Preface

w3af (web application attack and audit framework)

  • Written in Python
  • Aims to find and exploit all web application vulnerabilities
  • Fairly heavyweight

Functions include:

  • audit: these plugins send specially crafted POC data to the injection points found by the crawl plugins to confirm whether a vulnerability exists.
  • infrastructure: these plugins identify information about the target system, such as an installed WAF, the operating system and the HTTP daemon.
  • grep: these plugins analyse the HTTP requests and responses sent by other plugins and identify vulnerabilities.
  • evasion: modifies the HTTP requests generated by other plugins to bypass simple intrusion-detection rules.
  • mangle: allows requests and responses to be modified based on regular expressions.
  • auth: authentication.
  • bruteforce: brute-force logins during the crawl phase.
  • output: these plugins save plugin data to text, XML or HTML files. Debug information is also sent to the output plugins and can be saved and analysed. If both the text_file and xml_file output plugins are enabled, both will record every vulnerability found by the audit plugins.
  • crawl: obtains new URLs by crawling the site. If the user enables several crawl plugins, a loop is created: plugin A discovers a new URL on its first run and w3af passes it to plugin B; if plugin B finds a new URL, it is passed to plugin A. This continues until every plugin has run and no new information can be found.
  • attack: if an audit plugin finds a vulnerability, the attack plugins exploit it, typically returning a shell on the remote server or, in the case of SQL injection for example, retrieving data from the database.

1. Installation

Installation is described at
https://blog.csdn.net/kevinhanser/article/details/78010003
https://blog.csdn.net/deng_xj/article/details/87753112

2. Basics

The help screen

root@attacker:~# w3af_console
w3af>>> help
|----------------------------------------------------------------------------------------------------
| start             | Start the scan.
| plugins           | Enable and configure plugins.
| exploit           | Exploit the vulnerability.
| profiles          | List and use scan profiles.
| cleanup           | Cleanup before starting a new scan.
|----------------------------------------------------------------------------------------------------
| help              | Display help. Issuing: help [command] , prints more specific help about "command"
| version           | Show w3af version information.
| keys              | Display key shortcuts.
|----------------------------------------------------------------------------------------------------
| http-settings     | Configure the HTTP settings of the framework.
| misc-settings     | Configure w3af misc settings.
| target            | Configure the target URL.
|----------------------------------------------------------------------------------------------------
| back              | Go to the previous menu.
| exit              | Exit w3af.
|----------------------------------------------------------------------------------------------------
| kb                | Browse the vulnerabilities stored in the Knowledge Base
|----------------------------------------------------------------------------------------------------

