HacKerQWQ's Blog

Notes on Using Open-Source Web Application Scanners

Word count: 1.6k | Reading time: 8 min
2020/11/09

w3af

Introduction

It feels rather retro from the first touch: the runtime is Python 2, and many packages that have already been deprecated still have to be installed. Docker can be used instead, and Docker is a good thing. The framework has three main plugin types: crawl, audit and attack.

crawl

The classic example is a web spider: it simply crawls URLs in a loop.

audit

Translated, this means auditing: the URLs handed over by crawl are tested, for example by appending ?id=1' to the URL.

attack

Uses the vulnerabilities found by audit to go further, e.g. to get a shell back from the remote server, or something else.

Other plugins

  • Infrastructure

    Identifies system information such as the WAF, operating system and HTTP daemon

  • grep

    Analyses the HTTP traffic produced by the other plugins and looks for specific strings such as "passwd"

  • output

    Sets the output parameters

Mangle

Modifies requests and responses with regular expressions

bruteforce

Brute-forces any login forms found by crawl

Evasion

Modifies the requests plugins send in order to evade simple intrusion-detection rules

Scan configuration

After crawl and audit, the vulnerabilities and other information are stored in the knowledge base, and attack is then used to exploit them.

Configuration recommended by the official site

  • crawl: web_spider
  • audit: Enable all
  • grep: Enable all

Usage

Launch

./w3af_console

starts the w3af console

./w3af_gui

starts the w3af graphical interface

Commands

  • help: list the available commands
  • view: browse the options
  • set: set a parameter
  • back: return to the previous menu

w3af>>> help
|---------------------------------------------------------------------------------------------------------------------------|
| start | Start the scan. |
| plugins | Enable and configure plugins. |
| exploit | Exploit the vulnerability. |
| profiles | List and use scan profiles. |
| cleanup | Cleanup before starting a new scan. |
|---------------------------------------------------------------------------------------------------------------------------|
| help | Display help. Issuing: help [command] , prints more specific help about "command" |
| version | Show w3af version information. |
| keys | Display key shortcuts. |
|---------------------------------------------------------------------------------------------------------------------------|
| http-settings | Configure the HTTP settings of the framework. |
| misc-settings | Configure w3af misc settings. |
| target | Configure the target URL. |
|---------------------------------------------------------------------------------------------------------------------------|
| back | Go to the previous menu. |
| exit | Exit w3af. |
|---------------------------------------------------------------------------------------------------------------------------|
| kb | Browse the vulnerabilities stored in the Knowledge Base |
|---------------------------------------------------------------------------------------------------------------------------|

These are the commands available in the plugins menu:

w3af/plugins>>> help
|---------------------------------------------------------------------------------------------------------------------------|
| list | List available plugins. |
|---------------------------------------------------------------------------------------------------------------------------|
| back | Go to the previous menu. |
| exit | Exit w3af. |
|---------------------------------------------------------------------------------------------------------------------------|
| grep | View, configure and enable grep plugins |
| evasion | View, configure and enable evasion plugins |
| audit | View, configure and enable audit plugins |
| auth | View, configure and enable auth plugins |
| mangle | View, configure and enable mangle plugins |
| crawl | View, configure and enable crawl plugins |
| infrastructure | View, configure and enable infrastructure plugins |
| bruteforce | View, configure and enable bruteforce plugins |
| output | View, configure and enable output plugins |
|---------------------------------------------------------------------------------------------------------------------------|

Use audit to list the individual audit plugins:

w3af/plugins>>> audit
|--------------------------------------------------------------------------------------------------------------------------|
| Plugin name | Status | Conf | Description |
|--------------------------------------------------------------------------------------------------------------------------|
| blind_sqli | | Yes | Identify blind SQL injection vulnerabilities. |
| buffer_overflow | | | Find buffer overflow vulnerabilities. |
| cors_origin | | Yes | Inspect if application checks that the value of the "Origin" HTTP header |
| | | | isconsistent with the value of the remote IP address/Host of the sender ofthe |
| | | | incoming HTTP request. |
| csrf | | | Identify Cross-Site Request Forgery vulnerabilities. |
| dav | | | Verify if the WebDAV module is properly configured. |
| deserialization | | | Identify deserialization vulnerabilities. |
| eval | | Yes | Find insecure eval() usage. |
| file_upload | | Yes | Uploads a file and then searches for the file inside all known directories. |
| format_string | | | Find format string vulnerabilities. |
| frontpage | | | Tries to upload a file using frontpage extensions (author.dll). |
| generic | | Yes | Find all kind of bugs without using a fixed error database. |
| global_redirect | | | Find scripts that redirect the browser to any site. |
| htaccess_methods | | | Find misconfigurations in Apache's "<LIMIT>" configuration. |
| ldapi | | | Find LDAP injection bugs. |
| lfi | | | Find local file inclusion vulnerabilities. |
| memcachei | | | No description available for this plugin. |
| mx_injection | | | Find MX injection vulnerabilities. |
| os_commanding | | | Find OS Commanding vulnerabilities. |
| phishing_vector | | | Find phishing vectors. |
| preg_replace | | | Find unsafe usage of PHPs preg_replace. |
| redos | | | Find ReDoS vulnerabilities. |
| response_splitting | | | Find response splitting vulnerabilities. |
| rfd | | | Identify reflected file download vulnerabilities. |
| rfi | | Yes | Find remote file inclusion vulnerabilities. |
| rosetta_flash | | | Find Rosetta Flash vulnerabilities in JSONP endpoints |
| shell_shock | | | Find shell shock vulnerabilities. |
| sqli | | | Find SQL injection bugs. |
| ssi | | | Find server side inclusion vulnerabilities. |
| ssl_certificate | | Yes | Check the SSL certificate validity (if https is being used). |
| un_ssl | | | Find out if secure content can also be fetched using http. |
| websocket_hijacking | | | Detect Cross-Site WebSocket hijacking vulnerabilities. |
| xpath | | | Find XPATH injection vulnerabilities. |
| xss | | Yes | Identify cross site scripting vulnerabilities. |
| xst | | | Find Cross Site Tracing vulnerabilities. |
| xxe | | | Find XXE vulnerabilities. |
|--------------------------------------------------------------------------------------------------------------------------|

audit sqli,xss enables those two plugins:

w3af/plugins>>> audit sqli,xss    
w3af/plugins>>> audit
|--------------------------------------------------------------------------------------------------------------------------|
| Plugin name | Status | Conf | Description |
|--------------------------------------------------------------------------------------------------------------------------|
| blind_sqli | | Yes | Identify blind SQL injection vulnerabilities. |
| buffer_overflow | | | Find buffer overflow vulnerabilities. |
| cors_origin | | Yes | Inspect if application checks that the value of the "Origin" HTTP header |
| | | | isconsistent with the value of the remote IP address/Host of the sender ofthe |
| | | | incoming HTTP request. |
| csrf | | | Identify Cross-Site Request Forgery vulnerabilities. |
| dav | | | Verify if the WebDAV module is properly configured. |
| deserialization | | | Identify deserialization vulnerabilities. |
| eval | | Yes | Find insecure eval() usage. |
| file_upload | | Yes | Uploads a file and then searches for the file inside all known directories. |
| format_string | | | Find format string vulnerabilities. |
| frontpage | | | Tries to upload a file using frontpage extensions (author.dll). |
| generic | | Yes | Find all kind of bugs without using a fixed error database. |
| global_redirect | | | Find scripts that redirect the browser to any site. |
| htaccess_methods | | | Find misconfigurations in Apache's "<LIMIT>" configuration. |
| ldapi | | | Find LDAP injection bugs. |
| lfi | | | Find local file inclusion vulnerabilities. |
| memcachei | | | No description available for this plugin. |
| mx_injection | | | Find MX injection vulnerabilities. |
| os_commanding | | | Find OS Commanding vulnerabilities. |
| phishing_vector | | | Find phishing vectors. |
| preg_replace | | | Find unsafe usage of PHPs preg_replace. |
| redos | | | Find ReDoS vulnerabilities. |
| response_splitting | | | Find response splitting vulnerabilities. |
| rfd | | | Identify reflected file download vulnerabilities. |
| rfi | | Yes | Find remote file inclusion vulnerabilities. |
| rosetta_flash | | | Find Rosetta Flash vulnerabilities in JSONP endpoints |
| shell_shock | | | Find shell shock vulnerabilities. |
| sqli | Enabled | | Find SQL injection bugs. |
| ssi | | | Find server side inclusion vulnerabilities. |
| ssl_certificate | | Yes | Check the SSL certificate validity (if https is being used). |
| un_ssl | | | Find out if secure content can also be fetched using http. |
| websocket_hijacking | | | Detect Cross-Site WebSocket hijacking vulnerabilities. |
| xpath | | | Find XPATH injection vulnerabilities. |
| xss | Enabled | Yes | Identify cross site scripting vulnerabilities. |
| xst | | | Find Cross Site Tracing vulnerabilities. |
| xxe | | | Find XXE vulnerabilities. |
|--------------------------------------------------------------------------------------------------------------------------|

Use help audit to see the full syntax:

w3af/plugins>>> help audit 
View, configure and enable audit plugins
Syntax: audit [config plugin | plugin1[,plugin2 ... pluginN] | desc plugin]
Example1: audit
Result: All enabled audit plugins are listed.

Example2: audit blind_sqli,buffer_overflow
Result: blind_sqli and buffer_overflow are configured to run

Example3: audit config blind_sqli
Result: Enters to the plugin configuration menu.

Example4: audit all,!buffer_overflow
Result: All audit plugins are configured to run except buffer_overflow.

Example5: audit desc blind_sqli
Result: You will get the plugin description.

Example6: audit blind_sqli,buffer_overflow
audit !blind_sqli
Result: blind_sqli is disabled in the second command, only buffer_overflow will run.

The most common task is configuring a specific plugin, e.g. audit config blind_sqli (the first attempt below misspells the plugin name and is rejected):

w3af/plugins>>> audit config build_sqli
Unknown plugin: 'build_sqli'
w3af/plugins>>> audit config blind_sqli
w3af/plugins/audit/config:blind_sqli>>> help
|---------------------------------------------------------------------------------------------------------------------------|
| view | List the available options and their values. |
| set | Set a parameter value. |
| save | Save the configured settings. |
|---------------------------------------------------------------------------------------------------------------------------|
| back | Go to the previous menu. |
| exit | Exit w3af. |
|---------------------------------------------------------------------------------------------------------------------------|
w3af/plugins/audit/config:blind_sqli>>> view
|--------------------------------------------------------------------------------------------------------------------------|
| Setting | Value | Modified | Description |
|--------------------------------------------------------------------------------------------------------------------------|
| eq_limit | 0.9 | | String equal ratio (0.0 to 1.0) |
|--------------------------------------------------------------------------------------------------------------------------|

The settings can also be saved as a profile:

w3af>>> profiles
w3af/profiles>>> save_as tutorial
Profile saved

Next time, just load it directly:

w3af>>> profiles
w3af/profiles>>> use fast_scan
The plugins configured by the scan profile have been enabled, and their options configured.
Please set the target URL(s) and start the scan.
w3af/profiles>>>

Set a target URL and the scan is ready to start:

w3af>>> target
w3af/config:target>>> set target http://localhost/
w3af/config:target>>> back
w3af>>>
w3af>>> start

Automating with scripts

A script file can be run with the -s parameter, one console command per line. An example script:

plugins
output text_file
output config text_file
set output_file output-w3af.txt
set verbose True
back
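As an added example (not from the original post and not one of w3af's own scripts), here is a complete script that combines the output settings above with the plugin set recommended in the scan configuration section, so the whole scan runs unattended; the target http://localhost/ and the file name scan.w3af are assumptions.

```text
plugins
output text_file
output config text_file
set output_file output-w3af.txt
set verbose True
back
crawl web_spider
audit all
grep all
back
target
set target http://localhost/
back
start
exit
```

Save it as scan.w3af and run ./w3af_console -s scan.w3af; the findings are written to output-w3af.txt, and each menu is left with back before the next one is entered, exactly as in the interactive session above.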

Ready-made scripts can also be found under scripts/.

Impressions

The reports are quite detailed, with a risk summary, description, remediation advice and CVE identifiers. Apart from the setup being a bit of a hassle (Docker helps), there is nothing to complain about: it is easy to operate, the design is much like Metasploit's, modular. A good piece of software.
