This section covers some of the example attacks against PHP-Nuke, a free, open source web site framework written in PHP. The application runs on many platforms (Windows, Linux, Unix) and can interface with multiple databases (MySQL, MS SQL, Oracle, etc). It can be downloaded from http://www.phpnuke.org.
In order to follow along, please install the application on your system; Linux installation directions are provided for convenience. Keep in mind that it should not be used for any production purposes.
We assume that you have a modern Linux system. PHP-Nuke requires that MySQL, PHP, and Apache are installed. You might also need to install the following RPM packages, if you are using Red Hat Linux (all of these are included in the distribution; some other prerequisites might need to be satisfied):
The application is surprisingly easy to install and configure and will produce a flexible database-driven web site, complete with all the latest SQL injection vulnerabilities, in minutes.
Follow these steps to get the application up and running:
Download the application:
$ wget http://umn.dl.sourceforge.net/sourceforge/phpnuke/PHP-Nuke-6.5.tar.gz
Unpack the resulting archive:
$ tar zxf PHP-Nuke-6.5.tar.gz
Start the database server:
# /etc/init.d/mysql start
Create the database using the MySQL administrator tool:
# mysqladmin create nuke
Create all the required database structures using the included "nuke.sql" tool:
# cd sql ; mysql nuke < nuke.sql ...