Vulnerable OS Collection is a collection of four Ubuntu-based OSes which contain real-world vulnerable web applications. The motive behind this project was to enable pentesters to learn by carrying out practical attacks. The OSes come in OVF format and can be imported into Oracle VirtualBox or VMware Workstation Player/Pro, so pentesters can get them ready in less time and start practicing.
These vulnerable OSes are:
- Command Injection (CI) OS, which contains the following vulnerable web apps:
  - AjaXplorer
  - Basilic
  - LotusCMS
  - Log1CMS
  - PHP-Charts
  - PHP Tax
  - Webmin
  - SugarCRM
  - Zenoss
  - Splunk
- Arbitrary File Upload (AFU) OS, which contains the following vulnerable web apps:
  - AppRain CMF
  - Cuteflow
  - eXtplorer
  - Glossword
  - Joomla Media Upload
  - Kordile EDMS
  - Libretto CMS
  - Mobilecartly
  - ProjectPier
  - QdPM
  - Sflog
  - TestLink
  - VCMS
  - WebPagetest
  - XODA
  - ChillyCMS
  - Free-Blog
- Cross-Site Scripting (XSS) OS, which contains the following vulnerable web apps:
  - Achievo
  - ArticleSetup
  - BigTree-CMS
  - Concrete
  - Family Connection
  - GetSimple
  - NewsCoop
  - ORBIS CMS
  - PHP Web Directory
  - Posnic
  - ProQuiz
  - SCMS
  - PHP Ticket System
  - ShoutBox
  - Syndeo CMS
  - Pligg CMS
- SQL Injection (SQL) OS, which contains the following vulnerable web apps:
  - FoeCMS
  - Joomla CMS
  - Posnic
  - Sandbox
  - Wiki Web Help
  - YVS Image Gallery
  - B2ePMS
  - Hotel Portal
  - NanoDB
  - NewScoop
  - PHP My Recipes
  - Quotations
  - ReciPHP
  - SN News
The OSes can be downloaded from the following links:
Default credentials for all OSes:
- Username: SecurityTube
- Password: 123321
We have used these VMs in our Pentester Academy courses. Interested people can check those out at the following links.
- Pentesting Challenges: http://www.pentesteracademy.com/course?id=12
To learn more about Web Application Pentesting, please have a look at the following courses:
- Web Application Pentesting: http://www.pentesteracademy.com/course?id=5
- Javascript for Pentesters: http://www.pentesteracademy.com/course?id=11
- WAP Challenges: http://www.pentesteracademy.com/course?id=8
- Ashish Bhangale, Sr. Security Researcher, Pentester Academy (@Hax0rGuy)
Vulnerable OS Login Screen