Plugins

w3af>>> plugins
w3af/plugins>>> help
|----------------------------------------------------------------------------------------------------
| list                         | List available plugins.
|----------------------------------------------------------------------------------------------------
| back                         | Go to the previous menu.
| exit                         | Exit w3af.
|----------------------------------------------------------------------------------------------------
| evasion                      | View, configure and enable evasion plugins
| auth                         | View, configure and enable auth plugins
| grep                         | View, configure and enable grep plugins
| audit                        | View, configure and enable audit plugins
| bruteforce                   | View, configure and enable bruteforce plugins
| output                       | View, configure and enable output plugins
| crawl                        | View, configure and enable crawl plugins
| infrastructure               | View, configure and enable infrastructure plugins
| mangle                       | View, configure and enable mangle plugins
|----------------------------------------------------------------------------------------------------
w3af/plugins>>> list auth
|----------------------------------------------------------------------------------------------------
| Plugin name               | Status  | Conf | Description
|----------------------------------------------------------------------------------------------------
| detailed                  |         | Yes  | Detailed authentication plugin.
| generic                   |         | Yes  | Generic authentication plugin.
|----------------------------------------------------------------------------------------------------
w3af/plugins>>> list audit
|----------------------------------------------------------------------------------------------------
| Plugin name         | Status  | Conf | Description
|----------------------------------------------------------------------------------------------------
| blind_sqli          |         | Yes  | Identify blind SQL injection vulnerabilities.
| buffer_overflow     |         |      | Find buffer overflow vulnerabilities.
| cors_origin         |         | Yes  | Inspect if application checks that the value of the "Origin" HTTP header is consistent
|                     |         |      | with the value of the remote IP address/Host of the sender of the incoming HTTP request.
| csrf                |         |      | Identify Cross-Site Request Forgery vulnerabilities.
| dav                 |         |      | Verify if the WebDAV module is properly configured.
| eval                |         | Yes  | Find insecure eval() usage.
| file_upload         |         | Yes  | Uploads a file and then searches for the file inside all known directories.
| format_string       |         |      | Find format string vulnerabilities.
| frontpage           |         |      | Tries to upload a file using frontpage extensions (author.dll).
| generic             |         | Yes  | Find all kind of bugs without using a fixed error database.
| global_redirect     |         |      | Find scripts that redirect the browser to any site.
| htaccess_methods    |         |      | Find misconfigurations in Apache's "<LIMIT>" configuration.
| ldapi               |         |      | Find LDAP injection bugs.
| lfi                 |         |      | Find local file inclusion vulnerabilities.
| memcachei           |         |      | No description available for this plugin.
| mx_injection        |         |      | Find MX injection vulnerabilities.
| os_commanding       |         |      | Find OS Commanding vulnerabilities.
| phishing_vector     |         |      | Find phishing vectors.
| preg_replace        |         |      | Find unsafe usage of PHPs preg_replace.
| redos               |         |      | Find ReDoS vulnerabilities.
| response_splitting  |         |      | Find response splitting vulnerabilities.
| rfd                 |         |      | Identify reflected file download vulnerabilities.
| rfi                 |         | Yes  | Find remote file inclusion vulnerabilities.
| rosetta_flash       |         |      | Find Rosetta Flash vulnerabilities in JSONP endpoints
| shell_shock         |         |      | Find shell shock vulnerabilities.
| sqli                |         |      | Find SQL injection bugs.
| ssi                 |         |      | Find server side inclusion vulnerabilities.
| ssl_certificate     |         | Yes  | Check the SSL certificate validity (if https is being used).
| un_ssl              |         |      | Find out if secure content can also be fetched using http.
| websocket_hijacking |         |      | Detect Cross-Site WebSocket hijacking vulnerabilities.
| xpath               |         |      | Find XPATH injection vulnerabilities.
| xss                 |         | Yes  | Identify cross site scripting vulnerabilities.
| xst                 |         |      | Find Cross Site Tracing vulnerabilities.
|----------------------------------------------------------------------------------------------------
w3af/plugins>>> audit xss sqli lfi  # enable these three plugin modules
w3af/plugins>>> list audit  # the status of those modules is now Enabled
|----------------------------------------------------------------------------------------------------
