During my SQL Injection learning journey I needed a vulnerable web application for practice.

I created a WebApp vulnerable to SQL Injection for my personal use, The result was an extremely vulnerable web site which I could test some SQLi techniques against MySQL.

I must confess, I am not a programmer and I have never coded in PHP before, I thought it would be a good practice to develop a PHP based site from scratch in order to learn the basic of PHP and MySQL.

exploit.co.il Vulnerable Web app designed as a learning platform to test various SQL injection Techniques and it is a fully functional web site with a content management system based on fckeditor.

I thought some of you may find it useful so i decided to share it via a SourceForge project page i created for it at :


Read Me First

Please notice! this web app is extremely vulnerable to SQLi attack and its poorly coded and configured intentionally.

It is not recommended to use this WebApp as live site on the net neither set it up on your local machine with access to it from the web.

Please use it in your internal LAN only, Set it up in a virtual environment such as VMware or Virtual Box.

This is a fully functional web site with a content management system based on fckeditor.

I hope you will find this web app useful in your SQLi and web app security studies or demonstrations.

General Information

Visit the Vulnerable Web Site by browsing to its IP address

Admin interface can be found at: http://localhost/admin

Username: admin

Password: [email protected]

Database Name: exploit

Database contains 8 tables:

articles authors category downloads links members news videos I have only tested the web app for SQLi, but i am sure you will find some more interesting vulnerabilities

Please try to avoid using automated tools to find the vulnerabilities and try doing it manually

Feel free to discuss this web app by visiting http://exploit.co.il and commenting on the relevant post.

You can send solutions, videos and ideas to shai[at]exploit.co.il and i will post them on my blog.

Good Luck!

Source: http://exploit.co.il/projects/vuln-web-app/

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.

Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

Source: http://www.dvwa.co.uk/

Bobby: 1

TheXero 7 Dec 2011
TheXero's    ____        __    __         
            / __ )____  / /_  / /_  __  __
           / __  / __ \/ __ \/ __ \/ / / /
          / /_/ / /_/ / /_/ / /_/ / /_/ / 
         /_____/\____/_.___/_.___/\__, / v.1 
|Objective| There is a 'flag' in the administrator's personal folder. |
|         | Find it & read the contents of the file.                  |
|       OS| Windows XP Pro SP3 x86                                    |
|  Network| Static (Somewhere in                      |


p.s. The setup of this vulnerable machine uses 'AutoIT' to automate the various aspects of the installation.
If the timings during the installation are off, the setup will fail.
Try installing it again if it does fail, however if it keeps on failing - please get in touch.

Source: readme.txt

Welcome to Badstore.net

Badstore.net is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure. Our Badstore demonstration software is designed to show you common hacking techniques.

Source: http://www.badstore.net/

v1.0 – Original version for 2004 RSA Show

v1.1 – Added:

  • More supported NICs.

  • Referrer checking for Supplier Upload.

  • badstore.old in /cgi-bin/

  • Select icons added to the /icons/ directory.

v1.2 – Version presented at CSI 2004


  • Full implementation of MySQL.

  • JavaScript Redirect in index.html.

  • JavaScript validation of a couple key fields.

  • My Account services, password reset and recovery.

  • Numerous cosmetic updates.

  • 'Scanbot Killer' directory structure to detect scanners.

  • favicon.ico.

  • Reset files and databases to original state without reboot.

  • Dynamic dates and times in databases.

  • Additional attack possibilities.

Source: BadStore_Manual.pdf

VulnVoIP is based on a relatively old AsteriskNOW distribution and has a number of weaknesses. The aim is to locate VoIP users, crack their passwords and gain access to the Support account voicemail.

Just to keep things interesting this particular disto also suffers from a known exploit from which it is relatively easy to gain a root shell. Once you've found the easy way, can you get root using a different method?

I've created these basic VoIP hacking training exercises as I found very limited resources online. Hopefully VulnVoIP will help others learn the basic fundamentals of VoIP hacking in a safe environment.

  • Architecture: x86
  • Format: VMware (vmx & vmdk) compatibility with version 4 onwards
  • RAM: 512MB
  • Network: NAT
  • Extracted size: 1.68GB
  • Compressed (download size): 552MB - 7zip format - 7zip can be obtained from here
  • MD5 Hash of VulnVoIP.7z: 1411bc06403307d5ca2ecae47181972a

Source: http://www.rebootuser.com/?p=1069

"Created for Lars's students"

Source: e-mail

A flexible web app showing vulnerabilities such as cross site scripting, sql injections, and session management issues. Helpful to IT auditors honing web security skills and setting up 'capture the flag'.

Source: https://owasp.org/index.php/Category:OWASP_Vicnum_Project

A flexible web app showing vulnerabilities such as cross site scripting, sql injections, and session management issues. Helpful to IT auditors honing web security skills and setting up 'capture the flag'.

Source: https://owasp.org/index.php/Category:OWASP_Vicnum_Project


UltimateLAMP includes a long list of popular LAMP stack applications. For more information take a look a the UltimateLAMP products list.

With the success of this first product, research has already commenced in our next two products UltimateLAMJ (Open Source Java Based Applications) and UltimateLAMR (Open Source Ruby Applications).

Latest News

  • Oct 27 2006 - Information regarding Passwords.
  • Aug 14 2006 - And the winners are?
  • May 20 2006 - VMware Appliance Challenge Application.
  • May 15 2006 - Version 0.2 release of UltimateLAMP.
  • May 12 2006 - Initial Version 0.1 release of UltimateLAMP.

Source: http://web.archive.org/web/20080622080916/http://ultimatelamp.arabx.com.au/

Welcome, welcome! The time has come to select one courageous young hacker for the honor of representing District 12 in the 74th annual Hacker Games! And congratulations, for you have been selected as tribute!

Hacking games and CTF’s are a lot of fun; who doesn’t like pitting your skills against the gamemakers and having a free pass to break into things?

But watch out, as you will find out, some games are more dangerous than others. I have talked about counterattacks here before, and this system has implemented a number of aggressive anti-hacker measures.

In fact, this VM is downright evil. I am probably legally obligated to tell you that it will try to hack you. So if a calculator or message declaring your pwnedness pops up or shows up on your desktop, you asked for it. But don’t worry, it won’t steal your docs or rm you, it will just demonstrate compromise for the game.

To save precious bandwidth, this has been implemented in a minimal tinycore-based VM, and will require VirtualBox to run. But vbox is free – you can download it here: https://www.virtualbox.org/wiki/Downloads

Unfortunately, I didn’t have the time to add nearly all the things I wanted to, so there are really just a few challenges, a couple of counterhacks, and about 10 memes to conquer. Depending on your skill level, you could pwn (or be pwned) in just a few minutes or in a few hours. So hack it before it hacks you!

No sponsors are necessary, so don’t light yourself on fire. Simply download the evil VM here: TheHackerGames.zip, start it, and open up http://localhost:3000/ to begin. Now, you can totally cheat since you own the VM, but see if you can beat the challenges without cheating. Then you can go ahead and cheat, which should also be fun – you’re probably comfortable with many physical access attacks involving the hard disk, but this system doesn’t use a hard disk. So enjoy and remember…

May the odds be ever in your favor!

Source: http://www.scriptjunkie.us/2012/04/the-hacker-games/