andresriancho / w3af

w3af: web application attack and audit framework, the open source web vulnerability scanner.
http://w3af.org/

Referring to a non-existent file during exploiting file_upload #534

Closed 1d3df9903ad closed 10 years ago

1d3df9903ad commented 11 years ago

User description

target : http://certifiedhacker.com/corporate-learning-website/01-homepage.html

Enabled all audit plugins, except rfi

crawl - webspider only

grep - enabled all the plugins

After the scan finished, try to exploit file_upload

Exploiting 'file_upload'...
1 vulnerabilites to exploit
Checking suitability for vuln 'File upload form'...
  ok
Exploiting...
Failed to open filename: plugins/attack/payloads/webshell/webshell.html

If we navigate to the plugins/attack/payloads/webshell - we can note that there is no webshell.html

Version Information

  Python version: 2.7.3 (default, Jan  2 2013, 13:56:14) [GCC 4.7.2]
  GTK version: 2.24.10
  PyGTK version: 2.24.0
  w3af version:
    w3af - Web Application Attack and Audit Framework
    Version: 1.6
    Revision: 9b61cd7027 - 18 Jul 2013 15:10
    Author: Andres Riancho and the w3af team.

mydeadlyvenoms commented 10 years ago

Faced exactly the same issue today. After navigating to the payloads folder I found out there was no webshell subfolder at all.

Checking suitability for vuln 'File upload form'...
  ok
Exploiting...
Failed to open filename: 
.../w3af/plugins/attack/payloads/webshell/webshell.

andresriancho commented 10 years ago

Changed severity since it seems to be a common issue. Moved to 1.6.1 milestone.

@mydeadlyvenoms: If you want to debug/fix, you're more than welcome :+1: If not, I might fix it next week

andresriancho commented 10 years ago

@mydeadlyvenoms got any site I can reproduce the issue? http://certifiedhacker.com/corporate-learning-website/01-homepage.html doesn't seem to repro the problem

andresriancho commented 10 years ago

Failed to repro at http://certifiedhacker.com/corporate-learning-website/01-homepage.html , maybe credentials are required.

mydeadlyvenoms commented 10 years ago

Hey, unfortunately I am not allowed to disclose the website, because it is not one for general testing purposes. I reproduced the issue several times. I am actually a bit confused, because the files are missing entirely. Either the problem occurs because of the missing files or the search path is probably wrong. I tend toward the first one, because I was not able to locate these files. Maybe we should start to maintain a collection of websites to test all implemented exploits?

andresriancho commented 10 years ago

Well, I maintain that already, only that this specific scenario is not there. You can see the different sites which are run as targets here:

I believe today I'll be able to reproduce this issue, don't worry :+1:

mydeadlyvenoms commented 10 years ago

Ah perfect, haven't seen that list before, cool. Yes, take your time - let me know if I can assist during testing.

andresriancho commented 10 years ago

Fixed! Wasn't hard to reproduce, but found a ton of different issues in my way.

mydeadlyvenoms commented 10 years ago

That was fast - nice one ;-)