272

Appendix A

Creating a Vulnerable Web Application

To use some of the more advanced features of Metasploit and external tools 
such as Fast-Track and the Social-Engineer Toolkit (SET), you will need a 
vulnerable web application to test against. To create the database and tables, 
download and install SQL Server Management Studio Express from the link 
provided at 

http://www.nostarch.com/metasploit.htm

.

After the installation and a healthy reboot, do the following:

1.

Start the application by choosing 

Start

All Programs

Microsoft SQL 

Server 2005

SQL Server Management Studio Express

.

2.

When prompted for credentials, select 

SQL Server Authentication

 from 

the Authentication drop-down, and log in using the username 

sa

 and the 

password 

password1

.

3.

In Object Explorer, right-click 

Databases

 and select 

New Database

.

4.

For the Database name, enter 

WebApp

 and click 

OK

.

5.

Expand Databases and the WebApp database tree.

6.

Right-click 

Tables

 and select 

New Table

. Name your new table 

users

 with 

the column names and types shown in Figure A-3.

Figure A-3: 

Users

 table columns

7.

Save the 

users

 table, and then right-click it and select 

Open Table

.

8.

Populate the table with some sample data similar to that shown in 
Figure A-4, and then save your work.

Figure A-4: Populated 

users

 table

9.

Expand the Security tree under Object Explorer, and then expand Logins.

10. Right-click 

Logins

 in the User Properties window and select 

New Login

. 

In the Login-New window, click 

Search

, enter 

ASPNET

, and then click 

Check Names

. The full username should automatically populate. Click 

OK

 to exit the user search.

11. Finally, while still in the User Properties window, select 

User Mapping

, 

select the check box next to 

WebApp

, select the 

db_owner

 role member-

ship, and then click 

OK

.