Tim Monahan - 2013-10-01

I upgraded to Mutillidae 2.6.2 on Metasploitable 2 recently. I am trying to do SQL injection on Kali Linux, from the Kali box to the Metasploitable 2 box, on the following page: http://192.168.1.104/mutillidae/index.php?page=user-info.php

I get an error message when I have a syntax error in my query in the "Name" input box. For example, if I type "' union select null,VERSION() AS username,null,null -- " I get an error message which gives me relevant information, which is what I would expect. If I type "' union select null,VERSION() AS username,null,null,null -- ", which has one more column, I get rid of the error message but get "0 records found." I know the "nowasp" database is on Metasploitable 2 because I was able to access it using "mysql" query commands and viewed passwords, usernames, etc. I have checked the "/var/www/mutillidae/classes/MySQLHandler.php" file using the "vim" command and it appears to be configured properly. I am not sure why these queries will not work. I tried the "sqlmap" tool against the database using "sqlmap -u http://192.168.1.104/mutillidae/index.php?page=user-info.php --forms --batch -D nowasp -T accounts --dump" and it told me that "username" and "password" are not injectable. Since Mutillidae is set up to be injectable on Security Level 0, it should work, I think.

I can perform other exploits on Mutillidae 2.6.2, such as command injection. For example, the ";ls" command on the "DNS Lookup" page gives me a listing of files in the current directory of Metasploitable 2. Likewise, "; cat /etc/passwd" gives me a listing of usernames and passwords. The problem is the SQL injection. I must need to configure something differently, but I can't figure it out. Has anyone else run into this issue? I had no issues with SQL injection on the earlier version of Mutillidae using the same procedures as above.