webpwnized / mutillidae Goto Github PK

Can someone provide the precise number of vulnerabilities in Mutillidae II for me to compare manually? Alternatively, could someone present a list of the actual vulnerabilities?

The line of code
var lUnsafeCharacters = /[`~!@#$%^&*()-_=+[]{}\|;':",./<>?]/;
is found in six files :
edit-account-profile.php login.php register.php user-info-xpath.php user-info.php xml-validator.php

Two problems
a) The expression )-_ matches the range from ) (ASCCII 51) to _ (ASCII 95) which includes uppercase letters and digits so uppercase letters and digits are considered unsafe so it is best to put the hyphen at the end
b) the character / should be excaped : \/

The correct regex tested with https://regex101.com/ is
var lUnsafeCharacters = /[`~!@#$%^&*()_=+[]{}\|;':",.\/<>?-]/;

This is a (meta) feature request.

I see that there are many releases:

https://github.com/webpwnized/mutillidae/blob/master/documentation/change-log.html

But this is not easy to discover. Most GitHub users tag their releases.

I did a build last night and then did a build this morning and am getting different results. My build from last night is rendering the web application correctly. My build from this morning is only rendering the default "It Works!" web page.

Additional context:
This is built from within SamuraiWTF, using the mutillidae katana script.

So it is making a few modifications to the docker-compose.yml file prior to running. However, these changes appeared to work fine yesterday so I have to believe something about the recent update is affecting it. Also, I am getting an html page for a response, it's just the wrong page (it's the default webserver page instead of the application's home page).

Hello Jeremy;
Please have a look at this. Is this normal?

Once I'm logged in with a user, and then try to logout, I'm stuck as logged-in; no matter how many times I try.
The only way to get this work is by resetting the Firefox history.

See snapshot.

I don't know if the following is related in any way, but when I first registered the user, at the bottom, it showed me a message about Posted Token (Validation not performed).
See snapshot.

Thanks

Not everyone wants to watch a video when they can scan text.

i feel like the hint provided in "Lab 12: Command injection - Extracting User Accounts with Command Injection" isn't related to the lab i used sql injection and i found a list of users but none of them are in the list
[11:19:08] [INFO] fetching entries of column(s) 'username' for table 'accounts' in database 'mutillidae'
Database: mutillidae
Table: accounts
[23 entries]
+----------+
| username |
+----------+
| admin |
| adrian |
| john |
| jeremy |
| bryce |
| samurai |
| jim |
| bobby |
| simba |
| dreveil |
| scotty |
| cal |
| john |
| kevin |
| dave |
| patches |
| rocky |
| tim |
| ABaker |
| PPan |
| CHook |
| james |
| ed |
+----------+

Which of these accounts exists on the Mutillidae Linux server?

 
slack
ntp
george
fred
cmdline

Warning: setcookie() expects parameter 3 to be integer, array given in C:\xampp\htdocs\mutillidae1\index.php on line 137

Open-source insecure web application designed for penetration testers to practice all of the web app-specific vulnerability exploitation.

"Sourceforge: README-MUTILLIDAE-HAS-MIGRATED-TO-GITHUB.txt,"

Sometimes Logout does not disconnect the user. The cookie is not correctly removed.
In particular when changing the security level.
When removing the cookie, the options must be the same as when creating the cookie.

Fine includes/process-commands.php

/* EXISTING CODE */
case "logout":

    setcookie("uid", "deleted", time() - 3600);
    setcookie("username", "deleted", time() - 3600);

    /* NEW CODE TO ADD */
    /* Make sure the cookie is removed, no matter how it has been created */
    $l_cookie_options = array(
        'expires' => time() - 3600,              // 0 means session cookie
        'path' => '/',               // '/' means entire domain
        //'domain' => '.example.com', // default is current domain
        'secure' => FALSE,           // true or false
        'httponly' => TRUE,         // true or false
        'samesite' => 'Strict'          // None || Lax  || Strict
    );
    setcookie("username", "deleted", $l_cookie_options);
    setcookie("uid", "deleted", $l_cookie_options);

    //setrawcookie() allows for response splitting
    $lUsernameCookie = $lRecord->username;
    $l_cookie_options = array(
        'expires' => time() - 3600,              // 0 means session cookie
        'path' => '/',               // '/' means entire domain
        //'domain' => '.example.com', // default is current domain
        'secure' => FALSE,           // true or false
        'httponly' => FALSE,         // true or false
        'samesite' => 'Lax'          // None || Lax  || Strict
    );
    setrawcookie("username", "deleted", $l_cookie_options);
    setrawcookie("uid", "deleted", $l_cookie_options);

Composer Version : "2.3.9"
PHP Version : "8.1.6"

When clicked for setting up new database the error occurred

Fatal error: Uncaught ArgumentCountError: Too few arguments to function CustomErrorHandler::getExceptionMessage(), 1 passed in C:\xampp\htdocs\classes\MySQLHandler.php on line 147 and exactly 2 expected in C:\xampp\htdocs\classes\CustomErrorHandler.php:134 Stack trace: #0 C:\xampp\htdocs\classes\MySQLHandler.php(147): CustomErrorHandler->getExceptionMessage(Object(mysqli_sql_exception)) #1 C:\xampp\htdocs\classes\MySQLHandler.php(162): MySQLHandler->doConnectToDatabase('127.0.0.1', 'root', 'mutillidae', 3306) #2 C:\xampp\htdocs\classes\MySQLHandler.php(104): MySQLHandler->doOpenDatabaseConnection() #3 C:\xampp\htdocs\set-up-database.php(20): MySQLHandler->__construct('owasp-esapi-php...', 0) #4 {main} thrown in C:\xampp\htdocs\classes\CustomErrorHandler.php on line 134

