272
Appendix A
Creating a Vulnerable Web Application
To use some of the more advanced features of Metasploit and external tools such as Fast-Track and the Social-Engineer Toolkit (SET), you will need a vulnerable web application to test against. To create the database and tables, download and install SQL Server Management Studio Express from the link provided at http://www.nostarch.com/metasploit.htm.
After the installation and a healthy reboot, do the following:

1. Start the application by choosing Start > All Programs > Microsoft SQL Server 2005 > SQL Server Management Studio Express.
2. When prompted for credentials, select SQL Server Authentication from the Authentication drop-down, and log in using the username sa and the password password1.
3. In Object Explorer, right-click Databases and select New Database.
4. For the Database name, enter WebApp and click OK.
5. Expand Databases and the WebApp database tree.
6. Right-click Tables and select New Table. Name your new table users with the column names and types shown in Figure A-3.

Figure A-3: Users table columns

7. Save the users table, and then right-click it and select Open Table.
8. Populate the table with some sample data similar to that shown in Figure A-4, and then save your work.

Figure A-4: Populated users table

9. Expand the Security tree under Object Explorer, and then expand Logins.
10. Right-click Logins in the User Properties window and select New Login. In the Login-New window, click Search, enter ASPNET, and then click Check Names. The full username should automatically populate. Click OK to exit the user search.
11. Finally, while still in the User Properties window, select User Mapping, select the check box next to WebApp, select the db_owner role membership, and then click OK.
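The same database, table, and login mapping can be created from a query window as a T-SQL script instead of through the GUI; the script below is an added example, not from the book. Because Figures A-3 and A-4 are not reproduced here, the column layout and sample rows are assumptions, and MACHINENAME is a placeholder for the computer whose ASPNET account you are mapping.

```sql
-- Added example (not from the book): steps 3-11 as a T-SQL script.
-- Assumptions: column names/types and sample rows are constructed;
-- MACHINENAME must be replaced with the local computer name.
USE master;
GO
CREATE DATABASE WebApp;                       -- steps 3-4
GO
USE WebApp;
GO
-- Step 6: the users table (column layout is an assumption; the book's is in Figure A-3)
CREATE TABLE dbo.users (
    id       INT IDENTITY(1,1) PRIMARY KEY,
    username NVARCHAR(50)  NOT NULL,
    password NVARCHAR(50)  NOT NULL,
    email    NVARCHAR(100) NULL
);
GO
-- Step 8: constructed sample data (plaintext passwords are deliberate; this is a lab target)
INSERT INTO dbo.users (username, password, email) VALUES ('admin', 'password1', 'admin@lab.local');
INSERT INTO dbo.users (username, password, email) VALUES ('alice', 'letmein',   'alice@lab.local');
GO
-- Steps 10-11: create a Windows login for the ASP.NET worker account,
-- map it into WebApp, and give it db_owner (SQL Server 2005 syntax).
USE master;
GO
CREATE LOGIN [MACHINENAME\ASPNET] FROM WINDOWS;
GO
USE WebApp;
GO
CREATE USER [MACHINENAME\ASPNET] FOR LOGIN [MACHINENAME\ASPNET];
GO
EXEC sp_addrolemember 'db_owner', 'MACHINENAME\ASPNET';
GO
-- Check: list every member of db_owner so the mapping can be confirmed
SELECT dp.name AS principal, r.name AS role
FROM   sys.database_role_members rm
JOIN   sys.database_principals dp ON dp.principal_id = rm.member_principal_id
JOIN   sys.database_principals r  ON r.principal_id  = rm.role_principal_id
WHERE  r.name = 'db_owner';
GO
```

The db_owner mapping is exactly the over-privileged setting that makes this lab target useful; in a real deployment the application account would get only the table-level permissions it needs.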