Badstore: 1.2.3

  • Name: Badstore: 1.2.3
  • Date release: 24 Feb 2004

Please remember that VulnHub is a free community resource so we are unable to check the machines that are provided to us. Before you download, please read our FAQs sections dealing with the dangers of running unknown VMs and our suggestions for "protecting yourself and your network. If you understand the risks, please download!


(Size: 4.6 MB)

Welcome to is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure. Our Badstore demonstration software is designed to show you common hacking techniques.


v1.0 – Original version for 2004 RSA Show

v1.1 – Added:

  • More supported NICs.

  • Referrer checking for Supplier Upload.

  • badstore.old in /cgi-bin/

  • Select icons added to the /icons/ directory.

v1.2 – Version presented at CSI 2004


  • Full implementation of MySQL.

  • JavaScript Redirect in index.html.

  • JavaScript validation of a couple key fields.

  • My Account services, password reset and recovery.

  • Numerous cosmetic updates.

  • 'Scanbot Killer' directory structure to detect scanners.

  • favicon.ico.

  • Reset files and databases to original state without reboot.

  • Dynamic dates and times in databases.

  • Additional attack possibilities.

Source: BadStore_Manual.pdf

  • Filename: BadStore_123s.iso
  • File size: 4.6 MB
  • MD5: B0F3BA0C4BF1EC0D82170B0552E25B7E
  • SHA1: 6861B9DF1919D69EA198B1BEB509005D830890A8

  • Format: Disk Image (.ISO)
  • Operating System: Linux

  • DHCP service: Enabled
  • IP address: Automatically assign

  • Multiple Methods
  • Remote Vulnerability
  • Web Application