Wayne,

On Mon, Jan 2, 2012 at 2:26 PM, Andres Riancho <andres.rian...@gmail.com> wrote:
> Wayne,
>
>    Please read comments inline,
>
> On Fri, Dec 30, 2011 at 6:59 PM, Wayne Dawson
> <wayne_daw...@inventuresolutions.com> wrote:
>> I was using w3af on a Samurai CD (which is Ubuntu 9.04, but I had updated it
>> to the current SVN version). Note that /usr/bin/python is linked to python2.6,
>> and python -V reports “Python 2.6.2”.
>
>    Ok, setup seems correct then
>
>> After updating w3af, to get it to work, I had to follow the instructions
>> provided in the tools std err.  It involved downloading and installing
>> PyYAML-3.0.9, Nltk, Python-dev, and some python filter library that I can’t
>> remember now.
>
>    mmap bloom filter :) That all sounds correct,
>
>> I used this against a machine running a purposely vulnerable app. One of
>> the vulnerabilities is osCommanding, in the commandinj.php page:
>>
>> <?php
>>
>> Passthru($_GET[command]);
>>
>> ?>
>>
>> This was found and reported (via the plugin’s ping test).
>>
>> I went to the exploit tab and selected osCommandingShell > Exploit All To First
>> success. I tried to interact with the shell, but no output was given in
>> response to my commands.
>>
>> The saved results were this:
>>
>>
>> www-data@sec542> id
>> www-data@sec542> who
>> www-data@sec542> uname -a
>
>    Hmmm.... sorry about that, I'll return an error message when the
> command does not exist. You should use "e id" or "e who" instead of
> "id" or "who". This changed around 6 months ago.

    Modified! Here's your change :)
    http://sourceforge.net/apps/trac/w3af/changeset/4613

>>
>> However, I could exploit it manually by typing this in the browser URL bar:
>>
>> https://www.sec542.org/scanners/commandinj.php?command=id
>>
>> This gets the expected output (returned in the browser window):
>>
>> uid=33(www-data) gid=33(www-data) groups=33(www-data)
>>
>> At least last night, a shell was created. When I repeated the test today, I
>> found the shell didn’t even get created, even though it found the
>> vulnerability, and I could still manually get the results.
>>
>> GET https://www.sec542.org/scanners/commandinj.php?command=/bin/echo
>> TqLUCesg returned HTTP code "200" - id: 245
>>
>> Defined cut header and footer using exact match
>>
>> Defined header length to 0
>>
>> Defined footer length to 0
>>
>> POST https://www.sec542.org/scanners/commandinj.php with data:
>> "command=/bin/echo ynyRYKuK" returned HTTP code "200" - id: 246
>>
>> The vulnerability was found using method GET, tried to change the method to
>> POST for exploiting but failed.
>>
>> I don’t see any errors that would explain the shell not getting created
>> here.
>>
>> I looked for bug reports by searching for “shell” but found only old ones.
>> Ditto for searching for osCommanding. I was running. It might be
>> something with the old Samurai machine, but it didn’t happen prior to
>> updating to the new version (Version 1.2, Rev 4610).
>>
>> Any ideas?
>>
>
> --
> Andrés Riancho
> Director of Web Security at Rapid7 LLC
> Founder at Bonsai Information Security
> Project Leader at w3af



-- 
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
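As an added defender-side example (not code from this thread or from w3af), the following scans web-server access-log lines for the kind of command-injection probe the report above shows: an `/bin/echo <random token>` verification request, or a bare recon command such as `id`, placed in a query parameter. The log format, the parameter name `command` and the sample lines are all constructed for this example; note that the POST-body probe from the report never reaches a standard access log, so only the GET requests can be flagged this way.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache/nginx combined-style format (not real logs).
SAMPLE_LOG = """\
10.0.0.5 - - [30/Dec/2011:18:59:01 +0000] "GET /scanners/commandinj.php?command=/bin/echo%20TqLUCesg HTTP/1.1" 200 9
10.0.0.5 - - [30/Dec/2011:18:59:02 +0000] "POST /scanners/commandinj.php HTTP/1.1" 200 9
10.0.0.7 - - [30/Dec/2011:19:01:10 +0000] "GET /scanners/commandinj.php?command=id HTTP/1.1" 200 45
10.0.0.9 - - [30/Dec/2011:19:02:30 +0000] "GET /index.php?page=home HTTP/1.1" 200 1200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Scanner-style verification probe: "/bin/echo" followed by a random token.
ECHO_PROBE = re.compile(r'(?:^|[;|&`\s])/bin/echo\s+[A-Za-z0-9]{6,}\s*$')
# Bare recon commands commonly typed into a suspected injection point.
RECON_CMD = re.compile(r'(?:^|[;|&`\s])(?:id|whoami|uname(?:\s+-a)?|cat\s+/etc/passwd)\s*$')


def classify_value(value):
    """Return a label for a suspicious parameter value, or None if it looks benign."""
    if ECHO_PROBE.search(value):
        return "echo-probe"
    if RECON_CMD.search(value):
        return "recon-command"
    return None


def scan_log(text):
    """Parse each access-log line and report query parameters that carry a probe.

    POST bodies are not present in the access log, so a body-based probe
    (like the second sample line) cannot be detected from this source alone.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query  # parse_qsl also URL-decodes
        for name, value in parse_qsl(query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "param": name, "kind": kind, "status": m.group("status")})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```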
