"If you want to understand a vulnerability, the better way is: you can create this vulnerability yourself (written in code), then exploit it, and finally fix it."
Pikachu is a vulnerable web application that contains common web security vulnerabilities. If you are learning web penetration testing and are worried about not having a suitable practice range, Pikachu may be just right.
The management tool provides a simple XSS management backend where you can test phishing and cookies, and it can also record keystrokes! ~
More vulnerabilities will be added in the future, and you are welcome to submit vulnerability cases to me. Watch the pikachu project for the latest version.
Each type of vulnerability is divided into subclasses for different situations. To make these vulnerabilities more interesting, small scenarios have been designed for each one on the Pikachu platform. Click "Prompt" in the upper right corner of a vulnerability page to view the help information.
Pikachu is developed using PHP, the best language in the world -_-
The database is MySQL, so you need to install the basic "PHP + MySQL + middleware (such as Apache, nginx, etc.)" environment in advance before running Pikachu. It is recommended to use an integrated package such as XAMPP or WAMP to build this environment in your test environment. As a security person, these things should not be difficult for you. Next:
--> Put the downloaded pikachu folder in the root directory of the web server;
--> Modify the database connection configuration in inc/config.inc.php to match your environment;
--> Visit http://xxxx/pikachu. A red prompt will appear: "Welcome to use, pikachu has not been initialized yet, click to initialize the installation!" Click it to complete the installation.
If you have any questions about using Pikachu, you can ask in the QQ groups: 532078894 (full), 973351978 (not full). Even if you ask, someone may not answer -_-.
Use existing builds:
docker run -d -p 8765:80 8023/pikachu-expect:latest
Local build:
If you are familiar with docker, you can also deploy directly with docker:
docker build -t "pikachu" .
docker run -d -p 8080:80 pikachu
"Less means more, slow means fast"