Error: Failure is always an option and this situation proves it
Message	Sorry. An error occured. Support has been notified.
Did you setup/reset the DB?

Capture Data

  Back

Data Capture Page
This page is designed to capture any parameters sent and store them in a file and a database table. It loops through the POST and GET parameters and records them to a file named captured-data.txt. On this system, the file should be found at /var/www/mutillidae/captured-data.txt. The page also tries to store the captured data in a database table named captured_data. There is another page named captured-data.php that attempts to list the contents of this table.
The data captured on this request is: page = capture-data.php\nshowhints = 0;HTTPOnly\nPHPSESSID = 6f23e4c527dfa1e9b523aa71e06c6a9e\nshowhints = 0;HTTPOnly\nPHPSESSID = 6f23e4c527dfa1e9b523aa71e06c6a9e\n
Would it be possible to hack the hacker? Assume the hacker will view the captured requests with a web browser.

 

 

Hints

Cross Site Scripting This page is the easiest in the site to inject XSS. The page reflects any input. This input could be from the Cookies, and URL query parameter, or any POSTed parameter. Cross Site Scripting Via URL query parameters Try make up any URL query parameter and inject a script. In reality, just inject a script as the variable. This page is very easy to inject. Cross Site Scripting Via POST parameters Use Burp-Suite to create POST parameters. Make one of the parameters a cross site script. Cross Site Scripting Via Cookie Use Cookie Manager or Burp-Suite to create a cross site script. When this page prints the value of the cookie to the screen, the script will execute.