a. Samurai Web Testing Framework
i. Samurai WTF 0.95 is a Linux "Live" DVD from which the user's machine boots.
Samurai ships with several vulnerable web applications, pre-configured for
vulnerability testing. One of the available applications is Mutillidae version 1.
Samurai is preparing to release version 1.0, which will include Mutillidae 2.x.
b. XAMPP (Windows, Linux, Mac OS X)
i. XAMPP is a single installation package which bundles the Apache web server,
the PHP application server, and the MySQL database. XAMPP installs Apache and
MySQL either as executables or as services and can optionally start these
services automatically. Once installed, XAMPP provides an "htdocs"
directory. This directory is the document "root", meaning that if you browse to
http://localhost/, the web site in that "htdocs" folder is what will
be served. Mutillidae is installed by placing the mutillidae folder
into the htdocs folder. The result is that mutillidae is a sub-site
served from the mutillidae folder, which makes the URL for mutillidae
http://localhost/mutillidae.
The mutillidae files are already in a folder called "mutillidae" when
the project is zipped, so all that is required is to put the mutillidae
folder into the htdocs directory: simply unzip the compressed mutillidae
folder right into the htdocs folder. When you are done, the "mutillidae"
folder will be inside the "htdocs" folder of XAMPP, and all the Mutillidae
files will be inside that "mutillidae" folder. Assuming Apache and MySQL are
running, the user can open a browser and immediately begin using Mutillidae at
http://localhost/mutillidae. Apache automatically serves "index.php",
which is located in the mutillidae folder.
ii. Download and install "XAMPP" or "XAMPP Lite" for Windows or Linux. If
installing on Windows, when the installation asks if you want to install
Apache and MySQL as services, answer "YES". This allows both to run as
Windows services and be controlled via services.msc. Run services.msc
by typing "services.msc" at the command line.
(Start - Run - services.msc - Enter)
iii. Download Mutillidae
iv. Unzip Mutillidae. Note the mutillidae project is in a folder called "mutillidae"
v. Place the entire "mutillidae" directory into XAMPP's "htdocs" directory
vi. Browse to mutillidae at http://localhost/mutillidae
vii. Click the "Setup/reset the DB" link in the main menu.
viii. Get rid of PHP "strict" errors. They are not compatible with the OWASP ESAPI
classes in use in Mutillidae 2.0. The error output interferes with the HTTP headers and disrupts
functionality, so this is not simply an annoyance. To do this, go to the php.ini file and change the line that reads
"error_reporting = E_ALL | E_STRICT" to "error_reporting = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_DEPRECATED".
(The constant is spelled E_DEPRECATED; PHP defines no E_DEPRECIATED, so a misspelling leaves the mask ineffective.)
Once the modification is complete, restart the Apache service. If you are not sure how to restart
the service, reboot.
Important note: If you use XAMPP Lite or various versions of XAMPP on various operating systems, the path to your
php.ini file may vary. You may even have multiple php.ini files, in which case try modifying the one in the Apache
directory first, then the one in the PHP directory if that doesn't do the trick.
Windows possible default locations: C:\xampp\php\php.ini, C:\XamppLite\PHP\php.ini, others
Linux possible default locations: /XamppLite/PHP/php.ini, /XamppLite/apache/bin/php.ini, others
ix. By default, Mutillidae tries to connect to MySQL on the localhost with the username
"root" and a blank password. To change this, edit "config.inc" with the correct
information for your environment.
x. NOTE: Once PHP 6.0 arrives in XAMPP, E_ALL will include E_STRICT, so the line
to change will probably read "error_reporting = E_ALL". In any case, change
the error_reporting line to
"error_reporting = E_ALL & ~E_NOTICE & ~E_DEPRECATED".
xi. NOTE: Be sure magic quotes are disabled. In XAMPP they seem to be, but MAMP for
Apple OS X seems to have them enabled by default. Just make sure magic quotes are set to
off in whatever framework is being used. This setting is in php.ini and covers
magic_quotes_gpc, magic_quotes_runtime, and magic_quotes_sybase.
c. Custom Linux ISO
i. Using the Samurai Web Testing Framework as the base operating system, any version of Mutillidae
can be installed in addition to the version which comes standard with Samurai. From this custom set-up,
a custom ISO can be generated using the Remastersys package.
With Samurai 0.95, Mutillidae is installed into the /srv/mutillidae directory. To install different
versions of Mutillidae and make a custom Linux ISO, the following recipe can be followed:
1. Locate the default installation of Mutillidae in the /srv/mutillidae directory.
2. Rename the current installation. For example, rename the "mutillidae" folder to "mutillidae-1.5".
3. Download the latest version from www.irongeek.com
4. Unzip the "mutillidae" folder from the latest version to the /srv directory.
5. Test that mutillidae is updated by browsing to http://localhost/mutillidae
6. Test that the original version of mutillidae still works by browsing to http://localhost/mutillidae-1.5
7. Make any changes to Linux, Firefox, or other software desired. For example, the lab environment
created for the U of L information security course used an updated version of Firefox with several add-ons.
8. Ensure the current Remastersys installation is clean by running the command "sudo remastersys clean"
9. When ready to create the new ISO, run the command "sudo remastersys backup"
10. The custom ISO will be found in the /home/remastersys/remastersys directory
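The recipe above as a script is an added example, not part of Samurai, Mutillidae or Remastersys. It carries out steps 1 through 6 and 8 through 10 with the checks a manual run tends to skip: it refuses to move the current install onto an existing versioned folder, verifies that the unpacked zip really contains mutillidae/index.php, and requires both URLs to answer HTTP 200 before an ISO is built. It assumes the Samurai 0.95 layout (/srv/mutillidae served at /mutillidae), that the downloaded zip contains a top-level "mutillidae" folder, and that unzip, curl and remastersys are installed; the function names and the *.iso listing are this example's own.

```sh
#!/bin/sh
# Added example (not Samurai's, Mutillidae's or Remastersys's own code): the
# custom-ISO recipe with safety checks. Assumes /srv/mutillidae is served at
# http://localhost/mutillidae and that unzip, curl and remastersys are present.

SRV=${SRV:-/srv}

# Steps 1-2: move the current install aside under a version suffix. Refuses to run
# if there is nothing to move or if the target name is already taken, so an earlier
# archived copy is never overwritten.
version_existing_install() {
    srv=$1; ver=$2
    if [ ! -d "$srv/mutillidae" ]; then
        echo "no current install at $srv/mutillidae" >&2; return 1
    fi
    if [ -e "$srv/mutillidae-$ver" ]; then
        echo "$srv/mutillidae-$ver already exists; choose another version label" >&2; return 1
    fi
    mv "$srv/mutillidae" "$srv/mutillidae-$ver"
}

# Step 4: unpack the new release next to the archived one and confirm the layout.
install_new_version() {
    zip=$1; srv=$2
    unzip -q "$zip" -d "$srv"
    [ -f "$srv/mutillidae/index.php" ] || {
        echo "zip did not contain mutillidae/index.php" >&2; return 1; }
}

# Steps 5-6: a site counts as working only if it answers HTTP 200.
check_site() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    [ "$code" = 200 ] || { echo "$1 returned HTTP $code" >&2; return 1; }
}

# Steps 8-10: clean, build, and show where the ISO landed (needs sudo).
build_iso() {
    sudo remastersys clean
    sudo remastersys backup
    ls -l /home/remastersys/remastersys/*.iso
}

# Usage: sh make_iso.sh mutillidae-latest.zip 1.5
# (the second argument is the label given to the install being archived)
if [ -n "${2:-}" ]; then
    version_existing_install "$SRV" "$2" &&
    install_new_version "$1" "$SRV" &&
    check_site http://localhost/mutillidae &&
    check_site "http://localhost/mutillidae-$2" &&
    build_iso
fi
```

Step 7 (changes to Linux, Firefox and other software) is deliberately left to the operator between running the version/install functions and build_iso; the chained `&&` means a failed check stops the run before remastersys touches anything.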
d. Virtual Machine
i. Mutillidae has been tested in VirtualBox and VMware Workstation virtual machines running
Windows XP SP3 and Ubuntu. Additionally, VirtualBox virtual machines have been booted from the
Samurai 0.95 WTF DVD and the Samurai 0.95/Mutillidae 2.x custom ISO. The Windows XP SP3
installation ran Mutillidae 2.x in the XAMPP environment. The Ubuntu installation was
created by installing Samurai 0.95 WTF to a Linux virtual machine. Basically, any of the
previously mentioned installation options work equally well in virtual environments.