Vulnerable Web applications Generator
Status quo
- There are two important modules which play the essential role in deploying vulnerable web apps.
- unfilter module scraps the sites and finds the keywords to be replaced by parameters.
- expand module learn the sites and try to rearrange the elements to let child modules insert their payloads within it.
- Python3 is currently not supported!
--file
option works, but it still needs some developing. Example command:./VWGen.py --file="$VWGen_HOME/examples/2016_ais3_web3/sample.py"
Feature
--file
option makes share web challenges easily. All you need to do is provide a custom script, which defines how vulnerabilities would be made or be triggered, and each one can just load that script to spawn the same vulnerable web applications immediately.
There is a examples/ directory in the root folder, and I will put some sample scripts in it. Now, we have so many scripts!
Install
sudo apt-get install -y libcurl4-gnutls-dev libcurl4-nss-dev libcurl4-openssl-dev
to makepycurl
happy.- Pull fundamental images that we gonna use with VWGen:
docker pull richarvey/nginx-php-fpm:php5
docker pull richarvey/nginx-php-fpm:php7
docker pull mysql:5
docker pull phpmyadmin/phpmyadmin:4.6.5.1-1
docker pull node:7
- Install lxml:
apt-get install python-lxml
. - Clone the repo: git clone https://github.com/qazbnm456/VWGen.git
- Install packages:
- Through
pip
pip install -r requirements.txt
- Through
pipenv
pip install pipenv
pipenv install
pipenv shell
orpipenv shell --fancy
- Through
- Type
./VWGen.py --help
to test if it works or checks below for more instructions.
Instruction
Usage: VWGen.py [options]
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-c, --console enter console mode
--backend=BACKEND configure the backend (Default: php)
--theme=THEME configure the theme (Default: startbootstrap-
agency-1.0.6)
--expose=EXPOSE_PORT configure the port of the host for container binding
(Default: 80)
--database=DBMS, --db=DBMS
configure the dbms for container linking
--modules=LIST list of modules to load (Default: +unfilter)
--color set terminal color
-v, --verbose set verbosity level
Under development:
Following options are still in development!
--file=FILENAME specify the file that VWGen will gonna operate on
In Brief
Which types of vulnerabilities will be generated would depend on the modules you set while you start VWGen, and following are some screenshots of VWGen:
./VWGen.py -c
– Enter console mode.
./VWGen.py
– Start VWGen with some default arguments.
./VWGen.py --module="+sqli" --database="MySQL"
– Start VWGen with MySQL based SQL Injection.
./VWGen.py --module="+exec"
– Start VWGen with command injection vulnerability.
Copyright 2016 Boik (lobsiinvok@tdohacker.org)
Source: https://github.com/qazbnm456/
Source
https://securityonline.info/vwgen-vulnerable-web-applications-generator/