| Plugin name         | Status  | Conf | Description
|----------------------------------------------------------------------------------------------------
| blind_sqli          |         | Yes  | Identify blind SQL injection vulnerabilities.
| buffer_overflow     |         |      | Find buffer overflow vulnerabilities.
| cors_origin         |         | Yes  | Inspect if application checks that the value of the "Origin" HTTP header is consistent
|                     |         |      | with the value of the remote IP address/Host of the sender of the incoming HTTP request.
| csrf                |         |      | Identify Cross-Site Request Forgery vulnerabilities.
| dav                 |         |      | Verify if the WebDAV module is properly configured.
| eval                |         | Yes  | Find insecure eval() usage.
| file_upload         |         | Yes  | Uploads a file and then searches for the file inside all known directories.
| format_string       |         |      | Find format string vulnerabilities.
| frontpage           |         |      | Tries to upload a file using frontpage extensions (author.dll).
| generic             |         | Yes  | Find all kind of bugs without using a fixed error database.
| global_redirect     |         |      | Find scripts that redirect the browser to any site.
| htaccess_methods    |         |      | Find misconfigurations in Apache's "<LIMIT>" configuration.
| ldapi               |         |      | Find LDAP injection bugs.
| lfi                 | Enabled |      | Find local file inclusion vulnerabilities.
| memcachei           |         |      | No description available for this plugin.
| mx_injection        |         |      | Find MX injection vulnerabilities.
| os_commanding       |         |      | Find OS Commanding vulnerabilities.
| phishing_vector     |         |      | Find phishing vectors.
| preg_replace        |         |      | Find unsafe usage of PHPs preg_replace.
| redos               |         |      | Find ReDoS vulnerabilities.
| response_splitting  |         |      | Find response splitting vulnerabilities.
| rfd                 |         |      | Identify reflected file download vulnerabilities.
| rfi                 |         | Yes  | Find remote file inclusion vulnerabilities.
| rosetta_flash       |         |      | Find Rosetta Flash vulnerabilities in JSONP endpoints
| shell_shock         |         |      | Find shell shock vulnerabilities.
| sqli                | Enabled |      | Find SQL injection bugs.
| ssi                 |         |      | Find server side inclusion vulnerabilities.
| ssl_certificate     |         | Yes  | Check the SSL certificate validity (if https is being used).
| un_ssl              |         |      | Find out if secure content can also be fetched using http.
| websocket_hijacking |         |      | Detect Cross-Site WebSocket hijacking vulnerabilities.
| xpath               |         |      | Find XPATH injection vulnerabilities.
| xss                 | Enabled | Yes  | Identify cross site scripting vulnerabilities.
| xst                 |         |      | Find Cross Site Tracing vulnerabilities.
|----------------------------------------------------------------------------------------------------
w3af/plugins>>> audit all  # use all audit plugin modules for the scan
w3af/plugins>>> list audit
|----------------------------------------------------------------------------------------------------
| Plugin name         | Status  | Conf | Description
|----------------------------------------------------------------------------------------------------
| blind_sqli          | Enabled | Yes  | Identify blind SQL injection vulnerabilities.
| buffer_overflow     | Enabled |      | Find buffer overflow vulnerabilities.
| cors_origin         | Enabled | Yes  | Inspect if application checks that the value of the "Origin" HTTP header is consistent
|                     |         |      | with the value of the remote IP address/Host of the sender of the incoming HTTP request.
| csrf                | Enabled |      | Identify Cross-Site Request Forgery vulnerabilities.
| dav                 | Enabled |      | Verify if the WebDAV module is properly configured.
| eval                | Enabled | Yes  | Find insecure eval() usage.
| file_upload         | Enabled | Yes  | Uploads a file and then searches for the file inside all known directories.
| format_string       | Enabled |      | Find format string vulnerabilities.
| frontpage           | Enabled |      | Tries to upload a file using frontpage extensions (author.dll).
| generic             | Enabled | Yes  | Find all kind of bugs without using a fixed error database.
| global_redirect     | Enabled |      | Find scripts that redirect the browser to any site.
| htaccess_methods    | Enabled |      | Find misconfigurations in Apache's "<LIMIT>" configuration.
| ldapi               | Enabled |      | Find LDAP injection bugs.
| lfi                 | Enabled |      | Find local file inclusion vulnerabilities.
| memcachei           | Enabled |      | No description available for this plugin.
| mx_injection        | Enabled |      | Find MX injection vulnerabilities.
| os_commanding       | Enabled |      | Find OS Commanding vulnerabilities.
| phishing_vector     | Enabled |      | Find phishing vectors.
| preg_replace        | Enabled |      | Find unsafe usage of PHPs preg_replace.