Toggle Security : Security Level: 5 (Secure)
Register http://mutillidae.lan/index.php?page=register.php
Password Generator --> Generate Password
Copy/paste generated password
Create account

Alert : dangerous charaacters detected

Now toggle security to 0, Create account, back to login page, toggle security to 5, click login
Alert : dangerous charaacters detected

So how do I securely connect or use an account with a generated password ?

im getting this error when i exec mutillidae on lamp i use kali linux

Parse error: syntax error, unexpected 'const' (T_CONST), expecting variable (T_VARIABLE) in /opt/lampp/htdocs/mutillidae/classes/EncodingHandler.php on line 8

Sever Banner is visible in Mutillidae Severity Level 5

Provide an official docker image to launch the mutillidae project locally

When I try to fork I get an error message

failed to fork: HTTP 403: Description cannot be more than 350 characters

gh repo fork [email protected]:webpwnized/mutillidae.git
failed to fork: HTTP 403: Description cannot be more than 350 characters (https://api.github.com/repos/webpwnized/mutillidae/forks)

Hi there.

Thanks for making this repo and all the repo to make life easier for others.

However, when I run this on my Mac M1 Chip, all four other containers are running okay. The www, however, crashed with the log below:

2023-02-23 20:54:12 www              | AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.4. Set the 'ServerName' directive globally to suppress this message
2023-02-23 20:54:12 www              | [Thu Feb 23 09:54:12.622911 2023] [core:emerg] [pid 1] (95)Operation not supported: AH00023: Couldn't create the mpm-accept mutex 
2023-02-23 20:54:12 www              | (95)Operation not supported: could not create accept mutex
2023-02-23 20:54:12 www              | AH00015: Unable to open logs
2023-02-23 21:18:25 www              | AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.19.0.4. Set the 'ServerName' directive globally to suppress this message
2023-02-23 21:18:25 www              | [Thu Feb 23 10:18:25.090711 2023] [core:emerg] [pid 1] (95)Operation not supported: AH00023: Couldn't create the mpm-accept mutex 
2023-02-23 21:18:25 www              | (95)Operation not supported: could not create accept mutex
2023-02-23 21:18:25 www              | AH00015: Unable to open logs

I tried to amend a few configs in www/Dockerfile but got no luck.

RUN echo "Mutex posixsem" >> /etc/apache2/apache2.conf
RUN echo 'Mutex posixsem' >> /etc/apache2/conf/httpd.conf

Could you please give me some hints here? Thank you.

When goto the 127.0.0.1 on my browser, I got warning at the top
Warning: fsockopen(): Unable to connect to 127.0.0.1:389 (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond) in C:\xampp\htdocs\database-offline.php on line 105

And i also found a big text highlighted

The database server at 127.0.0.1 appears to be offline.

By clicking the first option "Click here to attempt to setup the database. Sometimes this works"

I got the error:
Fatal error: Uncaught Exception: C:\xampp\htdocs\classes\MySQLHandler.php on line 147: C:\xampp\htdocs\classes\MySQLHandler.php on line 138: Access denied for user 'root'@'localhost' (using password: YES) CRITICAL. Error attempting to open MySQL connection. Try checking the connection settings in the MySQLHandler.php class file. If there is a problem connecting, usually one of these settings is incorrect (i.e. - username, password, database name). It is also a good idea to make sure the database is running and that the web site (Mutillidae) is allowed to connect. This error was generated by public function __construct(). Tried to connect with username root, password mutillidae, and hostname 127.0.0.1 (1045) [mysqli_sql_exception] <br /> CRITICAL. Error attempting to open MySQL connection. Try checking the connection settings in includes/database-config.php. If there is a problem connecting, usually one of the settings is incorrect (i.e. - username, password, database name). It is also a good idea to make sure the database is running and that the web site (Mutillidae) is allowed to connect. This error was generated by function doOpenDatabaseConnection() (0) [Exception] <br /> in C:\xampp\htdocs\classes\MySQLHandler.php:177 Stack trace: #0 C:\xampp\htdocs\classes\MySQLHandler.php(104): MySQLHandler->doOpenDatabaseConnection() #1 C:\xampp\htdocs\set-up-database.php(20): MySQLHandler->__construct('owasp-esapi-php...', 0) #2 {main} thrown in C:\xampp\htdocs\classes\MySQLHandler.php on line 177

function doXMLEncodeQueryResults($pUsername, $pQueryResult,
$pEncodeOutput){

Add
global $Encoder;

otherwise $Encoder->encodeForHTML($row->username) (in the while loop) generates an error

You can use this as a starting point (works for me)

kubectl create deployment mutillidae-database --image="webpwnized/mutillidae:database"
kubectl create deployment mutillidae-ldap --image="webpwnized/mutillidae:ldap"
kubectl create deployment mutillidae-www --image="webpwnized/mutillidae:www"
kubectl create deployment mutillidae-databaseadmin --image="webpwnized/mutillidae:database_admin"
kubectl create deployment mutillidae-ldapadmin --image="webpwnized/mutillidae:ldap_admin"

kubectl expose deployment mutillidae-database --name=database --port=3306
kubectl expose deployment mutillidae-ldap --name=directory --port=389
kubectl expose deployment mutillidae-www --name=www --type=LoadBalancer --port=80
kubectl expose deployment mutillidae-databaseadmin --name=databaseadmin --type=LoadBalancer --port=80
kubectl expose deployment mutillidae-ldapadmin --name=ldapadmin --type=LoadBalancer --port=80

Hi Jeremy.

When I attempt to read files from server - using LOAD_FILE('/etc/passwd'), I don't get anything.

Also when attempting to write a file, I get an error.

Please note that I'm able to do the above techniques in the Metasploitable VM.
https://sourceforge.net/projects/metasploitable/

Thanks