Black Hat EU: Web Application Payloads - Andres Riancho

photo Eurofighter Typhoon Payload - A CC NC ND image from Stuart R Brown's Flickr stream
This talk focuses on the w3af project, which has been Andres's project for a long time but is open source. It can be found at

Andres starts by giving an overview of w3af.

He then goes into a scenario that is common in a pentest. It starts with a pentester discovering an arbitrary file read vulnerability in a PHP application, but how do you proceed from there to getting root? There appears to be a shocking lack of post-exploitation tools that can be applied to web application vulnerabilities.

Why is there such a lack of post-exploitation tools for web applications?
  • Buffer overflows used to be more common than web application flaws
  • Web applications only allow you to interact with the system in a specific (restricted) manner

Post-exploitation of web applications requires a new mindset, because you are often restricted to one or a few functions, e.g. reading files with restricted privileges or writing files to specific areas.

Andres shows us what a payload in w3af looks like. He shows the following process:
  1. Start a w3af scan
  2. Identify an arbitrary file read vulnerability
  3. Execute the “users” payload, which reads /etc/passwd and parses it.
  4. Show the results

w3af has payloads for showing the users on the system, the open TCP connections and interesting files on the system. The interesting files payload tries to find interesting files in a lot of different places, including all user home directories.
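From the defender's side, payloads like these leave a recognizable trace: one client using the same file-read parameter to fetch many local system files in a short time. The following is an added example, not code from the talk or from w3af, that flags such sweeps in a web access log. The `view.php` script, the `page` parameter, the log lines and the `/proc/` prefix (where Linux exposes TCP connection tables) are assumptions made for illustration.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log (combined format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:01:02 +0000] "GET /view.php?page=about.html HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:01:09 +0000] "GET /view.php?page=../../../../etc/passwd HTTP/1.1" 200 1843
203.0.113.7 - - [01/Jan/2024:10:01:10 +0000] "GET /view.php?page=%2Fhome%2Falice%2Fnotes.txt HTTP/1.1" 200 0
203.0.113.7 - - [01/Jan/2024:10:01:10 +0000] "GET /view.php?page=/home/bob/notes.txt HTTP/1.1" 200 230
203.0.113.7 - - [01/Jan/2024:10:01:11 +0000] "GET /view.php?page=/proc/net/tcp HTTP/1.1" 200 900
198.51.100.4 - - [01/Jan/2024:10:02:00 +0000] "GET /view.php?page=/etc/passwd-policy.html HTTP/1.1" 200 700
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
SENSITIVE_EXACT = {"/etc/passwd"}
# Assumption: home directories (named in the talk) plus /proc/ for connection tables.
SENSITIVE_PREFIXES = ("/home/", "/proc/")

def resolve_local_path(value):
    """Normalize a parameter value to an absolute path; None if it is not path-like."""
    if not (value.startswith("/") or ".." in value.split("/")):
        return None
    return posixpath.normpath("/" + value.lstrip("/"))

def find_file_read_sweeps(log_text, threshold=3):
    """Map client -> sorted sensitive paths, for clients with >= threshold distinct paths."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        for _name, value in parse_qsl(urlsplit(target).query):  # parse_qsl URL-decodes
            path = resolve_local_path(value)
            if path and (path in SENSITIVE_EXACT or path.startswith(SENSITIVE_PREFIXES)):
                hits[client].add(path)
    return {c: sorted(p) for c, p in hits.items() if len(p) >= threshold}

if __name__ == "__main__":
    for client, paths in find_file_read_sweeps(SAMPLE_LOG).items():
        print(client, paths)
```

Paths are normalized before matching, so traversal sequences and percent-encoding do not hide the target, while a lookalike such as `/etc/passwd-policy.html` is not flagged.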

There is logic in payloads as well, based on the information obtained during the scan phase. An example of this is the get_source_code payload, which behaves differently on Windows and Unix-based systems. This payload makes it really simple to obtain the full source code from a web server.

O.K., so now we have the source code. Now what? We have built a PoC PHP static code analyzer and integrated it with w3af. We can now use w3af to discover even more vulnerabilities. For example, code analysis will show an SQLi vulnerability that will lead to arbitrary file write.

Andres then showed us that this is not just theory, but demoed it too.

Bear in mind that the current SCA in w3af is at proof-of-concept level only. There are many things still missing from it. If you feel like contributing, please contact Andres.

If you can use the exec() function, there are many more cool things to do. w3af can then integrate with the Metasploit framework to execute msf payloads (like meterpreter). This function was also demoed.

Andrés Riancho is an information security researcher, Director of Web security at Rapid7 and founder of Bonsai, where he is mainly involved in Penetration Testing and Vulnerability Research. In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS, and contributed to SAP research performed at his former employer. His main focus has always been the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants. Andres has spoken and held trainings at many security conferences around the globe, like OWASP World C0n (USA), CanSecWest (Canada), T2 (Finland) and ekoparty (Buenos Aires).

