Skip to content
Vulnerable Web applications Generator
Branch: master
Clone or download
Latest commit 1a7cca5 Dec 10, 2017
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.vscode Apply watchdog to filePointer Jun 27, 2016
Addon Add description to parser Jan 20, 2017
core many problems are fixed Dec 10, 2017
demo fix some code & add many scripts that I use in HITCON Training Nov 30, 2016
examples
.gitignore add node support Nov 16, 2016
LICENSE
README.md
VWGen.py many problems are fixed Dec 10, 2017
__init__.py
pylintrc clean up Jun 26, 2016
requirements.txt update tsaotun to 0.9.4 Dec 10, 2017

README.md

Vulnerable Web applications Generator

This is the Git repo of the VWGen, which stands for Vulnerable Web applications Generator.

Relevant links: Github


Table of contents


Releases

  • 0.1.0 -- Initial release
  • 0.2.0 -- Now, VWGen can also be one of Tsaotun's addon. 🎉

Status quo

  1. Supporting very limited modules, such as SQLI, NOSQLI, LFI, CRLF, Command Injection and XSS.
  2. There are two important modules which play essential role in deploying vulnerable web apps.
    • unfilter module scrap the sites and find the keywords to be replaced by parameters.
    • expand module learn the sites and try to rearrange the elements to let child modules insert their payloads within it.
  3. Only two themes right now.
  4. Python3 is currently not supported!
  5. --file option works, but it still needs some developing. Example command: ./VWGen.py --file="$VWGen_HOME/examples/2016_ais3_web3/sample.py"

Feature

--file option makes share web challenges easily. All you need to do is provide a custom script, which defines how vulnerabilities would be made or be triggered, and each one can just load that script to spawn the same vulnerable web applications immediately.

There is a examples/ directory in the root folder, and I will put some sample scripts in it. Now, we have so many scripts!

Install

  1. Install docker binary. Only versions 1.11.0 above are supported. Check out official installing guide.
  2. sudo apt-get install -y libcurl4-gnutls-dev libcurl4-nss-dev libcurl4-openssl-dev to make pycurl happy.
  3. Pull fundamental images that we gonna use with VWGen:
    • docker pull richarvey/nginx-php-fpm:php5
    • docker pull richarvey/nginx-php-fpm:php7
    • docker pull mysql:5
    • docker pull phpmyadmin/phpmyadmin:4.6.5.1-1
    • docker pull node:7
  4. Install lxml: apt-get install python-lxml.
  5. Clone VWGen and cd to it.
  6. Install packages:
    1. Through pip
      • pip install -r requirements.txt
    2. Through pipenv
      • pip install pipenv
      • pipenv install
      • pipenv shell or pipenv shell --fancy
  7. Type ./VWGen.py --help to test if it works or check below for more instructions.

Instruction

Usage: VWGen.py [options]

Options:
--version             show program's version number and exit
-h, --help            show this help message and exit
-c, --console         enter console mode
--backend=BACKEND     configure the backend (Default: php)
--theme=THEME         configure the theme (Default: startbootstrap-
                        agency-1.0.6)
--expose=EXPOSE_PORT  configure the port of the host for container binding
                        (Default: 80)
--database=DBMS, --db=DBMS
                        configure the dbms for container linking
--modules=LIST        list of modules to load (Default: +unfilter)
--color               set terminal color
-v, --verbose         set verbosity level

Under development:
    Following options are still in development!

    --file=FILENAME     specify the file that VWGen will gonna operate on

In Brief

Which types of vulnerabilities will be generated would depend on the modules you set while you start VWGen, and following are some screenshots of VWGen:

  • ./VWGen.py -c - Enter console mode.
  • ./VWGen.py - Start VWGen with some default arguments.
  • ./VWGen.py --module="+sqli" --database="MySQL" - Start VWGen with MySQL based SQL Injection.
  • ./VWGen.py --module="+exec" - Start VWGen with command injection vulnerability.

Known issues

  1. mod_expand.py can produce defferent extensions, but it still needs user's interaction to modify source code (Warning message is provided).

Contributing to VWGen

Linux Windows MacOSX
Compatibility Docker Version Compatibility Docker Version Compatibility Docker Version

Wanna enrich the possibilities that VWGen can inspire? Send pull requests or issues immediately!

LICENSE

This project use Apache License, Version 2.0.

You can’t perform that action at this time.