Preface: How can we not have practice after learning some theory and skills? Let's build our own vulnerability practice platform.
============================================================
Using the Pikachu Vulnerability Playground System, I can't find the official website...
Pikachu is a web application system with vulnerabilities, which includes common web security vulnerabilities. If you are a web penetration testing learner and are worried about not having a suitable playground for practice, then Pikachu might be just right for you.
The vulnerability types on Pikachu are listed below:
Brute Force
XSS (Cross-Site Scripting)
CSRF (Cross-Site Request Forgery)
SQL-Inject (SQL Injection)
RCE (Remote Command/Code Execution)
Files Inclusion
Unsafe file downloads
Unsafe file uploads
Over Permission
../../../ (Directory Traversal)
I can see your ABC (Sensitive Information Disclosure)
PHP Deserialization Vulnerability
XXE (XML External Entity attack)
Insecure URL Redirection
SSRF (Server-Side Request Forgery)
More... (Look for surprises!)
The management tool provides a simple XSS admin backend that you can use to test phishing and cookie theft~
More vulnerabilities will be continuously added in the future. You are also welcome to submit vulnerability cases to me. Please follow Pikachu for the latest version.
Author's GitHub link: https://github.com/zhuifengshaonianhanlu
For each vulnerability category, different subclasses are designed based on different situations.
Installation
The database used is MySQL, so to run Pikachu you need to install the basic environment of "PHP+MYSQL+Middleware (such as Apache, Nginx, etc.)" in advance. It is recommended to use an integrated package such as XAMPP or WAMP to set up this environment directly in your testing environment.
-->Put the downloaded Pikachu folder in the web server's root directory;
-->Modify the database connection configuration in inc/config.inc.php according to the actual situation;
-->Access http://x.x.x.x/pikachu; an enthusiastic prompt in red will say "Welcome, Pikachu has not been initialized, click to proceed with the initialization installation!" Click it to complete the installation.
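A helper for the configuration step above, added here as an example and not taken from the Pikachu project. It assumes inc/config.inc.php stores its settings as PHP `define('NAME', 'value');` lines; the function name `set_define` and the constant names in the usage comment are assumptions, so check them against your copy of the file.

```shell
#!/bin/sh
# Added example (not Pikachu's own code): update one database setting in a
# config file made of PHP define('NAME', 'value'); lines.
# ASSUMPTION: constant names such as DBUSER / DBPW are illustrative; use the
# names that actually appear in your inc/config.inc.php.

# set_define FILE NAME VALUE
# Rewrites the value of the define() line for NAME, in place.
# Returns 1 if NAME is not defined in FILE, 2 if VALUE is unsafe to embed.
set_define() {
    file=$1
    name=$2
    value=$3

    # Reject characters that would break out of the PHP single-quoted
    # string or change the meaning of the sed replacement.
    case $value in
        *"'"*|*'\'*|*'|'*|*'&'*)
            echo "unsupported character in value" >&2
            return 2
            ;;
    esac

    # Fail loudly instead of silently leaving the file unchanged.
    if ! grep -q "^define('$name'" "$file"; then
        echo "$name not found in $file" >&2
        return 1
    fi

    tmp=$(mktemp) || return 1
    if sed "s|^define('$name',[[:space:]]*'[^']*')|define('$name', '$value')|" \
        "$file" > "$tmp"; then
        # cat keeps the original file's owner and permissions.
        cat "$tmp" > "$file"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: sh set_define.sh /var/www/html/pikachu/inc/config.inc.php DBPW 'labpass'
if [ "$#" -eq 3 ]; then
    set_define "$@"
fi
```
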
It's not difficult to build it at home by yourself. You need a Raspberry Pi or other hardware with low requirements. If not, a virtual machine will also work.