How To Install Mutillidae And Try A Little Test

Bismillah...

So, before we start sharing about Mutillidae, it's better for us to know its definition. Read it below, but if you aren't patient enough, just pass it by :D


Mutillidae is a free, open source web application provided to allow security enthusiasts to pen-test and hack a web application. Mutillidae can be installed on Linux, Windows XP, and Windows 7 using XAMPP, making it easy for users who do not want to install or administrate their own webserver. It is already installed on Samurai WTF. Simply replace the existing version with the latest on Samurai. Mutillidae contains dozens of vulnerabilities and hints to help the user exploit them, providing an easy-to-use web hacking environment deliberately designed to be used as a hack-lab for security enthusiasts, classroom labs, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, in corporate web sec training courses, and as an "assess the assessor" target for vulnerability software.

Mutillidae has been tested/attacked with Cenzic Hailstorm ARC, W3AF, SQLMAP, Samurai WTF, Backtrack, HP Web Inspect, Burp-Suite, NetSparker Community Edition, and other tools. If you would like to practice pen-testing/hacking a web application by exploiting cross-site scripting, sql injection, response-splitting, html injection, javascript injection, clickjacking, cross frame scripting, forms-caching, authentication bypass, or many other vulnerabilities, then Mutillidae is for you.
Requirements (steps 1-5) and installation (steps 6-10):
  1. First we need to install Apache, type this in your terminal:
    sudo apt-get install apache2
  2. Then install PHP:
    sudo apt-get install php5 libapache2-mod-php5
  3. Install the MYSQL server:
    sudo apt-get install mysql-server
  4. After that it should prompt you to set up the password for your MySQL server. In my case, I put 'root' as my password just for demo purposes, although it's not really advisable to use a weak password on a live server. Now set up your phpMyAdmin (optional):
    sudo apt-get install libapache2-mod-auth-mysql php5-mysql phpmyadmin
  5. Change the permission of your /var/www folder to make sure you will have all the rights to read, write and execute files by typing this command in your terminal:
    sudo chmod -R 0777 /var/www
  6. To check if the installation is successful, open this link in your browser: http://localhost/ or http://127.0.0.1/

    If you see something that says ‘It Works!’ then you are done setting up your LAMP server. Now time to install Mutillidae! Download and extract Mutillidae in the /var/www directory:
    =>Download mutillidae here
    =>Extract to the www directory: you can copy-paste it, or open a terminal and type "unzip /home/name_user/Download/LATEST-mutillidae-2.3.7.zip" then "cp -r /home/name_user/Download/mutillidae/ /var/www/".
  7. Next up we need to configure config.inc and MySQLHandler.php, which contain the dbhost, dbuser, dbpass, and dbname settings:
    Use your favourite editor: "gedit /var/www/mutillidae/config.inc"
    $dbhost = 'localhost';
    $dbuser = 'root';
    $dbpass = 'root';
    $dbname = 'nowasp';       ---you must create this database first: open localhost/phpmyadmin in your browser---
    When you are done, type "gedit /var/www/mutillidae/classes/MySQLHandler.php"
    and do the same steps as above.
  8. By default the value of $dbpass is left blank, so we need to put in the root password for MySQL which you entered during the installation of mysql-server. In my case I put root.
  9. Make sure you have already started the MySQL and Apache services; if not, you can just type these commands in the terminal:
    sudo service mysql start && sudo service apache2 start
  10. Then open your web browser again and point it to 127.0.0.1/mutillidae/ or localhost/mutillidae/. Next, let's have the web application set up the database automatically by clicking Core Controls > Setup/Reset the DB on the left side, or Setup/Reset the DB at the upper-right corner.
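Steps 5, 7 and 8 are the ones people usually get wrong: a missing quote in config.inc (the classic "$dbuser = 'root;" slip) makes PHP fail before MySQL is ever contacted, and "chmod -R 0777" leaves every file under the web root writable by anyone on the box. The script below is an added example, not code from the original post or from the Mutillidae project. It assumes a config.inc shaped like the one shown above (four "$dbX = '...';" lines); the file contents, paths and the helper names (set_db_value, get_db_value, check_db_config, world_writable) are all constructed here for the demo.

```shell
#!/bin/sh
# Added example (not part of the original post): helpers for steps 5, 7 and 8.
#  - set_db_value / get_db_value edit the "$dbX = '...';" lines of a
#    Mutillidae-style config.inc or MySQLHandler.php
#  - check_db_config rejects a malformed line such as   $dbuser = 'root;
#  - world_writable lists what "chmod -R 0777" (step 5) left open
# All paths, file contents and the password used below are constructed.

# make_sample_config FILE: write a constructed config.inc shaped like the page's
make_sample_config() {
  cat > "$1" <<'EOF'
<?php
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = '';
$dbname = 'nowasp';
?>
EOF
}

# set_db_value FILE KEY VALUE: rewrite the line   $KEY = '...';
# The value must not contain ' | or & (they would break the sed expression).
set_db_value() {
  file=$1 key=$2 value=$3
  case $value in
    *"'"*|*"|"*|*"&"*) echo "set_db_value: unsupported character in value" >&2; return 1 ;;
  esac
  sed "s|^\([[:space:]]*\)[$]${key}[[:space:]]*=[[:space:]]*'[^']*';.*|\1\$${key} = '${value}';|" \
    "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_db_value FILE KEY: print the value of   $KEY = '...';
get_db_value() {
  sed -n "s|^[[:space:]]*[$]$2[[:space:]]*=[[:space:]]*'\([^']*\)';.*|\1|p" "$1"
}

# check_db_config FILE: return 0 only if all four $db* lines are a
# single-quoted PHP string terminated by ';'
check_db_config() {
  for key in dbhost dbuser dbpass dbname; do
    grep -q "^[[:space:]]*[$]$key[[:space:]]*=[[:space:]]*'[^']*';" "$1" || {
      echo "check_db_config: bad or missing \$$key line in $1" >&2
      return 1
    }
  done
}

# world_writable DIR: print every file or directory under DIR that anyone may write
world_writable() {
  find "$1" -perm -002 -print | sort
}

# count_world_writable DIR: number of such entries (handy for a quick audit)
count_world_writable() {
  world_writable "$1" | wc -l | tr -d ' '
}

# demo: run the helpers against a throwaway directory instead of /var/www
demo() {
  d=$(mktemp -d)
  make_sample_config "$d/config.inc"
  set_db_value "$d/config.inc" dbpass root
  check_db_config "$d/config.inc" && echo "config.inc OK: dbpass=$(get_db_value "$d/config.inc" dbpass)"
  chmod -R 0777 "$d"
  echo "world-writable after chmod -R 0777:"; world_writable "$d"
  rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `sh mutillidae_config.sh --demo` to see both checks on a temporary directory; on a real lab box, `world_writable /var/www` after step 5 shows exactly what the 0777 step opened up, and `check_db_config /var/www/mutillidae/config.inc` is a faster way to catch a typo than waiting for the "#1045 Cannot log in" page.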


If you get errors such as "#2002 Cannot log in to the MySQL server" or "#1045 Cannot log in to the MySQL server", here is the solution. Click!
