous ways to get a web shell through PHP web shells, all in this single article.
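Every shell in this article shares a handful of traits: a command sink (system, exec, proc_open) fed from request input, or eval over decoded data, an outbound socket, or msfvenom’s commented-out opening tag. The defender’s counterpart is a scan for those traits in the web root. The script below is an added example (my own heuristics, not from the article or any vendor signature set) that scores PHP files on exactly those traits; it is built to catch the shells above and will need tuning for real applications that legitimately shell out.

```shell
#!/bin/sh
# Added example (not from the original post): the defender's side of this
# article. Scans a web root for PHP files that pair a command-execution or
# code-evaluation function with attacker-controlled input, which is what every
# shell above does (simple-backdoor: system($cmd) with $cmd from $_REQUEST;
# obfuscated agents: eval over decoded data; reverse shells: fsockopen).
# The patterns are heuristics of my own, not a signature database.
set -eu

# has <file> <extended regex>
has() { grep -E -q "$2" "$1"; }

# webshell_score <file>  -> prints a number; 0 means nothing matched
webshell_score() {
    f="$1"; score=0
    sink='(system|exec|shell_exec|passthru|popen|proc_open)[[:space:]]*\('
    input='\$_(GET|POST|REQUEST|COOKIE|SERVER)'
    evalfn='(^|[^[:alnum:]_])(eval|assert)[[:space:]]*\('
    decode='(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)[[:space:]]*\('
    # command sink and request input in the same file (simple-backdoor, qsd, phpbash)
    if has "$f" "$sink" && has "$f" "$input"; then score=$((score + 3)); fi
    # eval/assert combined with a decoder (weevely-style obfuscated agent)
    if has "$f" "$evalfn" && has "$f" "$decode"; then score=$((score + 3)); fi
    # eval/assert at all
    has "$f" "$evalfn" && score=$((score + 1))
    # outbound socket opened from PHP (php-reverse-shell, meterpreter stager)
    has "$f" 'fsockopen[[:space:]]*\(' && score=$((score + 2))
    # opening tag hidden inside a comment: msfvenom raw PHP output
    grep -q '/\*<?php' "$f" && score=$((score + 2))
    printf '%s\n' "$score"
}

# scan_webroot <dir> [threshold]
# Prints "score<TAB>path" for files at or above the threshold (default 2),
# highest score first. Returns 0 if anything was flagged, 1 otherwise.
scan_webroot() {
    thr="${2:-2}"
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' -o -name '*.inc' \) -print |
    while IFS= read -r f; do
        s=$(webshell_score "$f")
        [ "$s" -ge "$thr" ] && printf '%s\t%s\n' "$s" "$f"
    done | sort -rn | grep .
}

# Usage: sh findshells.sh /var/www/html [threshold]
case "${1:-}" in
    "") ;;
    *)  scan_webroot "$1" "${2:-2}" ;;
esac
```

Run it against /var/www/html after a practice session and you should see every shell you uploaded near the top; run it against a clean application first to learn which of its own files trip the cheaper rules (a score of 1 from a lone eval is common in templating code) and raise the threshold accordingly.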

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information Security.

Configure Web Application Penetration Testing Lab

As you know, we have already shown you how to configure a web server. Now it is time to move on to the next step, which is configuring web applications on Ubuntu 18.04. So today we will learn how to configure five famous web applications (DVWA, bWAPP, XVWA, SQLi Labs, Mutillidae) on our web server for web penetration testing. So, let’s do that.

Table of Content

  • Requirement
  • Web application
  • DVWA
  • bWAPP
  • XVWA
  • Sqli
  • Mutillidae

Requirement: Ubuntu 18.04

Web Application

A web application is a program that runs on a web server and is used through a web browser over a network. Web apps are built for everything from a single person to an enterprise and for all kinds of purposes; webmail is one of the most familiar examples.

DVWA

Let’s start. Download and configure every web application inside the html directory (/var/www/html) so that they can all be reached through localhost in the browser. Go to your Ubuntu terminal, move inside the html directory with the following command and download the DVWA lab from the given link.

After the download, go inside the dvwa directory, where you will find a config folder. Move inside the config folder and run ls to view the available files; you will see a config.inc.php.dist file. As you can see, we have moved (renamed) config.inc.php.dist to config.inc.php, which is the file DVWA actually reads.

Now open the config file using nano, where you will find that the db user is root and the db password is password.

Here you need to change these to a database account that is allowed to create and use the dvwa database. In our case we use raj as the db user and 123 as the db password. Make sure a MySQL user with these credentials actually exists and has privileges on the database: MySQL keeps its own user table, so an Ubuntu login by itself does not work here.

Now open the DVWA lab in the browser at localhost/dvwa/setup.php and click on Create/Reset Database.

Good! We have successfully configured the DVWA lab on Ubuntu 18.04, as we can see that we are welcomed by the login page.

To log in, use the DVWA default username admin and password password.

bWAPP

bWAPP (buggy web application) is a deliberately insecure web application. Security enthusiasts, system engineers and developers can use it to learn about web vulnerabilities and how to prevent them.

bWAPP prepares you for successful assessments and penetration tests. Now we configure the bWAPP lab on Ubuntu 18.04. First download bWAPP, then move inside the Downloads folder and unzip the bWAPP archive with the following command:

Now move bWAPP into /var/www/html with the following command:

Now edit the config file, admin/settings.php, with the following command; you can see that the db username is root and the db password is bug by default.

Now change these, setting our MySQL user raj in place of root and the password 123 in place of bug. Save and exit the config file.

Now go to your browser, open the bWAPP installation page (localhost/bWAPP/install.php) and click on “here” as shown in the image below.

You then get the bWAPP login page. Log in with the default username bee and password bug, and you are logged in to bWAPP.

Now you can start working on bWAPP.

When you log in as bee:bug, you get the portal to test your penetration testing skills.
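The DVWA and bWAPP steps above (and the same edits in the XAMPP walkthrough earlier, if you run this from WSL or Git Bash against C:/Xampp/htdocs) are two copies of one chore: copy the shipped config, change two credential lines, confirm the account works. The script below is an added example (mine, not from the article or either project) that does that non-interactively. It assumes DVWA’s config uses lines of the form `$_DVWA[ 'db_user' ] = 'root';` and bWAPP’s admin/settings.php lines of the form `$db_username = "root";`, which is how both files ship; the mysql client check is skipped when the client is not installed.

```shell
#!/bin/sh
# Added example (not from the original post): apply the DVWA and bWAPP
# database-credential edits from the walkthrough without opening nano.
# Assumptions: DVWA's config uses lines like   $_DVWA[ 'db_user' ] = 'root';
# and bWAPP's admin/settings.php uses lines like   $db_username = "root";
# The credentials must belong to a MySQL/MariaDB account (raj:123 here), not
# to an Ubuntu login; MySQL keeps its own user table.
set -eu

# dvwa_set <config.inc.php> <key> <value>
# Rewrites the single-quoted value of $_DVWA[ 'key' ] = '...'; in place.
# (value must not contain ' | or &, which sed would misread)
dvwa_set() {
    sed -i -E "s|(\\\$_DVWA\\[ *'$2' *] *= *)'[^']*'|\\1'$3'|" "$1"
}

# dvwa_get <config.inc.php> <key>  -> prints the current value
dvwa_get() {
    sed -n -E "s|^.*\\\$_DVWA\\[ *'$2' *] *= *'([^']*)'.*|\\1|p" "$1"
}

# bwapp_set <settings.php> <variable> <value>
# Rewrites the double-quoted value of $variable = "..."; in place.
bwapp_set() {
    sed -i -E "s|(\\\$$2 *= *)\"[^\"]*\"|\\1\"$3\"|" "$1"
}

# bwapp_get <settings.php> <variable>  -> prints the current value
bwapp_get() {
    sed -n -E "s|^.*\\\$$2 *= *\"([^\"]*)\".*|\\1|p" "$1"
}

# configure_dvwa <dvwa dir> <db user> <db password>
# Creates config.inc.php from the shipped .dist file if it does not exist yet
# (an existing config.inc.php is kept so local edits survive), then sets creds.
configure_dvwa() {
    dir="$1/config"
    [ -f "$dir/config.inc.php" ] || cp "$dir/config.inc.php.dist" "$dir/config.inc.php"
    dvwa_set "$dir/config.inc.php" db_user "$2"
    dvwa_set "$dir/config.inc.php" db_password "$3"
}

# configure_bwapp <bWAPP dir> <db user> <db password>
configure_bwapp() {
    bwapp_set "$1/admin/settings.php" db_username "$2"
    bwapp_set "$1/admin/settings.php" db_password "$3"
}

# check_db_login <user> <password>
# Confirms the account can authenticate before you click Create/Reset Database
# in the browser. Returns 0 on success, 1 on failure, 2 if no mysql client.
check_db_login() {
    command -v mysql >/dev/null 2>&1 || return 2
    mysql -u "$1" -p"$2" -e 'SELECT 1' >/dev/null 2>&1
}

# Usage:  sh lab-creds.sh /var/www/html/dvwa /var/www/html/bWAPP raj 123
if [ "$#" -eq 4 ]; then
    configure_dvwa "$1" "$3" "$4"
    configure_bwapp "$2" "$3" "$4"
    if check_db_login "$3" "$4"; then
        echo "database login OK: $3"
    else
        echo "database login FAILED or mysql client missing: create the MySQL user first"
    fi
fi
```

The login check is the step the walkthrough leaves implicit: if it fails, DVWA’s setup page will fail too, and the fix is on the MySQL side (create the user and grant it privileges on the database), not in the PHP config.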

XVWA

XVWA (Xtreme Vulnerable Web Application) is a badly coded PHP/MySQL web application that helps security enthusiasts learn application security. As the name suggests it is vulnerable in the extreme, so it must never be hosted online; run it only in a controlled and safe environment where you can improve your skills with the tools of your choice. So, let’s start.

First download XVWA from GitHub: go to the Ubuntu terminal and clone the repository into the html directory from the following link.

Once it is downloaded, open the XVWA config file (config.php in the xvwa directory) with the following command.

We can see that the username for XVWA is root and the password is left blank.

Now we replace the root user and use our MySQL username and password, raj:123.

Afterwards, save the file and exit.

Now browse to the web application at localhost/xvwa and we can see that it loads successfully.

SQLi Labs

A laboratory that offers a complete test environment for those interested in acquiring or improving SQL injection skills. Let’s start. First download the SQLi lab into the html directory from the following link:

Once the download is done, move sqli-labs into the /var/www/html directory and rename it to sqli. Then go inside the sqli directory, where you will find the sql-connections directory. Run ls here to check the files and you can see a file by the name of db-creds.inc.

We need to make some changes in this credentials file with the following command:

As we can see, the username is root and the password is left blank, which we need to modify.

Now set the username and password to raj:123 (our MySQL account). Save the file and exit.

Now browse to this web application through the URL localhost/sqli and click on Setup/reset Database for labs.

Now the SQLi lab is ready to use.

A page listing the different SQLi challenges opens in your browser.

Click on Lesson 1 and start the SQLi challenge.

Mutillidae

OWASP Mutillidae II is a free, open-source, deliberately vulnerable web application that provides a target for web security practice. It offers a complete test environment with dozens of vulnerabilities (the OWASP Top 10 and more) and hints, and is designed for labs, security enthusiasts, classrooms, CTFs and vulnerability assessment targets.

So, let’s start by downloading it from the link given below.

After the download, go inside the Mutillidae directory, where you will find a directory named includes; go inside it.

Inside this directory we find the database-config.inc file, which we open with nano as shown in the image below.

Here you will find that the username is root and the password is mutillidae by default, which we need to change.

Now we use our MySQL username and password, raj:123. Save the changes and exit.

Now open the application in the local browser at localhost/mutillidae, where you will find the option to reset the database. Just click on it to reset the database.

You will be redirected to a page that asks you to click OK to proceed. Click OK and you are done with the configuration of the Mutillidae lab.

So, in this way we can set up our vulnerable web application lab for penetration testing.

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information Security.