Mutillidae: Born to be Hacked
Version: 2.1.19 Not Logged In
Developed by Adrian "Irongeek" Crenshaw and Jeremy Druin
Arbitrary File Inclusion
Current Page: arbitrary-file-inclusion.php
 
 
Notice that the page displayed by Mutillidae is decided by the value in the "page" variable.
The "page" variable is passed as a URL query parameter.
What could possibly go wrong?
 
Hints
  • Parameter pollution can occur for several reasons. One is that developers sometimes fetch values using the "REQUEST" array. This allows the user to inject variables into either GET or POST and have the application process them. To cause parameter pollution, a user can send parameters via POST which the developer thinks should be passed via the URL. The user could also pass a variable using both GET and POST. The application can be tricked by the bogus parameters.
  • Although not the intended theme of this page, it does display output based on user input. Could it be vulnerable to Cross Site Scripting?
  • Arbitrary File Inclusion: The page displayed in Mutillidae is determined by the value of the "page" parameter. What would happen if the "page" parameter were changed to a filename which is on the server but not intended to be served? This defect can be combined with other defects. For example, the "page" parameter might be able to be passed in via either GET or POST due to the parameter pollution flaw. Using the parent traversal operator ("..") can help break out of the web server file folders. Also, direct file paths can be tried. For example, if Mutillidae is running on a Windows XP system, the following values for "page" can be tried.
    • C:\boot.ini
    • ..\..\..\..\boot.ini
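As an added example (not Mutillidae's own source), the flawed "page"-to-include pattern the hints describe is shown next to an allowlist-based replacement; page names other than arbitrary-file-inclusion.php are assumed.

```php
<?php
// Added illustration, not Mutillidae's code. Contrasts the flawed routing the
// hints describe with a version that never builds a path from user input.

// Flawed: $_REQUEST merges GET, POST and cookie values (parameter pollution),
// and the raw value is handed to include(), so a value such as
// "..\..\..\..\boot.ini" or "C:\boot.ini" is simply read and served.
function pickPageUnsafe(array $request): string
{
    return isset($request['page']) ? $request['page'] : 'home.php';
}

// Hardened: the untrusted token is only ever used as a key into a fixed map,
// so the filesystem path never contains attacker-controlled characters.
// Only arbitrary-file-inclusion.php is taken from this page; home.php is assumed.
const ALLOWED_PAGES = [
    'home'                     => 'home.php',
    'arbitrary-file-inclusion' => 'arbitrary-file-inclusion.php',
];

function pickPageSafe(array $get): string
{
    $token = $get['page'] ?? '';
    if (!is_string($token) || !array_key_exists($token, ALLOWED_PAGES)) {
        // Unknown tokens are logged so traversal probes show up in monitoring.
        error_log('rejected page parameter: ' . var_export($token, true));
        return ALLOWED_PAGES['home'];
    }
    return ALLOWED_PAGES[$token];
}

// Constructed inputs modelled on the values listed in the hints above.
$probes = ['arbitrary-file-inclusion', 'C:\\boot.ini', '..\\..\\..\\..\\boot.ini'];
foreach ($probes as $p) {
    printf("%-26s unsafe=%-26s safe=%s\n",
        $p, pickPageUnsafe(['page' => $p]), pickPageSafe(['page' => $p]));
}
// A real handler would then run: include __DIR__ . '/' . pickPageSafe($_GET);
// Reading from $_GET rather than $_REQUEST also closes the GET/POST pollution path.
```

The unsafe function echoes every probe back as a path to include, while the safe one maps the two traversal values to the default page and logs them.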