Intentionally exploitable code from HackPSU Spring 2019 workshop on security.

david-samuel-mcdermott/exploitplayground

Welcome to the exploit playground

Please use caution while running these web pages; they are intentionally insecure!

To set up a server, install XAMPP to get Apache, MySQL/MariaDB, Perl, and PHP set up on your machine. You don't really need Perl, so if you can set up Apache, PHP, and MySQL/MariaDB on your own, go for it!

This repository should then be cloned into your www directory for the files to run.

localhost/search is a demonstration of SQL injection. localhost/social is a demonstration of XSS and a PHP include vulnerability.

The files in the posts folder demonstrate XSS and injection vulnerabilities; the popups are expected. Check the search.php file for database details; it assumes the user is root and there is no password. The search page assumes that your database has a products table with fields name and price, but it doesn't care what's in them.

To set up the database like we did, run the following SQL queries:

create table products (name text, price int);
insert into products (name, price) values ('hammer', 5);
create table login (username text, password text);
insert into login (username, password) values ('admin', 'pLaInTeXtPaSsWoRd');
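
A hardened counterpart to the search query, as an added example that is not code from this repository: it contrasts a concatenated query with a prepared statement over the products table above and HTML-encodes the output. The function names, the second sample row and the sample inputs are constructed for illustration, and in-memory SQLite (through PDO) stands in for MySQL/MariaDB so the script runs offline.

```php
<?php
// Added example: a constructed stand-in for a search page, not the repository's search.php.
// Assumption: pdo_sqlite is enabled; SQLite replaces MySQL/MariaDB so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("create table products (name text, price int)");
$db->exec("insert into products (name, price) values ('hammer', 5)");
$db->exec("insert into products (name, price) values ('carpenter''s level', 12)"); // constructed row

// Injectable pattern: user input is pasted into the SQL text, so a quote in the
// input ends the string literal and whatever follows is parsed as SQL.
function search_concat(PDO $db, string $term): array {
    $sql = "select name, price from products where name like '%" . $term . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the SQL text is fixed and the input travels as a bound value.
function search_prepared(PDO $db, string $term): array {
    // Escape LIKE wildcards so % and _ typed by the user match literally.
    $like = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';
    $stmt = $db->prepare("select name, price from products where name like :term escape '!'");
    $stmt->execute([':term' => $like]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output encoding for the result page: product names are data, never markup.
function render_row(array $row): string {
    return '<li>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8')
         . ' - ' . (int) $row['price'] . '</li>';
}

$inputs = ["hammer", "carpenter's", "%"]; // constructed sample inputs
foreach ($inputs as $term) {
    try {
        $n = count(search_concat($db, $term));
        echo "concat   [$term]: $n row(s)\n";
    } catch (PDOException $e) {
        // A lone apostrophe changed the query's structure: the input reached the SQL parser.
        echo "concat   [$term]: query broke on user input\n";
    }
    $rows = search_prepared($db, $term);
    echo "prepared [$term]: " . count($rows) . " row(s)\n";
    foreach ($rows as $row) {
        echo "  " . render_row($row) . "\n";
    }
}
```

On a real deployment the same prepared-statement code should also connect as a dedicated database account with a password and only SELECT on products, rather than the passwordless root account the README describes.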