| redos               | Enabled |      | Find ReDoS vulnerabilities.
| response_splitting  | Enabled |      | Find response splitting vulnerabilities.
| rfd                 | Enabled |      | Identify reflected file download vulnerabilities.
| rfi                 | Enabled | Yes  | Find remote file inclusion vulnerabilities.
| rosetta_flash       | Enabled |      | Find Rosetta Flash vulnerabilities in JSONP endpoints
| shell_shock         | Enabled |      | Find shell shock vulnerabilities.
| sqli                | Enabled |      | Find SQL injection bugs.
| ssi                 | Enabled |      | Find server side inclusion vulnerabilities.
| ssl_certificate     | Enabled | Yes  | Check the SSL certificate validity (if https is being used).
| un_ssl              | Enabled |      | Find out if secure content can also be fetched using http.
| websocket_hijacking | Enabled |      | Detect Cross-Site WebSocket hijacking vulnerabilities.
| xpath               | Enabled |      | Find XPATH injection vulnerabilities.
| xss                 | Enabled | Yes  | Identify cross site scripting vulnerabilities.
| xst                 | Enabled |      | Find Cross Site Tracing vulnerabilities.
|----------------------------------------------------------------------------------------------------
w3af/plugins>>> grep all
w3af/plugins>>> crawl web_spider
w3af/plugins>>> list crawl
|----------------------------------------------------------------------------------------------------
| Plugin name                  | Status  | Conf | Description
|----------------------------------------------------------------------------------------------------
| archive_dot_org              |         | Yes  | Search archive.org to find new pages in the target site.
| bing_spider                  |         | Yes  | Search Bing to get a list of new URLs
| content_negotiation          |         | Yes  | Use content negotiation to find new resources.
| digit_sum                    |         | Yes  | Take an URL with a number (index2.asp) and try to find related
|                              |         |      | files (index1.asp, index3.asp).
| dir_file_bruter              |         | Yes  | Finds Web server directories and files by bruteforcing.
| dot_listing                  |         |      | Search for .listing files and extracts new filenames from it.
| dwsync_xml                   |         |      | Search Dream Waver Sync file (dwsync.xml) and extract referenced files.
| find_backdoors               |         |      | Find web backdoors and web shells.
| find_captchas                |         |      | Identify captcha images on web pages.
| find_dvcs                    |         |      | Search Git, Mercurial (HG), Bazaar (BZR), Subversion (SVN) and CVS repositories
|                              |         |      | and checks for files containing
| genexus_xml                  |         |      | Analyze the execute.xml and DeveloperMenu.xml files and find new URLs
| ghdb                         |         | Yes  | Search Google for vulnerabilities in the target site.
| google_spider                |         | Yes  | Search google using google API to get new URLs
| import_results               |         | Yes  | Import HTTP requests found by output.export_requests and Burp
| oracle_discovery             |         |      | Find Oracle applications on the remote web server.
| phishtank                    |         |      | Search the phishtank.com database to determine if your server is (or was) being
|                              |         |      | used in phishing scams.
| phpinfo                      |         |      | Search PHP Info file and if it finds it will determine the version of PHP.
| pykto                        |         | Yes  | A nikto port to python.
| ria_enumerator               |         | Yes  | Fingerprint Rich Internet Apps - Google Gears Manifest files, Silverlight and
|                              |         |      | Flash.
| robots_txt                   |         |      | Analyze the robots.txt file and find new URLs
| sitemap_xml                  |         |      | Analyze the sitemap.xml file and find new URLs
| spider_man                   |         | Yes  | SpiderMan is a local proxy that will collect new URLs.
| url_fuzzer                   |         | Yes  | Try to find backups, and other related files.
| urllist_txt                  |         |      | Analyze the urllist.txt file and find new URLs
| user_dir                     |         |      | Identify user directories like "http://test/~user/" and infer the remote OS.
| web_diff                     |         | Yes  | Compare a local directory with a remote URL path.
| web_spider                   | Enabled | Yes  | Crawl the web application.
| wordnet                      |         | Yes  | Use the wordnet lexical database to find new URLs.
| wordpress_enumerate_users    |         |      | Finds users in a WordPress installation.
| wordpress_fingerprint        |         |      | Finds the version of a WordPress installation.
| wordpress_fullpathdisclosure |         |      | Try to find the path where the WordPress is installed
| wsdl_finder                  |         |      | Find web service definitions files.
|----------------------------------------------------------------------------------------------------
w3af/plugins>>> back  # once the plugins are chosen, go back to the top-level menu

