Some time ago I found a very interesting website – www.bitnami.com – where you can find (mostly) pre-installed webapps. I thought it would be an ideal environment for my testing purposes. The only change I made after the OS started was switching display_errors in php.ini from Off to On.
(For the later exploitation it is not really needed. I changed it only to spot SQL bugs more easily during blackbox testing.)
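The display_errors flip above is fine in a throwaway lab VM, but the same setting on a production host hands anyone who triggers an error the query text and file paths that make SQL bugs easy to spot. As an added example (not code from the post), here is a small audit that finds the active display_errors directive in php.ini-style text, reports whether it would show errors to clients, and emits a hardened copy; the sample ini is constructed.

```python
"""Audit php.ini for display_errors (added example, not from the post)."""
import re

# Values PHP treats as enabling display_errors (case-insensitive).  "stdout"
# and "stderr" also emit errors, just to a chosen stream, so they count too.
_ON_VALUES = {"on", "1", "true", "yes", "stdout", "stderr"}

_SETTING_RE = re.compile(r"^\s*display_errors\s*=\s*(.*?)\s*$", re.IGNORECASE)


def _normalize(raw):
    """Drop an inline ';' comment and optional quotes from an ini value."""
    value = raw.split(";", 1)[0].strip()
    return value.strip('"').strip("'").lower()


def find_display_errors(ini_text):
    """Return (line_number, value) for the last active display_errors line,
    or None if the directive is absent (PHP then uses its built-in default)."""
    found = None
    for lineno, line in enumerate(ini_text.splitlines(), start=1):
        if line.lstrip().startswith(";"):
            continue  # commented-out directive, ignored by PHP
        m = _SETTING_RE.match(line)
        if m:
            found = (lineno, _normalize(m.group(1)))  # last one wins, as in PHP
    return found


def display_errors_is_unsafe(ini_text):
    """True when the effective display_errors value would show errors to clients."""
    hit = find_display_errors(ini_text)
    return hit is not None and hit[1] in _ON_VALUES


def harden(ini_text):
    """Copy of the ini text with every active display_errors forced to Off;
    if the directive is missing, an explicit 'display_errors = Off' is appended."""
    out = []
    seen = False
    for line in ini_text.splitlines():
        if not line.lstrip().startswith(";") and _SETTING_RE.match(line):
            out.append("display_errors = Off")
            seen = True
        else:
            out.append(line)
    if not seen:
        out.append("display_errors = Off")
    return "\n".join(out) + "\n"


# Constructed sample: the lab setting described in the post, with a
# commented-out 'Off' line above it to show that only the active line counts.
SAMPLE_LAB_INI = """\
[PHP]
; display_errors = Off
display_errors = On   ; switched on for SQL-bug hunting
log_errors = On
"""

if __name__ == "__main__":
    hit = find_display_errors(SAMPLE_LAB_INI)
    print("display_errors found on line", hit[0], "with value", hit[1])
    print("unsafe for production:", display_errors_is_unsafe(SAMPLE_LAB_INI))
    print(harden(SAMPLE_LAB_INI))
```

Run it against a real php.ini by reading the file into a string; the check only looks at the active (uncommented) directive, which is what PHP itself honours.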
As an example we will grab two webapps from Bitnami: the latest DokuWiki and the latest Concrete5 CMS. When your app is ready to run, start the OS (I used VirtualBox). You will find the default credentials on Bitnami’s website.
As you will shortly see, there is no problem in ‘coding an exploit’ (or using/rewriting an existing one ;]) that works ‘for unauthenticated users’. In our examples, we will achieve both ‘ways’ to a shell assuming we already know the admin’s password.
Our DokuWiki is now ready:
Concrete5 seems to be ready too:
eternal-blue paper’. The idea for creating Napalm was similar to the ‘framework’ created by the NSA (and Metasploit… and grabash ;P): „point&click to get the shell”. I decided to prepare my own ‘super cool framework’, and that’s how Napalm started to live. ;)
Let’s get to work:
As you can see we have a small menu with a few options: list (to check the available modules/sploits), use (to use one of them) and info (to get some details about the bug we would like to „use”). In the listing below you will see some already prepared proof-of-concepts (as well as some code skeletons started some time ago), but for our purposes we will use only two of them: dokuwiki.py and concrete5_shellup.py.
Let's check it out:
https://www.exploit-db.com/exploits/36575/: you need a vulnerable webapp, credentials and a link to your shellIn.zip to grab. Results?
So far so good. :] Now let’s prepare Napalm to exploit the latest (8.1.0) Concrete5 CMS. Info about the module:
Let’s get our shell:
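Both modules end the same way: an admin-level upload leaves a PHP file inside the webapp’s directory tree, and requesting that file gives the shell. From the defender’s side, a baseline inventory of the web root that is re-checked after any change makes that last step visible. The following is an added example, not code from the post or from Napalm; the watched extension directories and the sample tree are assumptions constructed for the demo, so point build_inventory at a real DocumentRoot to use it on a live install.

```python
"""Detect newly dropped PHP files under a web root (added example)."""
import hashlib
import os
import tempfile

PHP_EXTENSIONS = (".php", ".phtml", ".phar")
# Assumed extension directories where an uploaded plugin/package would land;
# adjust to the layout of the webapp you actually run.
WATCHED_PREFIXES = ("lib/plugins/", "packages/")


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_inventory(root):
    """Map every PHP file below root (relative, '/'-separated) to its SHA-256."""
    inventory = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PHP_EXTENSIONS):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                inventory[rel] = _sha256(full)
    return inventory


def diff_inventory(baseline, current):
    """Split two inventories into added, removed and modified paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def suspicious_additions(changes, prefixes=WATCHED_PREFIXES):
    """Added PHP files inside the extension directories: the upload-to-shell signature."""
    return [p for p in changes["added"] if p.startswith(prefixes)]


def _write(root, rel, text):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)


def demo():
    """Constructed walk-through in a temp dir: baseline, simulate an upload, diff."""
    root = tempfile.mkdtemp(prefix="webroot-")
    _write(root, "index.php", "<?php echo 'front controller';\n")
    _write(root, "lib/plugins/good/action.php", "<?php // legitimate plugin\n")
    baseline = build_inventory(root)

    # Simulate the end state the post's modules produce: a new PHP file appears
    # under the plugin tree; for contrast, a core file is also edited in place.
    _write(root, "lib/plugins/dropped/x.php", "<?php // file added after baseline\n")
    _write(root, "index.php", "<?php echo 'front controller, edited';\n")

    changes = diff_inventory(baseline, build_inventory(root))
    return {"changes": changes, "suspicious": suspicious_additions(changes)}


if __name__ == "__main__":
    result = demo()
    for kind, paths in result["changes"].items():
        print(f"{kind}: {paths}")
    print("suspicious additions:", result["suspicious"])
```

Store the baseline somewhere the web server account cannot write to, and re-run the diff on a schedule or after every administrative change; an unexpected entry in the added list under an extension directory is exactly what the two modules above leave behind.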
(If you want a copy: mail me for the password to the zip file. You will need it.)
As you can see, coding ‘your own exploitation framework’ is not so hard today. If you want, feel free to extend Napalm’s code and (re)write your own „module”. ;)