I was using w3af on a Samurai CD (which is Ubuntu 9.04), but had updated it to
the current SVN version. Note that /usr/bin/python is linked to python2.6, and
python -V reports "Python 2.6.2".
After updating w3af, to get it to work, I had to follow the instructions
provided in the tool's stderr. It involved downloading and installing
PyYAML-3.0.9, NLTK, python-dev, and some Python filter library that I can't
remember now.
I used this against a machine running a purposely vulnerable app. One of the
vulnerabilities is osCommanding, in the commandinj.php page:
<?php
// Deliberately vulnerable test page: the raw GET parameter is passed straight to a shell.
passthru($_GET['command']);
?>
This was found and reported (via the plugin's ping test).
Going to the exploit tab, I selected osCommandingShell > Exploit All To First
success. When I tried to interact with the shell, no output was given in
response to my commands.
The saved results were this:
www-data@sec542> id
www-data@sec542> who
www-data@sec542> uname -a
www-data@sec542>
However, I could exploit it manually by typing
https://www.sec542.org/scanners/commandinj.php?command=id
in the browser URL bar.
This gets the expected output (returned in the browser window):
uid=33(www-data) gid=33(www-data) groups=33(www-data)
At least last night, a shell was created. When I repeated the test today, I
found the shell didn't even get created, even though it found the
vulnerability, and I could still manually get the results.
GET https://www.sec542.org/scanners/commandinj.php?command=/bin/echo TqLUCesg
returned HTTP code "200" - id: 245
Defined cut header and footer using exact match
Defined header length to 0
Defined footer length to 0
POST https://www.sec542.org/scanners/commandinj.php with data:
"command=/bin/echo ynyRYKuK" returned HTTP code "200" - id: 246
The vulnerability was found using method GET; w3af tried to change the method
to POST for exploiting, but that failed.
I don't see any errors that would explain the shell not getting created here.
I looked for bug reports by searching for "shell" but found only old ones.
Ditto for searching for osCommanding. I was running. It might be something
with the old samurai machine, but it didn't happen prior to updating to the new
version (Version 1.2, Rev 4610).
Any ideas?
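As an added example (not part of the original post, and not w3af's own code), here is how the probe traffic described above looks from the defender's side. It assumes an Apache combined-format access log; the log lines below are constructed, modelled on the GET request in the post (the echo of a random token that w3af uses to confirm osCommanding) and on the manual `command=id` request. The detector parses each request's query string and flags parameter values that look like command-injection probes: the scanner's `/bin/echo <token>` signature, shell metacharacters, or a bare shell binary name. The POST attempt is deliberately included to show a limitation: with default logging the POST body is not recorded, so the `command=/bin/echo ...` sent by POST leaves no parameter to inspect.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (Apache combined format). The first two mirror the
# scanner's GET and POST probes from the post; the third is the manual "id" request.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2012:10:01:02 +0000] "GET /scanners/commandinj.php?command=/bin/echo%20TqLUCesg HTTP/1.1" 200 9 "-" "constructed-scanner-agent"
10.0.0.5 - - [12/Jan/2012:10:01:03 +0000] "POST /scanners/commandinj.php HTTP/1.1" 200 9 "-" "constructed-scanner-agent"
10.0.0.9 - - [12/Jan/2012:10:02:15 +0000] "GET /scanners/commandinj.php?command=id HTTP/1.1" 200 45 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jan/2012:10:03:00 +0000] "GET /scanners/commandinj.php?command=list HTTP/1.1" 200 45 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Jan/2012:10:04:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Heuristics (assumptions for this example, not a complete ruleset):
# the scanner's echo-of-a-random-token probe, shell metacharacters, common binaries.
ECHO_TOKEN_RE = re.compile(r'^/bin/echo\s+[A-Za-z0-9]{8}$')
META_RE = re.compile(r'[;&|`$]')
SHELL_BINARIES = {"id", "whoami", "uname", "who", "cat", "ls", "wget",
                  "curl", "nc", "sh", "bash", "echo"}


def classify_value(value):
    """Return the list of reasons a parameter value looks like a command-injection probe."""
    reasons = []
    if ECHO_TOKEN_RE.match(value):
        reasons.append("scanner echo-token probe")
    if META_RE.search(value):
        reasons.append("shell metacharacter")
    tokens = value.split()
    first = tokens[0] if tokens else ""
    name = first.rsplit("/", 1)[-1]      # "/bin/echo" -> "echo"
    if name in SHELL_BINARIES:
        reasons.append("shell binary '%s'" % name)
    return reasons


def scan_log(text):
    """Parse access-log lines and return findings for suspicious query parameters."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Only the query string is available; POST bodies are not in a standard access log.
        query = urlsplit(m.group("target")).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:          # parse_qs already URL-decodes (%20 -> space)
                reasons = classify_value(value)
                if reasons:
                    findings.append({
                        "ip": m.group("ip"),
                        "method": m.group("method"),
                        "status": m.group("status"),
                        "param": param,
                        "value": value,
                        "reasons": reasons,
                    })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%(ip)s %(method)s %(param)s=%(value)r -> %(reasons)s" % f)
```

Running the block over the constructed log reports the `/bin/echo TqLUCesg` probe and the manual `command=id` request, while `command=list` and `page=home` are left alone. The value of logging the echo-token pattern is that it pinpoints the moment a scanner confirmed the injection, which is a stronger signal than metacharacters alone; to also see POST-based probes you would need request-body logging or a WAF in front of the application.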
_______________________________________________
W3af-users mailing list
W3af-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-users