As APIs (Application Programming Interfaces) become ubiquitous, IT infrastructure moves to the cloud and big businesses push towards Infrastructure as Code (IaC), web app testing now forms a significant part of any thorough penetration test. Whilst there are some excellent resources available online, a great way to understand web app testing, and in turn get some experience working with SQL and PHP, is by setting up your own vulnerable LAMP server.
LAMP stands for Linux (OS), Apache (web server), MySQL (relational database management system), and PHP (object-oriented scripting language). In short, it's a Linux server capable of generating dynamic web pages that run PHP code and load data from a MySQL database. This type of setup is everywhere on the internet, including the other flavours XAMP, WAMP, and MAMP, depending on which host operating system is used. Furthermore, with injection, cross-site scripting (XSS), and deserialisation all being in the OWASP Top 10, there is always a need to be practising and understanding these attack vectors.
Setting up a Linux host machine
In my CTF tutorial I used an older version of Ubuntu as one of the attack vectors was the OS itself. However, with this build I've opted for a newer distro called Linux Mint. It can be downloaded from HERE.
Once downloaded, start your virtualisation software (I use VirtualBox) and attach the iso file to the IDE controller. With this setting it emulates booting from a disc for the first time.
Once it boots for the first time you get a quick look at a familiar Windows-esque desktop before clicking the 'Install Linux Mint' disc icon.
After following some simple steps, the installer asks whether it can erase the (virtual) disk and install Linux Mint. Click 'Install Now'.
After setting the machine name and a user/password combination, the installation requires a restart. At this point, it is also time to remove the iso from the VirtualBox machine settings, or the boot/installation process will start over.
The final step before configuring the AMP part of our LAMP server is to update the repositories and upgrade the OS. Open a terminal window and type the following:
Now, for some reason I had a recurring issue with the dpkg process here. If you run into a similar issue try the following commands:
This will clear out the cache, update the package list to the latest, try to fix any installations that didn't finish, and then finally upgrade the distro.
Installing Apache
Next, we're going to install the Apache HTTP server.
Once this is installed and running, if you navigate to http://127.0.0.1 or http://localhost in the Firefox browser you should see this page:
Installing MySQL
Now we have our Apache server running, we can install a MySQL database. In the terminal type:
You should be prompted to set a password for the database, but if you are not, you can issue the following command within the MySQL shell.
In this case, I set the 'NEWPASSWORD' as P@SSWORD123 to make it vulnerable, but in a real-life setting you need to use a much stronger password.
Installing PHP
PHP is the final foundation for our LAMP server before we can start installing web apps. The latest version of PHP is 7.3, but we need an older version (5.6) to make sure our vulnerable software will work properly. As Linux Mint defaults to the latest in its repositories, we will need to edit the repository list in order to install an older version of PHP.
Press enter to install the repository, then update the repositories using the following command:
Now, we can go ahead and install PHP 5.6:
We can check that the installation has been successful:
Everything looks good so far and we can see that the PHP version displayed is 5.6. We can now make a quick page to check that it is set up correctly on the Apache server. Issue the following command to change to the Apache directory:
Next, using a text editor we can create a file called phpinfo.php:
Then, type in the following:
Exit and save. Now, if you navigate to http://127.0.0.1/phpinfo.php it should display the PHP info in the browser.
The LAMP server is now up and running, but we need to install some web apps for it to be useful for practising on.
Installing DVWA (Damn Vulnerable Web App)
The DVWA is exactly as named. It's a PHP/MySQL web app that has many different vulnerabilities and is aimed at educating students and professionals alike in understanding the different attack vectors possible. It can be downloaded from HERE.
Once the file has downloaded, we can change directories to Downloads, unzip the file, move it to our Apache directory, and then change to the Apache directory so we can continue with the setup.
Next, open the config.inc.php.dist file using a text editor.
Change the password to match our P@SSWORD123 from the MySQL setup.
Make sure to save the file as config.inc.php by removing the dist from the end of the file name. Then, reload the Apache service.
Now, if we navigate to http://127.0.0.1/dvwa/ we should see the Database Setup page.
As you can see, there are a number of items highlighted in red that will need resolving before we can go ahead with the database setup.
PHP function allow_url_include: Disabled
To set this we need to change directory to our PHP folder and open the php.ini file in order to edit it.
Once the file is open in a text editor, press Ctrl+W and search for allow_url_include. Change the value from Off to On.
Save the change and reload the Apache service:
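Editing php.ini by hand works, but it is easy to change a commented-out copy of the directive and wonder why the setup page still shows it disabled. The following is an added example, not a command from the original post: a small POSIX shell helper that rewrites a `key = value` directive (commented or not) and reads the effective value back so you can confirm it before reloading Apache. The php.ini content below is a constructed fragment written to a temp directory; on the VM you would point it at the real php.ini under the PHP 5.6 Apache config directory. Note that allow_url_include = On is precisely what makes the remote file inclusion labs work, and exactly the setting you would expect to find Off on any server that is not a lab.

```shell
#!/bin/sh
# Added example (not from the original post): set a php.ini directive
# idempotently and read it back, so the change can be verified before
# reloading Apache. Paths and the sample ini content are constructed.

# set_ini_directive FILE KEY VALUE
# Rewrites "key = anything" (optionally commented with ';') to "key = VALUE".
# Appends the line if the key is absent.
set_ini_directive() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*;?[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[[:space:]]*;?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_ini_directive FILE KEY
# Prints the effective (uncommented) value; the last occurrence wins, as in PHP.
get_ini_directive() {
    sed -n -E "s|^[[:space:]]*${2}[[:space:]]*=[[:space:]]*(.*)[[:space:]]*$|\1|p" "$1" | tail -n 1
}

# Demo on a constructed php.ini fragment in a temp dir (never the live file).
demo_dir=$(mktemp -d)
cat > "$demo_dir/php.ini" <<'EOF'
; constructed sample, mirrors the relevant stock lines
allow_url_fopen = On
allow_url_include = Off
EOF
set_ini_directive "$demo_dir/php.ini" allow_url_include On
get_ini_directive "$demo_dir/php.ini" allow_url_include
```

Because the helper matches the whole `key =` prefix rather than just the word, it will not accidentally touch a directive whose name merely contains the one you asked for; run the getter on the real file after editing and only reload Apache once it prints On.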
PHP module php-gd: Missing
This is easily installed with the following command; then reload the Apache service again.
reCAPTCHA key: Missing
We can navigate to https://www.google.com/recaptcha/ to generate our own keys for the Insecure CAPTCHA module. You will have to log in with a valid Google account. I have a separate account set up for this for security reasons. Once you're logged in, click on the Get reCAPTCHA button.
We can then register the site and generate some keys. Note the domains in the image below.
We're then taken to a page that displays a site key and a secret key.
Open the config file in the DVWA folder.
Then, we can add the keys to their corresponding lines in the ReCAPTCHA Settings.
Save the changes and then reload the Apache service.
Writable folder /var/www/html/DVWA-master/hackable/uploads/: No
This folder just needs the permissions to be set in a way that allows other users to read and write to it - thus making it more vulnerable.
Writable file /var/www/html/dvwa/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt: No
As before, we need to set the permissions for this file.
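The two permission fixes above are the kind of change that is easy to forget about once the setup page turns green. As an added example (not the original post's commands), the helper below loosens a path the way the DVWA setup page wants and then audits a web root for every world-writable file or directory, so the list of what you deliberately weakened is always one command away. The mock web root is constructed in a temp directory; on the VM you would run the audit against /var/www/html.

```shell
#!/bin/sh
# Added example (not from the original post): make a lab upload directory
# world-writable the way the DVWA setup page wants, then audit the web root
# for every world-writable path so you know exactly what you loosened.
# Paths are constructed; point audit_world_writable at /var/www/html on the VM.

# lab_make_writable PATH : grant read/write to everyone (lab-only setting)
lab_make_writable() {
    chmod o+rw "$1"
    # directories also need o+x so other users can traverse into them
    if [ -d "$1" ]; then
        chmod o+x "$1"
    fi
}

# audit_world_writable ROOT : print world-writable files/dirs under ROOT, one per line
audit_world_writable() {
    find "$1" -perm -0002 \( -type f -o -type d \) | sort
}

# count_world_writable ROOT : number of world-writable entries (handy in scripts)
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# Demo on a constructed mock web root
root=$(mktemp -d)
mkdir -p "$root/dvwa/hackable/uploads" "$root/dvwa/config"
: > "$root/dvwa/hackable/uploads/.keep"
chmod 755 "$root/dvwa/hackable/uploads"
chmod 644 "$root/dvwa/hackable/uploads/.keep"
lab_make_writable "$root/dvwa/hackable/uploads"
lab_make_writable "$root/dvwa/hackable/uploads/.keep"
audit_world_writable "$root"
```

The audit uses the numeric test `-perm -0002` (the "other write" bit is set) rather than a symbolic mode so it behaves the same on every find implementation; anything it prints outside the upload and log paths the setup page asked for is a permission you did not mean to grant.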
Once this step is complete, the Database Setup page should display everything in green. Click Create/Reset Database at the bottom of the page and DVWA will connect to MySQL and create the relevant database. We will then be presented with the login screen. The default credentials are username: admin, password: password.
Installing OWASP Mutillidae
Mutillidae is another highly vulnerable web app from the OWASP organisation. This web app also explicitly covers the OWASP Top 10 lists for 2007, 2010, 2013 and 2017, with at least one example of each vulnerability. It can be downloaded from HERE.
Once downloaded, we can change to the Downloads directory, unzip the file and move it to our Apache directory.
Next, we need to set up the password in MySQLHandler.php file which will allow Mutillidae to connect to the database.
Scroll down the file until you find static public $mMySQLDatabasePassword = ""; and enter the database password (in our case P@SSWORD123) between the quotation marks. Save the changes and exit the file.
Next, we are going to modify the Apache directory config so that index.php is loaded first. Comment out (hash out) the current DirectoryIndex line and add in a new one, making sure that index.php is first.
Save the changes and exit the document.
We're also going to add php5.6-simplexml to allow the server to retrieve and manipulate XML data, which the XML External Entity (XXE) exercises need (another OWASP Top 10 category).
Reload the Apache service and then navigate to http://127.0.0.1/mutillidae-master in the web browser. Click 'Setup/reset the DB' and it should display a pop-up box saying "No PHP or MySQL errors were detected when resetting the database".
If you do run into any errors, the home page has some step by step instructions to rectify them.
We should now be looking at the page below:
Note the warning advising us that PHP Curl is not installed on the server. This can be quickly rectified by using the following command:
We should then be greeted with a page showing no errors, ready to use.
Installing Sqli-Labs
Sqli-labs is a series of lessons focussed purely on SQL attacks. It can be downloaded from HERE.
Change to the Downloads directory, unzip the downloaded file and move it to the Apache directory.
Then, we need to add our MySQL password to the database config file.
If we then navigate to http://127.0.0.1/sqli-labs-master in a browser, the following page should be displayed:
Click the Setup/Reset Database for labs link and the database will be generated.
As you can see, the lessons offered are fairly extensive:
Installing bWAPP (Buggy Web App)
The final piece of software we are going to add (although go ahead and add more to yours as and when you see fit) is bWAPP (Buggy Web App) - you can download it from HERE. bWAPP has over 100 vulnerabilities, including the OWASP top 10.
Once downloaded, change to the Downloads directory, unzip the bWAPP file, and move it to the Apache directory.
Then, we need to edit the database settings that will allow it to connect to our SQL database.
Add our database password in the correct space.
Save and exit. Then, change to the bwapp directory and change the permissions for the passwords, images, and documents directories. Again, allowing all users read, write, and execute privileges makes the app vulnerable.
After modifying the directory permissions, open a browser and navigate to http://127.0.0.1/bwapp/bWAPP/install.php, then click the button to install. You should then see the login page. The default credentials are bee:bug.
Summary
In this tutorial we have:
Installed Linux Mint
Installed Apache
Installed MySQL and set up a database
Installed an old version of PHP by using additional repositories
Installed DVWA and used Google reCAPTCHA
Modified directory and file permissions
Installed Mutillidae 2
Modified config files
Installed SQLi-Labs
Installed bWAPP
What we now have is a machine that contains hours of web app testing material. Once you've completed the labs on here you could either add more from this list, or add this machine to a network and try to exploit the apps remotely. Please remember not to expose this machine to the web, as you know how vulnerable it is!
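A quick way to check that last point is to look at which addresses the services on the VM are actually listening on: Apache and MySQL bound to 0.0.0.0 or [::] answer on every interface, including a bridged one. The following is an added example, not part of the original post: a POSIX shell filter that reads `ss -Hltn`-style output and prints every listener that is not bound to a loopback address. The socket lines below are a constructed sample so the script runs anywhere; on the lab machine you would pipe the real `ss -Hltn` output into exposed_listeners.

```shell
#!/bin/sh
# Added example (not from the original post): flag listening TCP sockets
# that are reachable from outside the VM. Feed it `ss -Hltn` output on the
# lab machine; here a constructed sample is used so it runs anywhere.

# exposed_listeners : reads `ss -Hltn`-style lines on stdin and prints the
# Local:Port column of every listener not bound to a loopback address.
exposed_listeners() {
    awk '$1 == "LISTEN" {
        local = $4
        # the port is the last colon-separated field; strip it to get the address
        n = split(local, parts, ":")
        addr = local
        sub(":" parts[n] "$", "", addr)
        gsub(/\[|\]/, "", addr)          # [::1] -> ::1
        if (addr != "::1" && addr !~ /^127\./)
            print local
    }'
}

# Constructed sample of what `ss -Hltn` prints on a freshly built lab box:
# Apache on all interfaces (v4 and v6), MySQL on loopback only, sshd on all.
SAMPLE_SS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:80 [::]:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# count_exposed : number of non-loopback listeners in the constructed sample
count_exposed() {
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

On the sample it prints the two Apache sockets and sshd, which is fine as long as the VM's network adapter is host-only or NAT without port forwarding; if the adapter is bridged, each line printed is a vulnerable application reachable by everything on that LAN.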