Walkthrough : testphp.vulnweb.com

About testphp.vulnweb.com

Suhel Kathi
7 min readMar 7, 2022

It is an example PHP application, which is intentionally vulnerable to web attacks. It is intended to help you test Acunetix. It also helps you understand how developer errors and bad configuration may let someone break into your website. You can use it to test other tools and your manual hacking skills as well.


This VAPT was performed during my winter vacation. The detailed report and findings are described below.


The objective of this test was to determine security vulnerabilities in the web server configuration and website running on the server. The tests were carried out assuming the identity of an attacker or with malicious intent. At the same time due care was taken not to harm the web server. This is the vulnerability assessment and penetration testing (VAPT) of testphp.vulnweb.com and our finding are described below.


The scope is to find OWASP top 10 vulnerabilities on the website Also, find other potential vulnerabilities testphp.vulnweb.com.

OWASP top 10–2017

A1 Injection

A2 Broken Authentication

A3 Sensitive Data exposure

A4 XML External Entities

A5 Broken Access control

A6 Security Misconfiguration

A7 Cross site Scripting

A8 Insecure Deserialization

A9 Using components with known vulnerabilities

A10 Insufficient logging and monitoring


All information, techniques and tools described in this write-up are for educational purposes only. Use anything in this write-up at your own discretion, I cannot be held responsible for any damages caused to any systems or yourselves legally. Usage of all tools and techniques described in this write-up for attacking individuals or organizations without their prior consent is highly illegal. It is your responsibility to obey all applicable local, state and federal laws. I assume and accept no liability and will not be responsible for any misuse or damage caused by using information herein.

HTML Injection , XSS(Client side scripting)

Hypertext Markup Language (HTML) injection is a technique used to take advantage of non-validated input to modify a web page presented by a web application to its users. Attackers take advantage of the fact that the content of a web page is often related to a previous interaction with users.

Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in a web browser of the victim by including malicious code in a legitimate web page or web application.

In the search art box form I had given following html code & script

After running the following script & code I found this

After successful login it gives us this following input

In this the name form is vulnerable it accepts the cross site script and it get stored in database which is reflecting when we call the current_user or system_user or we can use simple html h1 tag

Directory Listing , Improper Error Handling

A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers. Extended Description. A directory listing provides an attacker with the complete index of all the resources located inside of the directory.

Improper error handling flaws occur when an error message that’s displayed to an end user provides clues about how an application or website operates.

I went to the source page and I found this images/logo.gif

After clicking on that I had removed logo.gif so I had found this

DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analyzing the responses.

After this I used dirb and I found following output

After this I had visited each directory http://testphp.vulnweb.com/admin/

And that create.sql file gives me this information

After this http://testphp.vulnweb.com/cgi-bin/ gives information about server & port number

After this http://testphp.vulnweb.com/CVS/Repository its downloading a file and showing this information

After this http://testphp.vulnweb.com/index.php/ its giving information about nginx & its version

After this http://testphp.vulnweb.com/pictures/ its showing some text file and some html






After login I had tried to refresh its gives me this information

Broken Authentication & SQL Injection

Broken authentication attacks aim to take over one or more accounts giving the attacker the same privileges as the attacked user. Authentication is “broken” when attackers are able to compromise passwords, keys or session tokens, user account information, and other details to assume user identities.

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access

Weak password test & test Easy to crack by using brute force

SQL injection using SQL queries using ‘ or 1=1 — -

SQLmap is an open-source tool used in penetration testing to detect and exploit SQL injection flaws. SQLmap automates the process of detecting and exploiting SQL injection. SQL Injection attacks can take control of databases that utilize SQL.

Now I am going to use SQLMAP

sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 –dump

And I get the database name

sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 — dump -D acuart

After trying with sqlmap now we are trying from the victim directly without using sqlmap tool.

Now will run some MYSQL query to inject and try to get table details


It had given all the table name from all the database in target machine now will ask the specific database table name.


A list of table shown





And many more in below snap

Now will ask the particular table name data for eg: users


We can see a list columns in below snap

Directory traversal & Local File Inclusion

Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application.

Local File Inclusion is an attack technique in which attackers trick a web application into either running or exposing files on a web server. LFI attacks can expose sensitive information, and in severe cases, they can lead to cross-site scripting (XSS) and remote code execution.

In burp suite I had captured this particular image request

After capturing the request I had tried local file inclusion and successfully done

Business Price change

I had seen in the categories we can buy a product so I captured that request in burp suite

The price of the given product is $10000.

Now I am going to buy it in $10 as you can see my cart

Information Disclosure within a cookie

We can see username and password when we capture the request in burpsuite in cookie field


Experience has shown that a focused effort to problem outlined in this report can result in dramatic security improvements. Most of the identified problems do not required high-tech solutions, just knowledge of and commitment to good practices. For system to remain secure, however, security posture must be evaluated and improved continuously. Establishing the organisation structure that will support these ongoing improvements is essential in order to maintain control of corporate information systems. We conclude that the overall security needs to improve. We hope that the issues cited in this report will be addressed.

Thank you for reading this write-up.