Wayne, Please read comments inline,
On Fri, Dec 30, 2011 at 6:59 PM, Wayne Dawson <wayne_daw...@inventuresolutions.com> wrote:
> I was using w3af on a Samurai CD (which is Ubuntu 9.04, but I had updated it
> to the current SVN version). Note that /usr/bin/python is linked to python2.6,
> and python -V reports "Python 2.6.2".

Ok, setup seems correct then

> After updating w3af, to get it to work, I had to follow the instructions
> provided in the tool's stderr. It involved downloading and installing
> PyYAML-3.0.9, Nltk, Python-dev, and some python filter library that I can't
> remember now.

mmap bloom filter :) That all sounds correct,

> I used this against a machine running a purposely vulnerable app. One of
> the vulnerabilities is osCommanding, in the commandinj.php page:
>
> <?php
> passthru($_GET['command']);
> ?>
>
> This was found and reported (via the plugin's ping test).
>
> Going to the exploit tab, selecting osCommandingShell > Exploit All To First
> success. I tried to interact with the shell, no output was given in
> response to my commands.
>
> The saved results were this:
>
> www-data@sec542> id
> www-data@sec542> who
> www-data@sec542> uname -a

Hmmm.... sorry about that, I'll return an error message when the command
does not exist. You should use "e id" or "e who" instead of "id" or "who".
This changed around 6 months ago.

> However, I could exploit it manually, by typing in the browser url bar,
> typing
>
> https://www.sec542.org/scanners/commandinj.php?command=id
>
> This gets the expected output (returned in the browser window):
>
> uid=33(www-data) gid=33(www-data) groups=33(www-data)
>
> At least last night, a shell was created. When I repeated the test today, I
> found the shell didn't even get created, even though it found the
> vulnerability, and I could still manually get the results.
>
> GET https://www.sec542.org/scanners/commandinj.php?command=/bin/echo TqLUCesg returned HTTP code "200" - id: 245
> Defined cut header and footer using exact match
> Defined header length to 0
> Defined footer length to 0
> POST https://www.sec542.org/scanners/commandinj.php with data: "command=/bin/echo ynyRYKuK" returned HTTP code "200" - id: 246
> The vulnerability was found using method GET, tried to change the method to
> POST for exploiting but failed.
>
> I don't see any errors that would explain the shell not getting created
> here.
>
> I looked for bug reports by searching for "shell" but found only old ones.
> Ditto for searching for osCommanding. I was running. It might be
> something with the old Samurai machine, but it didn't happen prior to
> updating to the new version (Version 1.2, Rev 4610).
>
> Any ideas?

--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af

_______________________________________________
W3af-users mailing list
W3af-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-users
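The thread above shows what an osCommanding check looks like from the wire: the scanner first confirms execution by echoing a random token (`command=/bin/echo TqLUCesg`), then the tester runs `id`, `who` and `uname -a` by hand. Every one of those GET requests lands in the target's web server access log, so the administrator of a host like the one described can spot the probing after the fact. The script below is an added example for this thread, not code from w3af or from either poster: it parses Apache combined-format lines (the sample lines are constructed here, not taken from any real server) and flags query parameters that match three indicator patterns, which are my own assumptions about what such traffic looks like, not w3af's detection logic.

```python
"""Flag OS-command-injection probes in web server access logs (added example)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format log lines; not taken from the thread's server.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Dec/2011:18:59:01 +0000] "GET /scanners/commandinj.php?command=/bin/echo%20TqLUCesg HTTP/1.1" 200 9 "-" "w3af.org"
10.0.0.5 - - [30/Dec/2011:18:59:02 +0000] "GET /scanners/commandinj.php?command=id HTTP/1.1" 200 54 "-" "Mozilla/5.0"
10.0.0.7 - - [30/Dec/2011:19:01:10 +0000] "GET /scanners/commandinj.php?command=%3Bcat%20/etc/passwd HTTP/1.1" 200 1300 "-" "Mozilla/5.0"
10.0.0.9 - - [30/Dec/2011:19:02:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [30/Dec/2011:19:02:05 +0000] "POST /scanners/commandinj.php HTTP/1.1" 200 9 "-" "w3af.org"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator patterns (assumed, not w3af's): an execution check that echoes a random
# token; shell metacharacters that chain commands; well-known binaries such as the
# id, who and uname seen in the thread.
INDICATORS = [
    ("echo_probe", re.compile(r'(^|[;&|`\s])(/bin/)?echo\s+[A-Za-z0-9]{6,}\s*$')),
    ("shell_metachar", re.compile(r'[;&|`]|\$\(')),
    ("known_binary", re.compile(
        r'(^|[;&|`(\s])(/bin/|/usr/bin/)?(id|who|whoami|uname|cat|ls|wget|curl)(\s|$|[;&|`)])')),
]


def classify_value(value):
    """Return the indicator names matched by one URL-decoded parameter value."""
    return [name for name, rx in INDICATORS if rx.search(value)]


def scan_log(text):
    """Parse access-log lines and report every query parameter that looks like a probe."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        target = urlsplit(m.group("target"))
        # parse_qsl percent-decodes values, so %20 and %3B become ' ' and ';' before matching.
        for param, value in parse_qsl(target.query, keep_blank_values=True):
            indicators = classify_value(value)
            if indicators:
                findings.append({
                    "ip": m.group("ip"),
                    "method": m.group("method"),
                    "path": target.path,
                    "param": param,
                    "value": value,
                    "indicators": indicators,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['path']} {f['param']}={f['value']!r} -> {', '.join(f['indicators'])}")
```

Two caveats follow directly from the thread. A standard access log records no request body, so the POST attempt w3af made (`command=/bin/echo ynyRYKuK`) appears only as a bare POST to commandinj.php and is not flagged here; correlating it with an earlier flagged GET from the same client, or enabling request-body logging on that endpoint, closes that gap. And the token in the echo probe is random per run, so the pattern keys on the shape (`echo` followed by a short alphanumeric string) rather than on any fixed value.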