The profiles module

w3af>>> profiles  # predefined scan profiles
w3af/profiles>>> list  # show the scan profiles currently available
|----------------------------------------------------------------------------------------------------
| Profile               | Description
|----------------------------------------------------------------------------------------------------
| bruteforce            | Bruteforce form or basic authentication access controls using default credentials. To run this profile,
|                       | set the target URL to the resource where the access control is, and then click on Start.
| audit_high_risk       | Perform a scan to only identify the vulnerabilities with higher risk, like SQL Injection, OS Commanding,
|                       | Insecure File Uploads, etc.
| full_audit            | This profile performs a full audit of the target website, using only the web_spider plugin for crawling.
| OWASP_TOP10           | The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on
|                       | improving the security of application software. OWASP searched for and published the ten most common
|                       | security flaws. This profile search for this top 10 security flaws. For more information about the
|                       | security flaws: http://www.owasp.org/index.php/OWASP_Top_Ten_Project .
| fast_scan             | Perform a fast scan of the target site, using only a few discovery plugins and the fastest audit
|                       | plugins.
| empty_profile         | This is an empty profile that you can use to start a new configuration from.
| web_infrastructure    | Use all the available techniques in w3af to fingerprint the remote Web infrastructure.
| full_audit_spider_man | Perform a manual discovery using the spider_man plugin, and afterwards scan the site for any known
|                       | vulnerabilities.
| sitemap               | Use different online techniques to create a fast sitemap of the target web application. This plugin will
|                       | only work if you've got Internet access and the target web application is being spidered by Yahoo!
|----------------------------------------------------------------------------------------------------
w3af/profiles>>> help
|----------------------------------------------------------------------------------------------------------------------------------|
| use               | Use a profile.                                                                                               |
| list              | List available profiles.                                                                                     |
| save_as           | Save the current configuration to a profile.                                                                 |
|----------------------------------------------------------------------------------------------------------------------------------|
| back              | Go to the previous menu.                                                                                     |
| exit              | Exit w3af.                                                                                                   |
|----------------------------------------------------------------------------------------------------------------------------------|
w3af/profiles>>> save_as  # first enable the plugins (grep, crawl, etc.) under plugins, then come back to profiles and save them with save_as

w3af/profiles>>> save_as test01
Parameter missing, please see the help:
Save the current configuration to a profile.
Syntax: save_as PROFILE_NAME
                Example: save_as fast_scan
Example: save_as fast_scan self-contained  # self-contained; avoids some problems
Please note that the save_as command will overwrite existing profiles with the
same name.
When the "self-contained" flag is set the profile will bundle all files referenced
by the plugin configurations. This is useful for sharing custom profiles between
different workstations. Disabled by default.
w3af/profiles>>> use fast_scan
The plugins configured by the scan profile have been enabled, and their options configured.
Please set the target URL(s) and start the scan.
w3af/profiles>>> back

