Mutillidae: Born to be Hacked
Version: 2.1.19
Developed by Adrian "Irongeek" Crenshaw and Jeremy Druin
Vulnerabilities
Note: Pages marked with a * are common. This means their vulnerabilities will appear on most pages.

add-to-your-blog.php

  • SQL Injection on blog entry
  • SQL Injection on logged in user name
  • Cross site scripting on blog entry
  • Cross site scripting on logged in user name
  • Log injection on logged in user name
  • CSRF
  • JavaScript validation bypass
  • XSS in the form title via logged in username
  • The show-hints cookie can be changed by the user to enable hints even though they are not supposed to show in secure mode

arbitrary-file-inclusion.php

  • System file compromise
  • Load any page from any site

authorization-required.php

  • No known vulnerabilities. We should add something.
  • This page is only used in secure mode. In insecure mode, the site does not authorize users.

browser-info.php

  • XSS via referer HTTP header
  • JS Injection via referer HTTP header
  • XSS via user-agent string HTTP header

capture-data.php

  • XSS via any GET, POST, or Cookie

captured-data.php

  • XSS via any GET, POST, or Cookie

closedb.inc*

  • No known vulnerabilities. We should add something.

config.inc*

  • Contains unencrypted database credentials

credits.php

  • Unvalidated Redirects and Forwards

dns-lookup.php

  • Cross site scripting on the host/ip field
  • O/S Command injection on the host/ip field
  • This page writes to the log. SQLi and XSS on the log are possible
  • GET can be used in place of POST because the page does not enforce reading only POSTed variables.

footer.php*

  • Cross site scripting via the HTTP_USER_AGENT HTTP header.

framer.html

  • Forms caching
  • Click-jacking

framing.php

  • Click-jacking

header.php*

  • XSS via logged in user name and signature
  • The Setup/reset the DB menu item can be enabled by setting the uid value of the cookie to 1

home.php

  • No known vulnerabilities. We should add something.

index.php*

  • XSS via the hints-enabled output in the menu because it takes input from the hints-enabled cookie value.
  • SQL injection via the UID cookie value because it is used to do a lookup
  • You can change your rank to admin by altering the UID value
  • HTTP Response Splitting via the logged in user name because it is used to create an HTTP Header
  • This page is responsible for cache-control but fails to do so
  • This page allows the X-Powered-By HTTP header
  • HTML comments
  • There are secret pages that, if browsed to, will redirect the user to the phpinfo.php page. They can be found via brute forcing.

installation.php

  • No known vulnerabilities. We should add something.

log-visit.php

  • SQL injection and XSS via referer HTTP header
  • SQL injection and XSS via user-agent string

login.php

  • Authentication bypass SQL injection via the username field and password field
  • SQL injection via the username field and password field
  • XSS via username field
  • JavaScript validation bypass

notes.php

  • No known vulnerabilities. We should add something.

opendb.inc*

  • No known vulnerabilities. We should add something.

page-not-found.php

  • No known vulnerabilities. We should add something.
  • This page is only used in secure mode. In insecure mode, the site does not validate the "page" parameter.

password-generator.php

  • JavaScript injection

pen-test-tool-lookup.php

  • JSON injection

php-errors.php

  • No known vulnerabilities. We should add something.

phpinfo.php

  • This page gives away the PHP server configuration
  • Application path disclosure
  • Platform path disclosure

process-commands.php

  • Creates cookies but does not set the HttpOnly flag on them

process-login-attempt.php

  • Same as login.php. This is the action page.

redirectandlog.php

  • Same as credits.php. This is the action page.

register.php

  • SQL injection and XSS via the username, signature and password field

rene-magritte.php

  • Click-jacking

robots.txt

  • Contains directories that are supposed to be private.

secret-administrative-pages.php

  • This page gives hints about how to discover the server configuration.

set-background-color.php

  • Cascading style sheet injection and XSS via the color field.

set-up-database.php

  • No known vulnerabilities. We should add something.

show-log.php

  • Denial of Service if you fill up the log
  • XSS via the hostname, client IP, browser HTTP header, Referer HTTP header, and date fields.

site-footer-xss-discusson.php

  • XSS via the user agent string HTTP header

source-viewer.php

  • Loading of any arbitrary file including operating system files.

text-file-viewer.php

  • Loading of any arbitrary web page on the Internet or locally, including the site's password files.
  • Phishing

usage-instructions.php

  • No known vulnerabilities. We should add some.

user-info.php

  • SQL injection to dump all usernames and passwords via the username field or the password field
  • XSS via any of the displayed fields. Inject the XSS on the register.php page.
  • XSS via the username field

user-poll.php

  • Parameter pollution
  • GET for POST
  • XSS via the choice parameter
  • Cross site request forgery to force user choice

view-someones-blog.php

  • XSS via any of the displayed fields. They are input on the add to your blog page.