Appendix A

Creating a Vulnerable Web Application

To use some of the more advanced features of Metasploit and external tools such as Fast-Track and the Social-Engineer Toolkit (SET), you will need a vulnerable web application to test against. To create the database and tables, download and install SQL Server Management Studio Express from the link provided at http://www.nostarch.com/metasploit.htm.

After the installation and a healthy reboot, do the following:

1. Start the application by choosing Start ▸ All Programs ▸ Microsoft SQL Server 2005 ▸ SQL Server Management Studio Express.

2. When prompted for credentials, select SQL Server Authentication from the Authentication drop-down, and log in using the username sa and the password password1.

3. In Object Explorer, right-click Databases and select New Database.

4. For the Database name, enter WebApp and click OK.

5. Expand Databases and the WebApp database tree.

6. Right-click Tables and select New Table. Name your new table users with the column names and types shown in Figure A-3.

Figure A-3: Users table columns

7. Save the users table, and then right-click it and select Open Table.

8. Populate the table with some sample data similar to that shown in Figure A-4, and then save your work.

Figure A-4: Populated users table

9. Expand the Security tree under Object Explorer, and then expand Logins.

10. Right-click Logins in the User Properties window and select New Login. In the Login-New window, click Search, enter ASPNET, and then click Check Names. The full username should automatically populate. Click OK to exit the user search.

11. Finally, while still in the User Properties window, select User Mapping, select the check box next to WebApp, select the db_owner role membership, and then click OK.
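The same lab setup can be scripted instead of clicked through. The following T-SQL is an added example, not part of the book; it reproduces steps 3 through 11 for SQL Server 2005. The column names and types are assumed (Figure A-3 is not reproduced here), the sample rows are constructed, and MACHINENAME is a placeholder for the host name that Check Names fills in.

```sql
-- Added example (not from the book): script equivalent of the GUI steps.
-- Run in SQL Server Management Studio Express while connected as sa.
USE master;
GO
-- Step 4: create the WebApp database.
CREATE DATABASE WebApp;
GO
USE WebApp;
GO
-- Step 6: the users table. Columns are ASSUMED; adjust to match Figure A-3.
-- Storing plaintext passwords is part of the intentionally vulnerable lab
-- design; do not copy this schema into a production application.
CREATE TABLE dbo.users (
    id         INT IDENTITY(1,1) PRIMARY KEY,
    username   NVARCHAR(50) NOT NULL,
    password   NVARCHAR(50) NOT NULL,
    first_name NVARCHAR(50) NULL,
    last_name  NVARCHAR(50) NULL
);
GO
-- Step 8: constructed sample data (substitute your own, as in Figure A-4).
INSERT INTO dbo.users (username, password, first_name, last_name) VALUES
    (N'admin', N'password1', N'Lab',  N'Admin'),
    (N'jdoe',  N'letmein',   N'Jane', N'Doe'),
    (N'tuser', N'test123',   N'Test', N'User');
GO
-- Step 10: Windows login for the ASP.NET worker account.
-- MACHINENAME is a placeholder for the local host name.
USE master;
GO
CREATE LOGIN [MACHINENAME\ASPNET] FROM WINDOWS;
GO
-- Step 11: map the login into WebApp with db_owner membership.
-- db_owner is deliberately permissive here so the lab app is exploitable;
-- a hardened deployment would grant only the specific rights the app needs.
USE WebApp;
GO
CREATE USER [MACHINENAME\ASPNET] FOR LOGIN [MACHINENAME\ASPNET];
EXEC sp_addrolemember N'db_owner', N'MACHINENAME\ASPNET';
GO
```

Verify the mapping afterwards with `EXEC sp_helpuser N'MACHINENAME\ASPNET';` in the WebApp database, which should list db_owner under the user's roles.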