http-settings module

w3af>>> http-settings  # HTTP options used by the scan
w3af/config:http-settings>>> help
|----------------------------------------------------------------------------------------------------------------------------------|
| view       | List the available options and their values.                                                                        |
| set        | Set a parameter value.                                                                                              |
| save       | Save the configured settings.                                                                                       |
|----------------------------------------------------------------------------------------------------------------------------------|
| back       | Go to the previous menu.                                                                                            |
| exit       | Exit w3af.                                                                                                          |
|----------------------------------------------------------------------------------------------------------------------------------|
w3af/config:http-settings>>> view
|--------------------------------------------------------------------------------------------------------------------------------|
| Setting                 | Value    | Modified | Description                                                                    |
|--------------------------------------------------------------------------------------------------------------------------------|
| url_parameter           |          |          | URL parameter (http://host.tld/path;<parameter>)                               |
| timeout                 | 0        |          | HTTP connection timeout                                                        |
| headers_file            |          |          | HTTP headers filename which contains additional headers to be added in each    |
|                         |          |          | request                                                                        |
|--------------------------------------------------------------------------------------------------------------------------------|
| cookie_jar_file         |          |          | Cookie Jar file holding HTTP cookies                                           |
| ignore_session_cookies  | False    |          | Ignore session cookies                                                         |
|--------------------------------------------------------------------------------------------------------------------------------|
| ntlm_auth_url           |          |          | NTLM authentication domain (target domain name)                                |
| ntlm_auth_user          |          |          | NTLM authentication username                                                   |
| ntlm_auth_passwd        |          |          | NTLM authentication password                                                   |
| ntlm_auth_domain        |          |          | NTLM authentication domain (windows domain name)                               |
|--------------------------------------------------------------------------------------------------------------------------------|
| rand_user_agent         | False    |          | Use random User-Agent header                                                   |
| max_file_size           | 400000   |          | Maximum file size                                                              |
| max_http_retries        | 2        |          | Maximum number of HTTP request retries                                         |
| user_agent              | w3af.org |          | User Agent header                                                              |
| max_requests_per_second | 0        |          | Maximum HTTP requests per second                                               |
|--------------------------------------------------------------------------------------------------------------------------------|
| string_match_404        |          |          | Tag HTTP response as 404 if the string is found in it's body                   |
| always_404              |          |          | Comma separated list of URLs which will always be detected as 404 pages        |
| never_404               |          |          | Comma separated list of URLs which will never be detected as 404 pages         |
|--------------------------------------------------------------------------------------------------------------------------------|
| proxy_port              | 8080     |          | Proxy TCP port                                                                 |
| proxy_address           |          |          | Proxy IP address                                                               |
|--------------------------------------------------------------------------------------------------------------------------------|
| basic_auth_user         |          |          | Basic authentication username                                                  |
| basic_auth_passwd       |          |          | Basic authentication password                                                  |
| basic_auth_domain       |          |          | Basic authentication domain                                                    |
|--------------------------------------------------------------------------------------------------------------------------------|
w3af/config:http-settings>>> set rand_user_agent True  # enable a random User-Agent header
w3af/config:http-settings>>> view
|--------------------------------------------------------------------------------------------------------------------------------|
| Setting                 | Value    | Modified | Description                                                                    |
|--------------------------------------------------------------------------------------------------------------------------------|
| url_parameter           |          |          | URL parameter (http://host.tld/path;<parameter>)                               |
| timeout                 | 0        |          | HTTP connection timeout                                                        |
| headers_file            |          |          | HTTP headers filename which contains additional headers to be added in each    |
|                         |          |          | request                                                                        |
|--------------------------------------------------------------------------------------------------------------------------------|
| cookie_jar_file         |          |          | Cookie Jar file holding HTTP cookies                                           |
| ignore_session_cookies  | False    |          | Ignore session cookies                                                         |
|--------------------------------------------------------------------------------------------------------------------------------|
| ntlm_auth_url           |          |          | NTLM authentication domain (target domain name)                                |
| ntlm_auth_user          |          |          | NTLM authentication username                                                   |
| ntlm_auth_passwd        |          |          | NTLM authentication password                                                   |
| ntlm_auth_domain        |          |          | NTLM authentication domain (windows domain name)                               |
|--------------------------------------------------------------------------------------------------------------------------------|
| rand_user_agent         | True     | Yes      | Use random User-Agent header                                                   |
| max_file_size           | 400000   |          | Maximum file size                                                              |
| max_http_retries        | 2        |          | Maximum number of HTTP request retries                                         |
| user_agent              | w3af.org |          | User Agent header                                                              |
| max_requests_per_second | 0        |          | Maximum HTTP requests per second                                               |
|--------------------------------------------------------------------------------------------------------------------------------|
| string_match_404        |          |          | Tag HTTP response as 404 if the string is found in it's body                   |
| always_404              |          |          | Comma separated list of URLs which will always be detected as 404 pages        |
| never_404               |          |          | Comma separated list of URLs which will never be detected as 404 pages         |
|--------------------------------------------------------------------------------------------------------------------------------|
| proxy_port              | 8080     |          | Proxy TCP port                                                                 |
| proxy_address           |          |          | Proxy IP address                                                               |
|--------------------------------------------------------------------------------------------------------------------------------|
| basic_auth_user         |          |          | Basic authentication username                                                  |
| basic_auth_passwd       |          |          | Basic authentication password                                                  |
| basic_auth_domain       |          |          | Basic authentication domain                                                    |
|--------------------------------------------------------------------------------------------------------------------------------|
w3af/config:http-settings>>> back
The configuration has been saved.

