Web App Vulnerability Scanning With WMAP

Posted by r3kind1e on January 11, 2023

WMAP

WMAP is a powerful, feature-rich web application vulnerability scanner that can be used to automate web server enumeration and scan web applications for vulnerabilities.

WMAP is available as an MSF plugin and can be loaded directly into MSF.

WMAP is fully integrated with MSF, which consequently allows us to perform web app vulnerability scanning from within the MSF.

Demo: Web App Vulnerability Scanning With WMAP

WMAP can also automate web server enumeration. In the enumeration section of this course we loaded individual auxiliary modules one at a time to pull information from a web server; WMAP runs that same set of modules for us without our having to load and configure each one by hand.

ifconfig

eth1: 192.157.89.2
service postgresql start
msfconsole -q
workspace -a Web_Scanning
setg RHOSTS 192.157.89.3

Load the WMAP plugin; typing wmap_ and pressing Tab lists the commands it adds:

load wmap
wmap_[Tab]

First, look at the wmap_sites help: the target has to be registered as a site before it can be selected as a target.

wmap_sites -h

Add the target host as a site:

wmap_sites -a 192.157.89.3

Then define it as a target (wmap_targets -t takes a URL, or vhost,url pairs):

wmap_targets -h
wmap_targets -t http://192.157.89.3

Confirm that the site and the target are registered:

wmap_sites -l
wmap_targets -l

WMAP drives Metasploit's built-in HTTP auxiliary modules to do the scanning, so anything it finds can also be reproduced by running the relevant module directly.

To see which modules will be launched against the defined targets, use wmap_run -t. It lists every WMAP-enabled module, grouped by test phase (SSL, web server, file/dir, query testing). The only pruning visible in the run below is that the SSL modules are disabled because the target is plain HTTP; server-specific checks such as the Tomcat and IIS/WebDAV modules are still launched and simply report nothing when they do not apply, so expect some noise in the results.

wmap_run -h

-t: list all enabled modules for the defined targets without running them.

The help text also shows -e, which launches the profile's modules against all matched targets; when no profile file is given, every enabled module is run.

wmap_run -t

To run the vulnerability scan against the target, use wmap_run -e. With no profile argument it runs all enabled modules, which is what we want here.

wmap_run -e

Two of the modules are worth re-running on their own afterwards: the OPTIONS check, which reports the HTTP methods the server advertises, and the HTTP PUT check:

auxiliary/scanner/http/options
auxiliary/scanner/http/http_put

wmap_vulns lists everything WMAP recorded during the run:

wmap_vulns -h

List the findings:

wmap_vulns -l

The most useful finding here concerns the HTTP methods. Note that OPTIONS reports only GET, HEAD, POST and OPTIONS, yet the PUT test below succeeds under /data/: the Allow header reflects the server's general configuration, not what each directory actually permits, so PUT has to be tested per path rather than read off the OPTIONS response.

We can utilize the HTTP PUT auxiliary module to test whether or not we can upload or put a file within a directory.

Allowing PUT on a web server is a misconfiguration: an attacker can use it to upload arbitrary files, including web shells, or to deface the site.

use auxiliary/scanner/http/options
show options
run

Use the HTTP PUT auxiliary module to test individual directories on the web server and see whether a file can be written into each one.

use auxiliary/scanner/http/http_put
show options
run

With the default PATH of /, the upload fails: the document root does not accept PUT. Retry against the /data/ directory that the directory scan found:

set PATH /data/
run

PUT and POST both send a request body to the server, but PUT asks the server to store that body as the resource at the request URI, whereas POST hands it to an application handler. That is exactly why a directory that honours PUT is dangerous.

An attacker would abuse this misconfiguration by setting FILEDATA to a web payload and FILENAME to a name with a server-side extension, uploading it into the writable directory, and starting a matching listener such as a Meterpreter handler. Requesting the uploaded file in a browser then executes the payload on the server and, if it is a reverse shell payload, the listener receives the connection. Whether the server actually executes scripts in that directory is a separate point to verify.

We can confirm the upload by fetching the file back with curl, then repeat with our own file name and contents:

curl http://192.157.89.3:80/data/msf_http_put_test.txt

show options
set FILEDATA "This does work"
set FILENAME this_works.txt
run

curl http://192.157.89.3:80/data/this_works.txt
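Because the OPTIONS response does not tell the whole story, a tester usually wants a quick per-directory PUT check that verifies the write by reading the file back and then cleans up after itself. The following is an added example written for this page, not code from the post or from Metasploit's http_put module. It assumes a plain-HTTP target, and it includes a constructed local stub server that behaves like the lab host (OPTIONS advertises only GET,HEAD,POST,OPTIONS, yet PUT works under /data/) so that it runs offline.

```python
"""Per-directory HTTP PUT check with a local fixture.

Added example; not from the original post or from Metasploit's http_put module.
The probe writes a small, uniquely named marker file, reads it back, and
deletes it again, so a test run does not leave files on the target the way
the lab's msf_http_put_test.txt and this_work.txt were left behind. The stub
server is a constructed fixture modelled on the lab host: OPTIONS advertises
only GET,HEAD,POST,OPTIONS, yet PUT is honoured under /data/.
"""
import http.client
import threading
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer


def _request(host, port, method, path, body=None, timeout=5):
    """One request on a fresh connection; returns (status, Allow header, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        headers = {"Content-Type": "text/plain"} if body is not None else {}
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Allow", ""), resp.read()
    finally:
        conn.close()


def probe_put(host, port, directories):
    """For each directory, record what OPTIONS claims and what PUT actually does.

    'writable' is set only when the marker reads back byte-for-byte; a 2xx on
    the PUT alone is not trusted. 'left_behind' flags a marker DELETE could not
    remove, which the tester must then clean up by other means.
    """
    results = {}
    for d in directories:
        d = d if d.endswith("/") else d + "/"
        target = d + f"put-probe-{uuid.uuid4().hex}.txt"
        marker = f"put-probe {uuid.uuid4().hex}\n".encode()
        _, allow, _ = _request(host, port, "OPTIONS", d)
        put_status, _, _ = _request(host, port, "PUT", target, body=marker)
        get_status, _, got = _request(host, port, "GET", target)
        writable = get_status == 200 and got == marker
        left_behind = False
        if writable:
            _request(host, port, "DELETE", target)
            still_there, _, _ = _request(host, port, "GET", target)
            left_behind = still_there == 200
        results[d] = {"allow": allow, "put_status": put_status,
                      "writable": writable, "left_behind": left_behind}
    return results


class _LabLikeHandler(BaseHTTPRequestHandler):
    """Constructed fixture: PUT/DELETE work only under /data/ and are not advertised."""
    store = {}

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if body:
            self.wfile.write(body)

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET,HEAD,POST,OPTIONS")  # PUT deliberately absent
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_PUT(self):
        if not self.path.startswith("/data/"):
            return self._reply(405)
        length = int(self.headers.get("Content-Length", 0))
        self.store[self.path] = self.rfile.read(length)
        self._reply(201)

    def do_GET(self):
        body = self.store.get(self.path)
        if body is None:
            self._reply(404)
        else:
            self._reply(200, body)

    def do_DELETE(self):
        self._reply(204 if self.store.pop(self.path, None) is not None else 404)


def demo():
    """Run the probe against the fixture on a random localhost port; returns results."""
    server = HTTPServer(("127.0.0.1", 0), _LabLikeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_put("127.0.0.1", server.server_address[1], ["/", "/data", "/uploads/"])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for directory, r in demo().items():
        print(f"{directory:12} Allow={r['allow']!r:28} PUT->{r['put_status']} "
              f"writable={r['writable']} left_behind={r['left_behind']}")
```

Point probe_put at a real host with the directory list that dir_scanner produced; inside msfconsole the module's own ACTION DELETE serves the same clean-up purpose for the files the lab leaves behind.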

Uploading a PHP Meterpreter payload works the same way: once it is on the server, browsing to its URL executes it and returns a reverse shell.

So WMAP can be used to identify a wide range of issues in a web application. For specific third-party applications such as content management systems, we will explore how to identify and exploit their vulnerabilities during the exploitation phase.

Lab: Web App Vulnerability Scanning With WMAP

Overview

This lab covers the process of performing web app vulnerability scanning with the WMAP Metasploit extension.

The WMAP extension is typically used to automate the process of performing web server enumeration and also automates the process of identifying misconfigurations and vulnerabilities on a web server.

My own walkthrough

root@attackdefense:~# ifconfig
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.227.46.2  netmask 255.255.255.0  broadcast 192.227.46.255
        ether 02:42:c0:e3:2e:02  txqueuelen 0  (Ethernet)
root@attackdefense:~# service postgresql start
[ ok ] Starting PostgreSQL 11 database server: main.
root@attackdefense:~# msfconsole -q
msf5 > workspace -a Web_Scanning
[*] Added workspace: Web_Scanning
[*] Workspace: Web_Scanning
msf5 > setg RHOSTS 192.227.46.3
RHOSTS => 192.227.46.3
msf5 > load wmap

.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] ===  et [  ] metasploit.com 2012
[*] Successfully loaded plugin: wmap
msf5 > wmap_
wmap_modules  wmap_nodes    wmap_run      wmap_sites    wmap_targets  wmap_vulns
msf5 > wmap_sites -h
[*] Usage: wmap_sites [options]
        -h        Display this help text
        -a [url]  Add site (vhost,url)
        -d [ids]  Delete sites (separate ids with space)
        -l        List all available sites
        -s [id]   Display site structure (vhost,url|ids) (level) (unicode output true/false)
msf5 > wmap_sites -a 192.227.46.3
[*] Site created.
msf5 > wmap_targets -h
[*] Usage: wmap_targets [options]
        -h              Display this help text
        -t [urls]       Define target sites (vhost1,url[space]vhost2,url) 
        -d [ids]        Define target sites (id1, id2, id3 ...)
        -c              Clean target sites list
        -l              List all target sites
msf5 > wmap_targets -t http://192.227.46.3
msf5 > wmap_sites -l
[*] Available sites
===============

     Id  Host          Vhost         Port  Proto  # Pages  # Forms
     --  ----          -----         ----  -----  -------  -------
     0   192.227.46.3  192.227.46.3  80    http   0        0


msf5 > wmap_targets -l
[*] Defined targets
===============

     Id  Vhost         Host          Port  SSL    Path
     --  -----         ----          ----  ---    ----
     0   192.227.46.3  192.227.46.3  80    false        /
msf5 > wmap_run -h
[*] Usage: wmap_run [options]
        -h                        Display this help text
        -t                        Show all enabled modules
        -m [regex]                Launch only modules that name match provided regex.
        -p [regex]                Only test path defined by regex.
        -e [/path/to/profile]     Launch profile modules against all matched targets.
                                  (No profile file runs all enabled modules.)
msf5 > wmap_run -t
[*] Testing target:
[*]     Site: 192.227.46.3 (192.227.46.3)
[*]     Port: 80 SSL: false
============================================================
[*] Testing started. 2023-01-11 09:36:55 +0000
[*] Loading wmap modules...
[*] 39 wmap enabled modules loaded.
[*] 
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*] 
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[*] Module auxiliary/scanner/http/frontpage_login
[*] Module auxiliary/scanner/http/host_header_injection
[*] Module auxiliary/scanner/http/options
[*] Module auxiliary/scanner/http/robots_txt
[*] Module auxiliary/scanner/http/scraper
[*] Module auxiliary/scanner/http/svn_scanner
[*] Module auxiliary/scanner/http/trace
[*] Module auxiliary/scanner/http/vhost_scanner
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Module auxiliary/scanner/http/webdav_scanner
[*] Module auxiliary/scanner/http/webdav_website_content
[*] 
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Module auxiliary/scanner/http/copy_of_file
[*] Module auxiliary/scanner/http/dir_listing
[*] Module auxiliary/scanner/http/dir_scanner
[*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/file_same_name_dir
[*] Module auxiliary/scanner/http/files_dir
[*] Module auxiliary/scanner/http/http_put
[*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/prev_dir_same_name_file
[*] Module auxiliary/scanner/http/replace_ext
[*] Module auxiliary/scanner/http/soap_xml
[*] Module auxiliary/scanner/http/trace_axd
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*] 
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*] 
=[ Query testing ]=
============================================================
[*] 
=[ General testing ]=
============================================================
[*] Done.
msf5 > wmap_run -e
[*] Using ALL wmap enabled modules.
[-] NO WMAP NODES DEFINED. Executing local modules
[*] Testing target:
[*]     Site: 192.227.46.3 (192.227.46.3)
[*]     Port: 80 SSL: false
============================================================
[*] Testing started. 2023-01-11 09:44:14 +0000
[*] 
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*] 
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version

[+] 192.227.46.3:80 Apache/2.4.18 (Ubuntu)
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Attempting to connect to 192.227.46.3:80
[+] No File(s) found
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[-] 192.227.46.3 does not appear to be vulnerable, will not continue
[*] Module auxiliary/scanner/http/frontpage_login
[*] 192.227.46.3:80       - http://192.227.46.3/ may not support FrontPage Server Extensions
[*] Module auxiliary/scanner/http/host_header_injection
[*] Module auxiliary/scanner/http/options
[+] 192.227.46.3 allows GET,HEAD,POST,OPTIONS methods
[*] Module auxiliary/scanner/http/robots_txt
[*] [192.227.46.3] /robots.txt found
[+] Contents of Robots.txt:
# robots.txt for attackdefense 
User-agent: test                     
# Directories
Allow: /webmail

User-agent: *
# Directories
Disallow: /data
Disallow: /secure

[*] Module auxiliary/scanner/http/scraper
[+] [192.227.46.3] / [Apache2 Ubuntu Default Page: It works]
[*] Module auxiliary/scanner/http/svn_scanner
[*] Using code '404' as not found.
[*] Module auxiliary/scanner/http/trace
[*] Module auxiliary/scanner/http/vhost_scanner
[*] [192.227.46.3] Sending request with random domain SScjw. 
[*] [192.227.46.3] Sending request with random domain OuYZM. 
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Module auxiliary/scanner/http/webdav_scanner
[*] 192.227.46.3 (Apache/2.4.18 (Ubuntu)) WebDAV disabled.
[*] Module auxiliary/scanner/http/webdav_website_content
[*] 
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Path: /
[*] Using code '404' as not found.
[+] Found http://192.227.46.3:80/doc/ 200
[+] Found http://192.227.46.3:80/pro/ 200
[*] Module auxiliary/scanner/http/copy_of_file
[*] Module auxiliary/scanner/http/dir_listing
[*] Path: /
[*] Module auxiliary/scanner/http/dir_scanner
[*] Path: /
[*] Detecting error code
[*] Using code '404' as not found for 192.227.46.3
[+] Found http://192.227.46.3:80/cgi-bin/ 404 (192.227.46.3)
[+] Found http://192.227.46.3:80/data/ 404 (192.227.46.3)
[+] Found http://192.227.46.3:80/doc/ 404 (192.227.46.3)
[+] Found http://192.227.46.3:80/downloads/ 404 (192.227.46.3)
[+] Found http://192.227.46.3:80/icons/ 404 (192.227.46.3)
[+] Found http://192.227.46.3:80/manual/ 404 (192.227.46.3)
[+] Found http://192.227.46.3:80/secure/ 404 (192.227.46.3)
[+] Found http://192.227.46.3:80/users/ 404 (192.227.46.3)
[+] Found http://192.227.46.3:80/uploads/ 404 (192.227.46.3)
[+] Found http://192.227.46.3:80/webadmin/ 404 (192.227.46.3)
[+] Found http://192.227.46.3:80/web_app/ 404 (192.227.46.3)
[+] Found http://192.227.46.3:80/view/ 404 (192.227.46.3)
[+] Found http://192.227.46.3:80/webmail/ 404 (192.227.46.3)
[+] Found http://192.227.46.3:80/webdav/ 404 (192.227.46.3)
[+] Found http://192.227.46.3:80/webdb/ 404 (192.227.46.3)
[+] Found http://192.227.46.3:80/~admin/ 404 (192.227.46.3)
[+] Found http://192.227.46.3:80/~nobody/ 404 (192.227.46.3)
[*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
[*] Path: /
[*] Using code '404' as not found.
[*] Found protected folder http://192.227.46.3:80/secure/ 401 (192.227.46.3)
[*]     Testing for unicode bypass in IIS6 with WebDAV enabled using PROPFIND request.
[*] Found protected folder http://192.227.46.3:80/webdav/ 401 (192.227.46.3)
[*]     Testing for unicode bypass in IIS6 with WebDAV enabled using PROPFIND request.
[*] Module auxiliary/scanner/http/file_same_name_dir
[*] Path: /
[-] Blank or default PATH set.
[*] Module auxiliary/scanner/http/files_dir
[*] Path: /
[*] Using code '404' as not found for files with extension .null
[*] Using code '404' as not found for files with extension .backup
[+] Found http://192.227.46.3:80/file.backup 200
[*] Using code '404' as not found for files with extension .bak
[*] Using code '404' as not found for files with extension .c
[+] Found http://192.227.46.3:80/code.c 404
[*] Using code '404' as not found for files with extension .cfg
[+] Found http://192.227.46.3:80/code.cfg 200
[*] Using code '404' as not found for files with extension .class
[*] Using code '404' as not found for files with extension .copy
[*] Using code '404' as not found for files with extension .conf
[*] Using code '404' as not found for files with extension .exe
[*] Using code '404' as not found for files with extension .html
[+] Found http://192.227.46.3:80/index.html 200
[*] Using code '404' as not found for files with extension .htm
[*] Using code '404' as not found for files with extension .ini
[*] Using code '404' as not found for files with extension .log
[*] Using code '404' as not found for files with extension .old
[*] Using code '404' as not found for files with extension .orig
[*] Using code '404' as not found for files with extension .php
[+] Found http://192.227.46.3:80/test.php 200
[*] Using code '404' as not found for files with extension .tar
[*] Using code '404' as not found for files with extension .tar.gz
[*] Using code '404' as not found for files with extension .tgz
[*] Using code '404' as not found for files with extension .tmp
[*] Using code '404' as not found for files with extension .temp
[*] Using code '404' as not found for files with extension .txt
[*] Using code '404' as not found for files with extension .zip
[*] Using code '404' as not found for files with extension ~
[*] Using code '404' as not found for files with extension 
[+] Found http://192.227.46.3:80/cgi-bin 301
[+] Found http://192.227.46.3:80/data 301
[+] Found http://192.227.46.3:80/doc 301
[+] Found http://192.227.46.3:80/downloads 301
[+] Found http://192.227.46.3:80/manual 301
[+] Found http://192.227.46.3:80/secure 401
[+] Found http://192.227.46.3:80/users 301
[+] Found http://192.227.46.3:80/uploads 301
[+] Found http://192.227.46.3:80/view 301
[+] Found http://192.227.46.3:80/webdav 401
[+] Found http://192.227.46.3:80/webadmin 301
[+] Found http://192.227.46.3:80/webmail 301
[+] Found http://192.227.46.3:80/~mail 403
[+] Found http://192.227.46.3:80/~admin 403
[+] Found http://192.227.46.3:80/~bin 403
[+] Found http://192.227.46.3:80/~sys 403
[*] Using code '404' as not found for files with extension 
[+] Found http://192.227.46.3:80/cgi-bin 301
[+] Found http://192.227.46.3:80/data 301
[+] Found http://192.227.46.3:80/doc 301
[+] Found http://192.227.46.3:80/downloads 301
[+] Found http://192.227.46.3:80/manual 301
[+] Found http://192.227.46.3:80/secure 401
[+] Found http://192.227.46.3:80/uploads 301
[+] Found http://192.227.46.3:80/users 301
[+] Found http://192.227.46.3:80/view 301
[+] Found http://192.227.46.3:80/webadmin 301
[+] Found http://192.227.46.3:80/webdav 401
[+] Found http://192.227.46.3:80/webmail 301
[+] Found http://192.227.46.3:80/~bin 403
[+] Found http://192.227.46.3:80/~admin 403
[+] Found http://192.227.46.3:80/~mail 403
[+] Found http://192.227.46.3:80/~sys 403
[*] Module auxiliary/scanner/http/http_put
[*] Path: /
[-] 192.227.46.3: File doesn't seem to exist. The upload probably failed
[*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
[*] Path: /
[-] 192.227.46.3:80 Folder does not require authentication. [405]
[*] Module auxiliary/scanner/http/prev_dir_same_name_file
[*] Path: /
[-] Blank or default PATH set.
[*] Module auxiliary/scanner/http/replace_ext
[*] Module auxiliary/scanner/http/soap_xml
[*] Path: /
[*] Starting scan with 0ms delay between requests
[*] Server 192.227.46.3:80 returned HTTP 404 for /.  Use a different one.
[*] Module auxiliary/scanner/http/trace_axd
[*] Path: /
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*] 
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*] 
=[ Query testing ]=
============================================================
[*] 
=[ General testing ]=
============================================================
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Launch completed in 260.30396914482117 seconds.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[*] Done.
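The file/dir phase above prints a long run of "[+] Found <url> <code>" lines, and dir_scanner reports paths as "Found" even when the server answered 404, while files_dir prints its list twice. A small triage step over the spooled output makes the real findings (401 and 403 paths, readable backup and config files, directories that answer 200) stand out. The following is an added example written for this page, not part of the original post or of Metasploit; the sample lines are copied from the scan output above, and the grouping rules are this example's own.

```python
"""Triage the "[+] Found <url> <code>" lines that WMAP's file/dir modules print.

Added example; not part of the original post or of Metasploit. The sample
lines below are copied from the wmap_run -e output; the grouping rules
(drop 404, flag 401/403 as present-but-protected, pick out readable
backup/config files) are this example's own.
"""
import re
import sys
from collections import defaultdict
from urllib.parse import urlsplit

FOUND_RE = re.compile(r"^\[\+\] Found (?P<url>\S+) (?P<code>\d{3})")

# Copied from the scan output above (including dir_scanner's 404 "finds" and
# the duplicated files_dir lines) to show what the triage does with them.
SAMPLE_OUTPUT = """\
[+] Found http://192.227.46.3:80/doc/ 200
[+] Found http://192.227.46.3:80/pro/ 200
[+] Found http://192.227.46.3:80/cgi-bin/ 404 (192.227.46.3)
[+] Found http://192.227.46.3:80/data/ 404 (192.227.46.3)
[+] Found http://192.227.46.3:80/secure/ 404 (192.227.46.3)
[+] Found http://192.227.46.3:80/file.backup 200
[+] Found http://192.227.46.3:80/code.c 404
[+] Found http://192.227.46.3:80/code.cfg 200
[+] Found http://192.227.46.3:80/test.php 200
[+] Found http://192.227.46.3:80/data 301
[+] Found http://192.227.46.3:80/secure 401
[+] Found http://192.227.46.3:80/webdav 401
[+] Found http://192.227.46.3:80/~admin 403
[+] Found http://192.227.46.3:80/secure 401
[+] Found http://192.227.46.3:80/webdav 401
"""

BACKUP_EXT = re.compile(r"\.(backup|bak|old|orig|cfg|conf|ini|log)$")
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp")


def parse_found(lines):
    """Yield (path, status) for every Found line; any other line is ignored."""
    for line in lines:
        m = FOUND_RE.match(line.strip())
        if m:
            yield urlsplit(m.group("url")).path, int(m.group("code"))


def triage(lines):
    """Group unique paths by status code, dropping the 404 'finds'."""
    by_status = defaultdict(set)
    for path, status in parse_found(lines):
        if status == 404:
            continue
        by_status[status].add(path)
    return {status: sorted(paths) for status, paths in by_status.items()}


def worth_a_look(lines):
    """Return (path, reason) pairs a tester would follow up by hand."""
    out = []
    for status, paths in sorted(triage(lines).items()):
        for p in paths:
            if status in (401, 403):
                out.append((p, f"{status}: exists but protected; check auth/ACLs"))
            elif status == 301:
                out.append((p, f"301: directory exists (redirects to {p}/)"))
            elif status == 200 and BACKUP_EXT.search(p):
                out.append((p, "200: readable backup/config file"))
            elif status == 200 and p.endswith(SCRIPT_EXT):
                out.append((p, "200: server-side script; inspect"))
            elif status == 200 and p.endswith("/"):
                out.append((p, "200: directory answers; check for listing"))
    return out


if __name__ == "__main__":
    # Usage: python triage.py [spooled-msfconsole-output]; defaults to the sample.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_OUTPUT.splitlines()
    for path, reason in worth_a_look(source):
        print(f"{path:20} {reason}")
```

Run it over a spool file from msfconsole (spool /tmp/wmap.log before wmap_run -e) and the 401 entries for /secure and /webdav, plus /file.backup and /code.cfg, come out on top instead of being buried among the 404 noise.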
msf5 > wmap_vulns -h
[*] Usage: wmap_vulns [options]
        -h              Display this help text
        -l              Display web vulns table
msf5 > wmap_vulns -l
[*] + [192.227.46.3] (192.227.46.3): scraper /
[*]     scraper Scraper
[*]     GET Apache2 Ubuntu Default Page: It works
[*] + [192.227.46.3] (192.227.46.3): directory /pro/
[*]     directory Directory found.
[*]     GET Res code: 200
[*] + [192.227.46.3] (192.227.46.3): directory /cgi-bin/
[*]     directory Directoy found.
[*]     GET Res code: 200
[*] + [192.227.46.3] (192.227.46.3): directory /data/
[*]     directory Directoy found.
[*]     GET Res code: 200
[*] + [192.227.46.3] (192.227.46.3): directory /doc/
[*]     directory Directoy found.
[*]     GET Res code: 200
[*] + [192.227.46.3] (192.227.46.3): directory /downloads/
[*]     directory Directoy found.
[*]     GET Res code: 200
[*] + [192.227.46.3] (192.227.46.3): directory /icons/
[*]     directory Directoy found.
[*]     GET Res code: 403
[*] + [192.227.46.3] (192.227.46.3): directory /manual/
[*]     directory Directoy found.
[*]     GET Res code: 200
[*] + [192.227.46.3] (192.227.46.3): directory /secure/
[*]     directory Directoy found.
[*]     GET Res code: 401
[*] + [192.227.46.3] (192.227.46.3): directory /users/
[*]     directory Directoy found.
[*]     GET Res code: 200
[*] + [192.227.46.3] (192.227.46.3): directory /uploads/
[*]     directory Directoy found.
[*]     GET Res code: 200
[*] + [192.227.46.3] (192.227.46.3): directory /webadmin/
[*]     directory Directoy found.
[*]     GET Res code: 200
[*] + [192.227.46.3] (192.227.46.3): directory /view/
[*]     directory Directoy found.
[*]     GET Res code: 200
[*] + [192.227.46.3] (192.227.46.3): directory /web_app/
[*]     directory Directoy found.
[*]     GET Res code: 200
[*] + [192.227.46.3] (192.227.46.3): directory /webmail/
[*]     directory Directoy found.
[*]     GET Res code: 200
[*] + [192.227.46.3] (192.227.46.3): directory /webdav/
[*]     directory Directoy found.
[*]     GET Res code: 401
[*] + [192.227.46.3] (192.227.46.3): directory /webdb/
[*]     directory Directoy found.
[*]     GET Res code: 200
[*] + [192.227.46.3] (192.227.46.3): directory /~admin/
[*]     directory Directoy found.
[*]     GET Res code: 403
[*] + [192.227.46.3] (192.227.46.3): directory /~nobody/
[*]     directory Directoy found.
[*]     GET Res code: 403
[*] + [192.227.46.3] (192.227.46.3): file /file.backup
[*]     file File found.
[*]     GET Res code: 404
[*] + [192.227.46.3] (192.227.46.3): file /code.c
[*]     file File found.
[*]     GET Res code: 404
[*] + [192.227.46.3] (192.227.46.3): file /code.cfg
[*]     file File found.
[*]     GET Res code: 200
[*] + [192.227.46.3] (192.227.46.3): file /index.html
[*]     file File found.
[*]     GET Res code: 200
[*] + [192.227.46.3] (192.227.46.3): file /test.php
[*]     file File found.
[*]     GET Res code: 404
[*] + [192.227.46.3] (192.227.46.3): file /doc
[*]     file File found.
[*]     GET Res code: 301
[*] + [192.227.46.3] (192.227.46.3): file /manual
[*]     file File found.
[*]     GET Res code: 404
[*] + [192.227.46.3] (192.227.46.3): file /secure
[*]     file File found.
[*]     GET Res code: 404
[*] + [192.227.46.3] (192.227.46.3): file /uploads
[*]     file File found.
[*]     GET Res code: 404
[*] + [192.227.46.3] (192.227.46.3): file /view
[*]     file File found.
[*]     GET Res code: 404
[*] + [192.227.46.3] (192.227.46.3): file /webdav
[*]     file File found.
[*]     GET Res code: 404
[*] + [192.227.46.3] (192.227.46.3): file /webmail
[*]     file File found.
[*]     GET Res code: 404
[*] + [192.227.46.3] (192.227.46.3): file /~mail
[*]     file File found.
[*]     GET Res code: 403
[*] + [192.227.46.3] (192.227.46.3): file /~admin
[*]     file File found.
[*]     GET Res code: 404
[*] + [192.227.46.3] (192.227.46.3): file /cgi-bin
[*]     file File found.
[*]     GET Res code: 404
[*] + [192.227.46.3] (192.227.46.3): file /data
[*]     file File found.
[*]     GET Res code: 301
[*] + [192.227.46.3] (192.227.46.3): file /downloads
[*]     file File found.
[*]     GET Res code: 404
[*] + [192.227.46.3] (192.227.46.3): file /users
[*]     file File found.
[*]     GET Res code: 404
[*] + [192.227.46.3] (192.227.46.3): file /webadmin
[*]     file File found.
[*]     GET Res code: 404
[*] + [192.227.46.3] (192.227.46.3): file /~bin
[*]     file File found.
[*]     GET Res code: 403
[*] + [192.227.46.3] (192.227.46.3): file /~sys
[*]     file File found.
[*]     GET Res code: 404
msf5 > use auxiliary/scanner/http/options
msf5 auxiliary(scanner/http/options) > show options

Module options (auxiliary/scanner/http/options):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.227.46.3     yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

msf5 auxiliary(scanner/http/options) > run

[+] 192.227.46.3 allows GET,HEAD,POST,OPTIONS methods
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/options) > use auxiliary/scanner/http/http_put
msf5 auxiliary(scanner/http/http_put) > show options

Module options (auxiliary/scanner/http/http_put):

   Name      Current Setting        Required  Description
   ----      ---------------        --------  -----------
   ACTION    PUT                    yes       PUT or DELETE
   FILEDATA  msf test file          no        The data to upload into the file
   FILENAME  msf_http_put_test.txt  yes       The file to attempt to write or delete
   PATH      /                      yes       The path to attempt to write or delete
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS    192.227.46.3           yes       The target address range or CIDR identifier
   RPORT     80                     yes       The target port (TCP)
   SSL       false                  no        Negotiate SSL/TLS for outgoing connections
   THREADS   1                      yes       The number of concurrent threads
   VHOST                            no        HTTP server virtual host


Auxiliary action:

   Name  Description
   ----  -----------
   PUT   


msf5 auxiliary(scanner/http/http_put) > run

[-] 192.227.46.3: File doesn't seem to exist. The upload probably failed
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/http_put) > set PATH /data
PATH => /data
msf5 auxiliary(scanner/http/http_put) > run

[+] File uploaded: http://192.227.46.3:80/data/msf_http_put_test.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/http_put) > curl http://192.227.46.3:80/data/msf_http_put_test.txt
[*] exec: curl http://192.227.46.3:80/data/msf_http_put_test.txt

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    13  100    13    0     0  13000      0 --:--:-- --:--:-- --:--:-- 13000
msf test file
msf5 auxiliary(scanner/http/http_put) > set FILEDATA "This does work"
FILEDATA => This does work
msf5 auxiliary(scanner/http/http_put) > set FILENAME this_work.txt
FILENAME => this_work.txt
msf5 auxiliary(scanner/http/http_put) > run

[+] File uploaded: http://192.227.46.3:80/data/this_work.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/http_put) > curl http://192.227.46.3:80/data/this_work.txt
[*] exec: curl http://192.227.46.3:80/data/this_work.txt

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    14  100    14    0     0  14000      0 --:--:-- --:--:-- --:--:-- 14000
This does work