SQL-Injection Testbed on OS X

I’ve done some SQL-Injection vulnerability / penetration testing before of sites I’ve been responsible for but I wanted a testbed which I knew to have issues that I could probe.

The folks at SQLInjection.net have great stuff and a simulation environment but the set-up for that environment doesn’t give instructions for set-up on OS X, and I run on OS X so had to do some extra steps to get it all to fly.

Install PHP for OS X using XAMPP

First we need Apache PHP running on the Mac, I used XAMPP for OS X 5.6.24, you should be fine with whatever is the latest version.

Visit Apache Friends and download the installer:

Screen Shot 2016-11-11 at 13.22.42.png

Once downloaded (file xampp-osx-5.6.24-1-installer.dmg) fire up the installer dmg and then select the XAMPP icon to start the install.

Screen Shot 2016-11-11 at 13.41.41.png

The install wizard will start

Screen Shot 2016-11-11 at 13.43.05.png

Click Next>

Screen Shot 2016-11-11 at 13.43.29.png

Leave the defaults and click Next> again

Screen Shot 2016-11-11 at 13.44.01.png

Then Next> yet again – nearly there

Screen Shot 2016-11-11 at 13.45.00.png

Uncheck the “Learn more about Bitnami for XAMPP” (unless you want to learn more!) and click Next>

Screen Shot 2016-11-11 at 13.46.03.png

Then finally Next> to start the install.

Screen Shot 2016-11-11 at 13.46.25.png

Wait for the install to complete.

Screen Shot 2016-11-11 at 13.48.44.png

Uncheck the “Launch XAMPP” and click Finish.

Now we need to configure XAMPP and check all is well.

Fire up the Launchpad (normally F4 unless you’ve customised your keyboard), find and open “XAMPP (other)”,

Screen Shot 2016-11-11 at 13.54.03.png

Open it and run “manager-osx”

Screen Shot 2016-11-11 at 13.54.09.png

You’ll probably need to authenticate before getting to the app

Screen Shot 2016-11-11 at 13.56.20.png

Select the “Manage Servers” tab

Screen Shot 2016-11-11 at 13.57.03.png

Make sure the “Apache Web Server” is running – if it’s not select it and click “Start”, you don’t need to start MySQL or ProFTPD.

Now we can check XAMPP is working correctly by pointing a browser at localhost and you should see the “Welcome to XAMPP” page.

Screen Shot 2016-11-11 at 14.00.39.png

Great – all is well. The last thing to do before grabbing the SQL Injection Simulator is to stop the server so back to the “manager-osx” “Manage Servers” tab and and click “Stop All” and wait for all to stop.

Screen Shot 2016-11-11 at 14.02.41.png

Installing sqlinjection.net’s SQL Injection Simulator

First we need to grab the zip file that contains the simulator.

Go to http://www.sqlinjection.net/simulation/ and click “Download Now”, you should get a file sqlinjection_simulation.zip in Downloads.

Now we need to drop the simulator into our PHP environment.

Start up a Terminal and navigate to the PHP web server in XAMPP:

> cd /Applications/XAMPP/xamppfiles/htdocs

The contents of the zip file need to be placed here, but first we need to remove the files the XAMPP installer put here (or move them elsewhere if you want to keep them – no need really):

> sudo rm -rf /Applications/XAMPP/xamppfiles/htdocs/*

Now copy the zip file from Downloads:

> sudo cp ~/Downloads/sqlinjection_simulation.zip /Applications/XAMPP/xamppfiles/htdocs

And then unzip it:

> sudo unzip sqlinjection_simulation.zip

OK – We’re nearly there but we need to make sure that the owner of the files in the simulator is correct.

The file /Applications/XAMPP/xamppfiles/etc/httpd.conf specifies the user that PHP runs as, check it is “daemon” with:
> cat /Applications/XAMPP/xamppfiles/etc/httpd.conf | grep -A 5 User/Group

Which should give you:

# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User daemon
Group daemon

Showing that the User and Group are indeed “daemon”.

So the last bit of set-up is to make sure that the simulator files are owned by daemon:

> cd /Applications/XAMPP/xamppfiles/htdocs
> sudo chown -R daemon:daemon *

That’s it.  Now go back to manager-osx, select “Apache Web Server” and click Start then also select “MySQL Database” and click start.

Screen Shot 2016-11-11 at 14.26.59.png

Now once again go to localhost and you should see the SQL Injection simulator running:

Screen Shot 2016-11-11 at 14.28.57.png

Click the “Setup / Reset” tab

Screen Shot 2016-11-11 at 14.29.17.png

Then click “Launch database script”

Screen Shot 2016-11-11 at 14.29.32.png

And that’s it, the simulator is all set-up and running.  Select the Instructions tab and dive in.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s