Here we will show how to use the SimpleHttp.groovy toolkit to help us run the Metasploit exploit for CVE-2014-3704. First, let's look at our target CVE:
Drupal is a package that provides a content-management framework over an HTTP service. An attacker can use the target CVE, which leverages SQL injection, to create an account with administrator privileges and do whatever he or she wants.
The exploit code in Metasploit is called Drupal HTTP Parameter Key/Value SQL Injection. When you read the code, you can observe that the actions below are taken to exploit the target server:
Toolkit Usage
In its current version, SimpleHttp.groovy should be used under the MSFConsoleATF framework. We will develop the HTTP handlers for each CVE in a single .groovy file and store it under path
Start Http Service At Exploitable Target
Please enter
Run CVE-2014-6271 Through Metasploit
Now let's move to Kali Linux. Type "msfconsole" in the terminal to enter the MSF interface:
Let's search for our target CVE:
Next step is to use this exploit:
Let's check how to use this exploit:
Here we have to set RHOST to the IP of the host running the fake HTTP service and run the exploit:
Let's go back to the fake HTTP server console, which has recorded all of the attacking behavior:
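Once requests have been recorded, they can be reviewed for the indicator this CVE leaves behind: CVE-2014-3704 is reached through crafted array keys in request parameters, so a form key whose array subscript is not a plain token stands out. The Python sketch below is an added example, not part of the original post or of SimpleHttp.groovy; the record shape, the function names and the sample requests are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl

# A legitimate array subscript in a form key is empty, an integer or a plain
# identifier: tags[], tags[1], opt[color].
SAFE_SUBSCRIPT = re.compile(r"^[A-Za-z0-9_\-]*$")
SUBSCRIPT = re.compile(r"\[([^\]]*)\]")


def suspicious_keys(body):
    """Return decoded parameter keys whose array subscript is not a plain token."""
    hits = []
    for key, _value in parse_qsl(body, keep_blank_values=True):
        if "[" not in key:
            continue
        subs = SUBSCRIPT.findall(key)
        unbalanced = key.count("[") != key.count("]")
        # Spaces, semicolons or comment markers inside a subscript are the signal.
        if unbalanced or any(not SAFE_SUBSCRIPT.match(s) for s in subs):
            hits.append(key)
    return hits


# Constructed sample records. The (source, path, body) shape is an assumption,
# not the log format of SimpleHttp.groovy; addresses are documentation ranges.
RECORDED = [
    ("192.0.2.10", "/", "name=alice&pass=secret"),
    ("192.0.2.66", "/",
     "name%5B0%20%3B%20CONSTRUCTED-SQL%20--%20%5D=a&name%5B0%5D=b&pass=c"),
    ("192.0.2.11", "/", "tags%5B%5D=a&tags%5B1%5D=b&opt%5Bcolor%5D=red"),
]


def review(records):
    """Return (source, path, flagged_keys) for each record with a suspicious key."""
    return [(src, path, keys) for src, path, body in records
            if (keys := suspicious_keys(body))]


if __name__ == "__main__":
    for src, path, keys in review(RECORDED):
        print(f"{src} {path} suspicious keys: {keys}")
```

The same check works on web server or WAF logs that capture POST bodies, since it inspects only the decoded parameter keys.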
Supplement
* [Toolkit] Simple Web Service - SimpleHttp.groovy