Mutillidae was originally created by Adrian Crenshaw aka “Irongeek” and is now maintained by Jeremy Druin. For this course we will be using two different versions of Mutillidae.
- Mutillidae in the Metasploitable 2 Virtual Machine.
- We will install the latest version of Mutillidae on our Windows 7 virtual machine.
So the first question you may have right now is: why two different versions? The reason is that the Mutillidae on the Metasploitable VM is an older version running in a Linux environment, while the latest release, 2.6, we will run on Windows 7. The benefit of doing this is that we can see how website attacks interact differently with the underlying operating system.
The attack commands and their effects will differ between the two operating systems, and the Metasploitable 2 Mutillidae is also more responsive in a virtual environment.
There are some database connection related issues in the Mutillidae running on Metasploitable 2, so we will fix those first and then move on to installing Mutillidae on Windows 7.
Mutillidae Database Configuration Changes :-
As mentioned in the paragraph above, the Metasploitable version of Mutillidae has a database configuration error; here is how to fix it. The default database name in the config file is “metasploit” and we will change it to “owasp10” so that Mutillidae runs without errors.
- Start your Metasploitable VM.
- Log in to the system (the default username and password are both “msfadmin”).
- Change directory to /var/www/mutillidae
- Then type: sudo nano config.inc
- Now change the database name from “metasploit” to “owasp10”.
- Then press Ctrl+X and Y to save the changes and exit.
php.ini Config Changes :-
Lastly, we will change a setting in the php.ini file to allow Remote File Inclusion attacks, which will be covered in future chapters on Web Application Testing.
The php.ini file is stored in /etc/php5/cgi/. Edit it with sudo nano php.ini, find the “Fopen wrappers” section and change “allow_url_include” to “On”. Save and exit, then restart Apache and reset the database.
- Restart Apache by typing: “sudo /etc/init.d/apache2 restart”
- Finally, from your host or another VM, open Mutillidae in a browser at “<Metasploitable 2 IP address>/mutillidae”
- Click “Reset DB”.
- That is all we need to do; the Metasploitable VM is all set!
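As an added example (not part of the original tutorial or of Mutillidae itself), the same two edits done with sed and then read back, so you can confirm both changes are in place before restarting Apache. The file contents are constructed stand-ins for the Metasploitable 2 config.inc and php.ini; on the real VM pass the paths given above instead.

```shell
#!/bin/sh
# Apply the two Metasploitable 2 edits from the page with sed instead of nano,
# and read the values back so the change can be checked before Apache is restarted.
# Sample files are constructed here; on the real VM pass
# /var/www/mutillidae/config.inc and /etc/php5/cgi/php.ini instead.
set -e

replace_in_place() {
  # $1 = file, $2 = sed expression; write-then-move avoids the GNU-only "sed -i"
  sed "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

set_db_name() {
  # $1 = config.inc, $2 = database name (no / or & in the name)
  replace_in_place "$1" "s/^\([[:space:]]*[\$]dbname[[:space:]]*=[[:space:]]*\)'[^']*'/\1'$2'/"
}

set_url_include() {
  # $1 = php.ini, $2 = On|Off; also activates a commented-out ";allow_url_include" line.
  # On is the lab setting for the remote-inclusion exercises; Off is the PHP default.
  replace_in_place "$1" "s/^[[:space:]]*;\{0,1\}[[:space:]]*allow_url_include[[:space:]]*=.*/allow_url_include = $2/"
}

get_db_name() {
  sed -n "s/^[[:space:]]*[\$]dbname[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1"
}

get_url_include() {
  sed -n 's/^[[:space:]]*allow_url_include[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p' "$1"
}

check_ready() {
  # $1 = config.inc, $2 = php.ini; succeeds only when both page edits are in place
  [ "$(get_db_name "$1")" = owasp10 ] && [ "$(get_url_include "$2")" = On ]
}

make_samples() {
  # Constructed stand-ins holding the defaults the page describes
  mkdir -p "$1"
  printf '%s\n' '<?php' "  \$dbhost = 'localhost';" "  \$dbname = 'metasploit';" '?>' > "$1/config.inc"
  printf '%s\n' '; Fopen wrappers ;' 'allow_url_fopen = On' 'allow_url_include = Off' > "$1/php.ini"
}

demo=$(mktemp -d)
make_samples "$demo"
check_ready "$demo/config.inc" "$demo/php.ini" && echo "already configured" || echo "needs changes"
set_db_name "$demo/config.inc" owasp10
set_url_include "$demo/php.ini" On
check_ready "$demo/config.inc" "$demo/php.ini" && echo "ready: restart Apache and click Reset DB"
```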