Add php page vulnerable to sql injection.

Vagrantfile

@@ -165,6 +165,7 @@ Vagrant.configure("2") do |config|
       chef.add_recipe "metasploitable::docker"
       chef.add_recipe "metasploitable::samba"
       chef.add_recipe "metasploitable::unrealircd"
+      chef.add_recipe "metasploitable::payroll_app"
     end
   end
 end

chef/cookbooks/metasploitable/files/payroll_app/payroll.sql

@@ -0,0 +1,60 @@
+-- phpMyAdmin SQL Dump
+-- version 3.5.8
+-- http://www.phpmyadmin.net
+--
+-- Host: 127.0.0.1
+-- Generation Time: Apr 10, 2017 at 04:42 PM
+-- Server version: 5.5.54-0ubuntu0.14.04.1
+-- PHP Version: 5.4.5
+
+SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";
+SET time_zone = "+00:00";
+
+
+/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
+/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
+/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
+/*!40101 SET NAMES utf8 */;
+
+--
+-- Database: `payroll`
+--
+
+-- --------------------------------------------------------
+
+--
+-- Table structure for table `users`
+--
+
+CREATE TABLE IF NOT EXISTS `users` (
+  `username` varchar(30) COLLATE utf8mb4_unicode_ci NOT NULL,
+  `first_name` varchar(30) COLLATE utf8mb4_unicode_ci NOT NULL,
+  `last_name` varchar(30) COLLATE utf8mb4_unicode_ci NOT NULL,
+  `password` varchar(40) COLLATE utf8mb4_unicode_ci NOT NULL,
+  `salary` int(20) NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
+
+--
+-- Dumping data for table `users`
+--
+
+INSERT INTO `users` (`username`, `first_name`, `last_name`, `password`, `salary`) VALUES
+('luke_skywalker', 'Luke', 'Skywalker', 'password', 102000),
+('leia_organa', 'Leia', 'Organa', 'obiwan', 95600),
+('han_solo', 'Han', 'Solo', 'sh00t-first', 12000),
+('artoo_detoo', 'Artoo', 'Detoo', 'beep_b00p', 22000),
+('c_three_pio', 'C', 'Threepio', 'pr0t0c0l', 32000),
+('ben_kenobi', 'Ben', 'Kenobi', 'thats_no_moon', 1000000),
+('darth_vader', 'Darth', 'Vader', 'd@rk_sid3', 666000),
+('anakin_skywalker', 'Anakin', 'Skywalker', 'yipp33!!', 0),
+('jarjar_binks', 'Jar-Jar', 'Binks', 'mesah_p@ssw0rd', 2000),
+('lando_calrissian', 'Lando', 'Calrissian', 'b@ckstab', 4000000),
+('boba_fett', 'Boba', 'Fett', 'mandalorian1', 2000000),
+('jabba_hutt', 'Jabba', 'The Hutt', 'not-a-slug12', 10000000),
+('greedo', 'Greedo', 'Rodian', 'hanShotFirst!', 500000),
+('chewbacca', 'Chewbacca', '', 'rwaaaaawr5', 4500),
+('kylo_ren', 'Kylo', 'Ren', 'daddy_issues1', 66600);
+
+/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
+/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
+/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;

chef/cookbooks/metasploitable/files/payroll_app/payroll_app.php

@@ -0,0 +1,50 @@
+<?php
+
+$conn = new mysqli('127.0.0.1', 'root', 'sploitme', 'payroll');
+if ($conn->connect_error) {
+    die("Connection failed: " . $conn->connect_error);
+}
+?>
+
+<form action="" method="post">
+<table width="50%">
+    <tr>
+        <td>User</td>
+        <td><input type="text" name="user"></td>
+    </tr>
+    <tr>
+        <td></td>
+        <td><input type="text" name="password"></td>
+    </tr>
+</table>
+    <input type="submit" value="OK" name="s">
+</form>
+
+<?php
+if($_POST['s']){
+    $user = $_POST['user'];
+    $pass = $_POST['password'];
+    $sql = "select username, first_name, last_name, salary from users where username = '$user' and password = '$pass'";
+
+    if ($conn->multi_query($sql)) {
+        do {
+            /* store first result set */
+            echo "<table border=1>";
+            echo "<tr><th>Username</th><th>First Name</th><th>Last Name</th><th>Salary</th></tr>";
+            if ($result = $conn->store_result()) {
+                while ($row = $result->fetch_assoc()) {
+                    $keys = array_keys($row);
+                    echo "<tr>";
+                    foreach ($keys as $key) {
+                        echo "<td>" . $row[$key] . "</td>";
+                    }
+                }
+                $result->free();
+            }
+            if (!$conn->more_results()) {
+                echo "</table>";
+            }
+        } while ($conn->next_result());
+    }
+}
+?>

chef/cookbooks/metasploitable/recipes/payroll_app.rb

@@ -0,0 +1,21 @@
+#
+# Cookbook:: metasploitable
+# Recipe:: payroll_app
+# Copyright:: 2017, Rapid7, All Rights Reserved.
+
+cookbook_file '/var/www/html/payroll_app.php' do
+  source 'payroll_app/payroll_app.php'
+  mode '0755'
+end
+
+cookbook_file '/tmp/payroll.sql' do
+  source 'payroll_app/payroll.sql'
+  mode '0755'
+end
+
+bash 'create payroll database and import data' do
+  code <<-EOH
+    mysql -S /var/run/mysql-default/mysqld.sock --user="root" --password="sploitme" --execute="CREATE DATABASE payroll;"
+    mysql -S /var/run/mysql-default/mysqld.sock --user="root" --password="sploitme" payroll < /tmp/payroll.sql
+  EOH
+end

chef/cookbooks/metasploitable/recipes/php_545.rb

@@ -35,7 +35,7 @@ end
 bash "compile and install php" do
   code <<-EOH
     cd /home/vagrant/php-5.4.5
-    ./configure --with-apxs2=/usr/bin/apxs --with-mysql
+    ./configure --with-apxs2=/usr/bin/apxs --with-mysqli --enable-embedded-mysqli
     make
     make install
   EOH