Friday, November 12, 2010

Metasploit's new HTTP fuzzer

In a blog post, I noticed that Metasploit has a new HTTP fuzzer:

http://www.corelan.be:8800/index.php/2010/11/12/metasploit-module-http-form-field-fuzzer/

One thing that really stood out on that post was:
While this type of fuzzing/audits most likely won’t reveal bugs in the most common webserver platforms themselves (Apache, IIS, etc), I am convinced that there are a lot of other web server components out there that may not properly validate input from form fields or header fields.
So, I thought to myself, what embedded system do I have.... My router. And lo and behold (after a little bit of work to figure out the timing):


msf auxiliary(http_form_field) > set url /cgi-bin/XXXX
url => http://192.168.1.1/cgi-bin/XXXX
msf auxiliary(http_form_field) > set rhost 192.168.1.1
rhost => 192.168.1.1
msf auxiliary(http_form_field) > set vhost 192.168.1.1
vhost => 192.168.1.1
msf auxiliary(http_form_field) > set rport 80
rport => 80
msf auxiliary(http_form_field) > set delay .1
delay => .1
msf auxiliary(http_form_field) > run


[*] [+] Grabbing webpage /cgi-bin/XXXX from 192.168.1.1
[*] [+] Code : 200
[*] [+] Enumerating form data
[*]     Number of forms : 1
[*]     - Enumerating form #1
[*]       Field : username, type text
[*]       Field : password, type password
[*]       Field : , type submit
[*]       Field : , type reset
[*]       Nr of fields in form 'noname_1' : 2
[*]     Forms : 
[*]      - Name : noname_1, ID : noname_1, Action : /cgi-bin/XXXX, Method : post
[*] [+] Fuzzing fields in form NONAME_1
[*]     - Fuzzing field username
[*] [+] Done fuzzing fields in form NONAME_1
[*] [+] Fuzzing header fields
[*]     - Fuzzing header 'method' (1/12)
[-]       [-] No response - 1 / 2 - fuzzdata length : 1000
[-]       [-] No response - 2 / 2 - fuzzdata length : 2000
[*]       *!* No response : header method | fuzzdata length : 2000
[*]     - Fuzzing header 'User-Agent' (2/12)
[-]       [-] No response - 1 / 2 - fuzzdata length : 1000
[-]       [-] No response - 2 / 2 - fuzzdata length : 2000
[*]       *!* No response : header User-Agent | fuzzdata length : 2000
[*]     - Fuzzing header 'Content-Type' (3/12)
[-]       [-] No response - 1 / 2 - fuzzdata length : 1000
[-]       [-] No response - 2 / 2 - fuzzdata length : 2000
[*]       *!* No response : header Content-Type | fuzzdata length : 2000
[*]     - Fuzzing header 'Content-Length' (4/12)
[-]       [-] No response - 1 / 2 - fuzzdata length : 1000
[-]       [-] No response - 2 / 2 - fuzzdata length : 2000
[*]       *!* No response : header Content-Length | fuzzdata length : 2000
[*]     - Fuzzing header 'Accept-Encoding' (5/12)
[-]       [-] No response - 1 / 2 - fuzzdata length : 1000
[-]       [-] No response - 2 / 2 - fuzzdata length : 2000
[*]       *!* No response : header Accept-Encoding | fuzzdata length : 2000
[*]     - Fuzzing header 'Referer' (6/12)
[-]       [-] No response - 1 / 2 - fuzzdata length : 1000
[-]       [-] No response - 2 / 2 - fuzzdata length : 2000
[*]       *!* No response : header Referer | fuzzdata length : 2000
[*]     - Fuzzing header 'Keep-Alive' (7/12)
[-]       [-] No response - 1 / 2 - fuzzdata length : 1000
[-]       [-] No response - 2 / 2 - fuzzdata length : 2000
[*]       *!* No response : header Keep-Alive | fuzzdata length : 2000
[*]     - Fuzzing header 'Accept' (8/12)
[-]       [-] No response - 1 / 2 - fuzzdata length : 1000
[-]       [-] No response - 2 / 2 - fuzzdata length : 2000
[*]       *!* No response : header Accept | fuzzdata length : 2000
^C[-] Auxiliary interrupted by the console user
[*] Auxiliary module execution completed


First try... Web server is not responding.
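A small triage helper for this kind of run, added here as an example (it is not part of the post or of the Metasploit module): it parses the module's console lines and separates the first payload that got no answer from the later "No response" entries, which, as in the run above, tell you nothing new if the server never came back up. The sample log is a trimmed copy of the output above.

```python
import re

# Constructed sample: a trimmed copy of the http_form_field console output
# quoted above (same line format, only the first two headers kept).
SAMPLE_LOG = """\
[*] [+] Fuzzing fields in form NONAME_1
[*]     - Fuzzing field username
[*] [+] Done fuzzing fields in form NONAME_1
[*] [+] Fuzzing header fields
[*]     - Fuzzing header 'method' (1/12)
[-]       [-] No response - 1 / 2 - fuzzdata length : 1000
[-]       [-] No response - 2 / 2 - fuzzdata length : 2000
[*]       *!* No response : header method | fuzzdata length : 2000
[*]     - Fuzzing header 'User-Agent' (2/12)
[-]       [-] No response - 1 / 2 - fuzzdata length : 1000
[-]       [-] No response - 2 / 2 - fuzzdata length : 2000
[*]       *!* No response : header User-Agent | fuzzdata length : 2000
"""

# "- Fuzzing field username" or "- Fuzzing header 'method' (1/12)"
TARGET_RE = re.compile(r"- Fuzzing (field|header) '?([^'\s(]+)'?")
# "No response - 1 / 2 - fuzzdata length : 1000"
NORESP_RE = re.compile(r"No response - (\d+) / (\d+) - fuzzdata length : (\d+)")

def triage(log):
    """Group the module's 'No response' events by fuzzed target.

    Returns a dict with:
      'first'      - (kind, name, length) of the first payload that got no reply
      'carry_over' - later targets that were silent at every attempt; if the
                     server never recovered these carry no new information
      'clean'      - targets that answered every attempt
    """
    events, attempts, order, current = {}, {}, [], None
    for line in log.splitlines():
        m = TARGET_RE.search(line)
        if m:
            current = (m.group(1), m.group(2))
            order.append(current)
            events[current], attempts[current] = [], 0
            continue
        m = NORESP_RE.search(line)
        if m and current is not None:
            events[current].append(int(m.group(3)))
            attempts[current] = int(m.group(2))   # "n" in "i / n"
    first, carry_over, clean = None, [], []
    for target in order:
        lengths = events[target]
        if not lengths:
            clean.append(target)
        elif first is None:
            first = (*target, min(lengths))       # shortest silent payload
        elif len(lengths) == attempts[target]:
            carry_over.append(target)
    return {"first": first, "carry_over": carry_over, "clean": clean}
```

Run against the full log above, every header after 'method' lands in carry_over, so the only data point worth reproducing by hand is the first oversized request method.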
