WebApp exploitation with Arachni and Metasploit


Yanjin Ding

12 Feb, 2013 05:18 PM

Hello Tasos,

I have a problem with exploitation using Arachni and Metasploit and need your kind help. Thank you in advance.

I scanned this testing web app, http://testphp.vulnweb.com, using Arachni and generated a Metareport. Then I tried to load the metareport into Metasploit and exploit the vulnerabilities found and reported by Arachni.

I did a manual exploit using the command arachni_manual vuln_id, following the instructions in this example: https://github.com/Arachni/arachni/blob/master/EXPLOITATION.md. However, when I ran exploit it said: [-] Exploit failed: A payload has not been selected.

Below is detailed information:

Vulnerabilities

ID  Host           Path                  Name                                 Method  Params  Exploit
--  ----           ----                  ----                                 ------  ------  -------
1   176.28.50.165  /listproducts.php     SQL Injection                        GET     {"cat"=>"1XXinjectionXX"}  unix/webapp/arachni_sqlmap
2   176.28.50.165  /search.php           SQL Injection                        GET     {"test"=>"queryXXinjectionXX"}  unix/webapp/arachni_sqlmap
3   176.28.50.165  /artists.php          SQL Injection                        GET     {"artist"=>"1XXinjectionXX"}  unix/webapp/arachni_sqlmap
4   176.28.50.165  /product.php          SQL Injection                        GET     {"pic"=>"1XXinjectionXX"}  unix/webapp/arachni_sqlmap
5   176.28.50.165  /listproducts.php     SQL Injection                        GET     {"artist"=>"1XXinjectionXX"}  unix/webapp/arachni_sqlmap
6   176.28.50.165  /secured/newuser.php  SQL Injection                        POST    {"uuname"=>"arachni_nameXXinjectionXX", "upass"=>"5543!%arachni_secret", "upass2"=>"5543!%arachni_secret", "urname"=>"arachni_name", "ucc"=>"1", "uemail"=>"[email blocked]", "uphone"=>"1", "signup"=>"signup", "uaddress"=>"1"}  unix/webapp/arachni_sqlmap
7   176.28.50.165  /search.php           Blind SQL Injection (timing attack)  POST    {"searchFor"=>"XXinjectionXX", "goButton"=>"go"}  unix/webapp/arachni_sqlmap
8   176.28.50.165  /product.php          Code injection (timing attack)       GET     {"pic"=>"XXinjectionXX"}  unix/webapp/arachni_php_eval
9   176.28.50.165  /artists.php          Code injection (timing attack)       GET     {"artist"=>"XXinjectionXX"}  unix/webapp/arachni_php_eval
10  176.28.50.165  /listproducts.php     Code injection (timing attack)       GET     {"cat"=>"XXinjectionXX"}  unix/webapp/arachni_php_eval
11  176.28.50.165  /listproducts.php     Code injection (timing attack)       GET     {"artist"=>"XXinjectionXX"}  unix/webapp/arachni_php_eval
12  176.28.50.165  /index.php            Blind SQL Injection (timing attack)  HEADER  {"Accept-Encoding"=>"XXinjectionXX"}  unix/webapp/arachni_sqlmap
13  176.28.50.165  /index.php            Blind SQL Injection (timing attack)  HEADER  {"User-Agent"=>"XXinjectionXX"}  unix/webapp/arachni_sqlmap
14  176.28.50.165  /userinfo.php         Blind SQL Injection (timing attack)  POST    {"uname"=>"XXinjectionXX", "pass"=>"5543!%arachni_secret"}  unix/webapp/arachni_sqlmap
15  176.28.50.165  /userinfo.php         Blind SQL Injection (timing attack)  POST    {"uname"=>"arachni_name", "pass"=>"XXinjectionXX"}  unix/webapp/arachni_sqlmap
16  176.28.50.165  /showimage.php        Path Traversal                       GET     {"file"=>"XXinjectionXX"}  unix/webapp/arachni_path_traversal

Command msf > arachni_manual 5

[*] Using unix/webapp/arachni_sqlmap .
[*] Preparing datastore for 'SQL Injection' vulnerability @ 176.28.50.165/listproducts.php ...
SRVHOST => 127.0.0.1
SRVPORT => 14248
RHOST => 176.28.50.165
RPORT => 80
LHOST => 127.0.0.1
LPORT => 10421
SSL => false
GET => artist=1XXinjectionXX
METHOD => GET
COOKIES => 
HEADERS => Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::User-Agent=Arachni/v0.4.1.3
PATH => /listproducts.php
[*] Done!
[-] Unknown variable
Usage: set [option] [value]
Set the given option to value.  If value is omitted, print the current value.
If both are omitted, print options that are currently set.
If run from a module context, this will set the value in the module's
datastore.  Use -g to operate on the global datastore

Command msf exploit(arachni_sqlmap) > show options

Module options (exploit/unix/webapp/arachni_sqlmap):

Name         Current Setting                 Required  Description
----         ---------------                 --------  -----------
COOKIES                                      no
GET          id=1                            no        HTTP GET query
METHOD       GET                             yes       HTTP Method
OPTS         --users --dbs --sql-shell -v 0  no        The sqlmap options to use
PATH         /listproducts.php               yes       The path to test for SQL injection
POST                                         no        The data string to be sent through POST
Proxies                                      no        Use a proxy chain
RHOST        176.28.50.165                   yes       The target address
RPORT        80                              yes       The target port
SQLMAP_PATH  /home/nopsec/sqlmap/sqlmap.py   yes       The sqlmap 0.9 full path
VHOST                                        no        HTTP server virtual host

Then I set SQLMAP_PATH to the correct full path of sqlmap and ran exploit; it gave the error asking me to select a payload. But there is no compatible payload: running show payloads returned nothing.
Any idea on how to set a payload?
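As an added illustration (not code from this thread or from Arachni), the Ruby script below parses rows in the layout of the vulnerability listing above and builds the per-module datastore the way the "Preparing datastore" output shows: the Params hash becomes the GET query, the POST body or extra HEADERS, alongside PATH, RHOST, RPORT and METHOD. The rows and the host 192.0.2.10 are constructed; the treatment of HEADER rows (sent as GET, params joined into HEADERS with "::") is an assumption, since the thread only shows a GET example.

```ruby
# Added example, not code from the thread or from Arachni. The rows below are
# constructed in the same column layout as the listing; host 192.0.2.10 is a
# documentation address, not a real target.
MARKER = 'XXinjectionXX' # Arachni's placeholder marking the injection point

ROWS = <<~TABLE
5   192.0.2.10  /listproducts.php  SQL Injection                        GET     {"artist"=>"1XXinjectionXX"}                  unix/webapp/arachni_sqlmap
13  192.0.2.10  /index.php         Blind SQL Injection (timing attack)  HEADER  {"User-Agent"=>"XXinjectionXX"}               unix/webapp/arachni_sqlmap
14  192.0.2.10  /userinfo.php      Blind SQL Injection (timing attack)  POST    {"uname"=>"XXinjectionXX", "pass"=>"secret"}  unix/webapp/arachni_sqlmap
TABLE

# The Params cell is a Ruby Hash#inspect string ({"k"=>"v", ...}); pull the
# pairs out with a regex instead of eval, so untrusted report text is never run.
def parse_params(cell)
  cell.scan(/"([^"]*)"=>"([^"]*)"/).to_h
end

# Columns are separated by runs of two or more spaces; values inside a column
# (vulnerability names, the Params hash) only ever contain single spaces.
def parse_row(line)
  id, host, path, name, method, params, mod = line.strip.split(/ {2,}/)
  { id: id.to_i, host: host, path: path, name: name, method: method,
    params: parse_params(params), module: mod }
end

def parse_table(text)
  text.lines.map { |l| parse_row(l) }
end

# Build the datastore as the arachni_manual output shows: the request method
# decides whether the params become the GET query, the POST body or HEADERS.
def build_datastore(vuln)
  encoded = vuln[:params].map { |k, v| "#{k}=#{v}" }
  ds = { 'RHOST' => vuln[:host], 'RPORT' => 80, 'SSL' => false,
         'PATH' => vuln[:path], 'METHOD' => vuln[:method] }
  case vuln[:method]
  when 'GET'  then ds['GET']  = encoded.join('&')
  when 'POST' then ds['POST'] = encoded.join('&')
  when 'HEADER' # assumption: sent as GET, params joined with "::" like HEADERS above
    ds['METHOD']  = 'GET'
    ds['HEADERS'] = encoded.join('::')
  end
  ds
end

# Which parameter carries the marker; entries 1 and 5 above share a path and
# differ only in this.
def injection_point(vuln)
  vuln[:params].find { |_, v| v.include?(MARKER) }&.first
end
```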
  1. Posted by Tasos Laskos (Support Staff) on 13 Feb, 2013 02:26 AM


    I think there was an MSF update which requires all exploit modules to have a payload.
    I'll have to update the sqlmap module to be an auxiliary one.

  2. Posted by Yanjin Ding on 13 Feb, 2013 02:53 PM


    That's awesome. Please let me know when you're done. Thank you!

  3. Posted by Tasos Laskos (Support Staff) on 15 Feb, 2013 06:47 PM


    Was planning to take care of this sooner but it'll have to wait until sometime during this 3-day weekend because I've been busy working on the web interface.

    FYI: I usually try to be on top of support requests and bugfixes, but the Metasploit integration stuff isn't really supported, so it gets a lower priority.
    Updating the relevant file to reflect that now.

  4. Posted by Tasos Laskos (Support Staff) on 23 Feb, 2013 02:47 PM


    Sorry I left you waiting, I just pushed the fix to the experimental branch.
    Let me know if you come across any issues.

  5. Tasos Laskos closed this discussion on 23 Feb, 2013 02:47 PM.
