Virtual Machines
single series all timeline

During my SQL Injection learning journey I needed a vulnerable web application for practice.

I created a WebApp vulnerable to SQL Injection for my personal use, The result was an extremely vulnerable web site which I could test some SQLi techniques against MySQL.

I must confess, I am not a programmer and I have never coded in PHP before, I thought it would be a good practice to develop a PHP based site from scratch in order to learn the basic of PHP and MySQL. Vulnerable Web app designed as a learning platform to test various SQL injection Techniques and it is a fully functional web site with a content management system based on fckeditor.

I thought some of you may find it useful so i decided to share it via a SourceForge project page i created for it at :

Read Me First

Please notice! this web app is extremely vulnerable to SQLi attack and its poorly coded and configured intentionally.

It is not recommended to use this WebApp as live site on the net neither set it up on your local machine with access to it from the web.

Please use it in your internal LAN only, Set it up in a virtual environment such as VMware or Virtual Box.

This is a fully functional web site with a content management system based on fckeditor.

I hope you will find this web app useful in your SQLi and web app security studies or demonstrations.

General Information

Visit the Vulnerable Web Site by browsing to its IP address

Admin interface can be found at: http://localhost/admin

Username: admin

Password: [email protected]

Database Name: exploit

Database contains 8 tables:

articles authors category downloads links members news videos I have only tested the web app for SQLi, but i am sure you will find some more interesting vulnerabilities

Please try to avoid using automated tools to find the vulnerabilities and try doing it manually

Feel free to discuss this web app by visiting and commenting on the relevant post.

You can send solutions, videos and ideas to shai[at] and i will post them on my blog.

Good Luck!



Welcome to is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure. Our Badstore demonstration software is designed to show you common hacking techniques.


v1.0 – Original version for 2004 RSA Show

v1.1 – Added:

  • More supported NICs.

  • Referrer checking for Supplier Upload.

  • badstore.old in /cgi-bin/

  • Select icons added to the /icons/ directory.

v1.2 – Version presented at CSI 2004


  • Full implementation of MySQL.

  • JavaScript Redirect in index.html.

  • JavaScript validation of a couple key fields.

  • My Account services, password reset and recovery.

  • Numerous cosmetic updates.

  • 'Scanbot Killer' directory structure to detect scanners.

  • favicon.ico.

  • Reset files and databases to original state without reboot.

  • Dynamic dates and times in databases.

  • Additional attack possibilities.

Source: BadStore_Manual.pdf


Welcome, welcome! The time has come to select one courageous young hacker for the honor of representing District 12 in the 74th annual Hacker Games! And congratulations, for you have been selected as tribute!

Hacking games and CTF’s are a lot of fun; who doesn’t like pitting your skills against the gamemakers and having a free pass to break into things?

But watch out, as you will find out, some games are more dangerous than others. I have talked about counterattacks here before, and this system has implemented a number of aggressive anti-hacker measures.

In fact, this VM is downright evil. I am probably legally obligated to tell you that it will try to hack you. So if a calculator or message declaring your pwnedness pops up or shows up on your desktop, you asked for it. But don’t worry, it won’t steal your docs or rm you, it will just demonstrate compromise for the game.

To save precious bandwidth, this has been implemented in a minimal tinycore-based VM, and will require VirtualBox to run. But vbox is free – you can download it here:

Unfortunately, I didn’t have the time to add nearly all the things I wanted to, so there are really just a few challenges, a couple of counterhacks, and about 10 memes to conquer. Depending on your skill level, you could pwn (or be pwned) in just a few minutes or in a few hours. So hack it before it hacks you!

No sponsors are necessary, so don’t light yourself on fire. Simply download the evil VM here:, start it, and open up http://localhost:3000/ to begin. Now, you can totally cheat since you own the VM, but see if you can beat the challenges without cheating. Then you can go ahead and cheat, which should also be fun – you’re probably comfortable with many physical access attacks involving the hard disk, but this system doesn’t use a hard disk. So enjoy and remember…

May the odds be ever in your favor!



Some of you may have noticed this new pWnOS forum section. I created pWnOS as a virtual machine and Grendel was nice enough to let me post about it here. Here's a bit of information on pWnOS.

It's a linux virtual machine intentionally configured with exploitable services to provide you with a path to r00t. :) Currently, the virtual machine NIC is configured in bridged networking, so it will obtain a normal IP address on the network you are connected to. You can easily change this to NAT or Host Only if you desire. A quick ping sweep will show the IP address of the virtual machine. scenario/storyline with this one. I wasn't really planning to release it like this, so maybe for version 2.0 I'll be more creative. :) I'm anxious to get feedback so let me know how it goes or if you have questions. Thanks and good luck!


-- Readme

Thanks for trying pWnOS 1.0. A few things to note before getting started. pWnOS is made using VMware Workstation and can be started by downloading VMware Server or Vmware player...both of which are free! Or VMware Workstation (Windows) or VMware Fusion (OS X), which are not free.

  1. If Vmware asks whether you copied or moved this virtual machine on first boot, click MOVED! Otherwise the network settings could get messed up.
  2. The virtual machine is currently setup to use bridged networking, but you may want to change this to NAT or Host Only...depending on your preferences.
  3. All necessary tools/exploits/whatever can be found at
  4. There are multiple paths to get shell access. I created a n00b path and a more advanced path. See if you can get both of them!

I would rate the difficulty of pWnOS approximately the same as De-Ice's level 2 disk...maybe a bit more difficult. See for information on the De-Ice penetration testing disks.

I hope you enjoy it! If you have any questions or feedback, email me at bond00(at)


Source: readme.txt