misc-settings module

w3af>>> misc-settings  # miscellaneous settings
w3af/config:misc-settings>>> view
|---------------------------------------------------------------------------------------------------------------------------------|
| Setting                 | Value                 | Modified | Description                                                        |
|---------------------------------------------------------------------------------------------------------------------------------|
| msf_location            | /opt/metasploit3/bin/ |          | Full path of Metasploit framework binary directory                 |
|                         |                       |          | (/opt/metasploit3/bin/ in most linux installs)                     |
|---------------------------------------------------------------------------------------------------------------------------------|
| interface               | ppp0                  |          | Local interface name to use when sniffing, doing reverse           |
|                         |                       |          | connections, etc.                                                  |
| local_ip_address        | 10.10.10.128          |          | Local IP address to use when doing reverse connections             |
|---------------------------------------------------------------------------------------------------------------------------------|
| max_discovery_time      | 120                   |          | Maximum crawl time (minutes)                                       |
| stop_on_first_exception | False                 |          | Stop scan after first unhandled exception                          |
|---------------------------------------------------------------------------------------------------------------------------------|
| form_id_action          | exclude               |          | Define the form_id_list filter behaviour                           |
| non_targets             |                       |          | A comma separated list of URLs that w3af should ignore             |
| form_id_list            | []                    |          | Filter forms to scan using form IDs                                |
|---------------------------------------------------------------------------------------------------------------------------------|
| fuzz_url_filenames      | False                 |          | Indicates if w3af plugins will send fuzzed file names in order to  |
|                         |                       |          | find vulnerabilities                                               |
| fuzz_url_parts          | False                 |          | Indicates if w3af plugins will send fuzzed URL parts in order to   |
|                         |                       |          | find vulnerabilities                                               |
| fuzzable_headers        |                       |          | A list with all fuzzable header names                              |
| fuzzed_files_extension  | gif                   |          | Indicates the extension to use when fuzzing file content           |
| form_fuzzing_mode       | tmb                   |          | Indicates what HTML form combo values w3af plugins will use: all,  |
|                         |                       |          | tb, tmb, t, b                                                      |
| fuzz_form_files         | True                  |          | Indicates if w3af plugins will send payloads in the content of     |
|                         |                       |          | multipart/post form files.                                         |
| fuzz_cookies            | False                 |          | Indicates if w3af plugins will use cookies as a fuzzable parameter |
|---------------------------------------------------------------------------------------------------------------------------------|
w3af/config:misc-settings>>> back
The configuration has been saved.

target module

w3af>>> target
w3af/config:target>>> set target http://10.10.10.129
w3af/config:target>>> view
|-----------------------------------------------------------------------------------------------------------------------------------|
| Setting          | Value               | Modified | Description                                                                   |
|-----------------------------------------------------------------------------------------------------------------------------------|
| target_framework | unknown             |          | Target programming framework (unknown/php/asp/asp.net/java/jsp/cfm/ruby/perl) |
| target           | http://10.10.10.129 | Yes      | A comma separated list of URLs                                                |
| target_os        | unknown             |          | Target operating system (unknown/unix/windows)                                |
|-----------------------------------------------------------------------------------------------------------------------------------|
w3af/config:target>>> back
The configuration has been saved.
# configuration done; it can now be saved as a profile
w3af>>> profiles
w3af/profiles>>> save_as test01
Profile saved.
w3af/profiles>>> back 

Scripts

root@attacker:~# cd /usr/local/src/
root@attacker:/usr/local/src# ls
circle.yml  libjavascriptcoregtk-1.0-0_2.4.11-3_amd64.deb  python-support_1.0.15_all.deb    scripts  w3af_api      w3afgui
doc         libwebkitgtk-1.0-0_2.4.11-3_amd64.deb          python-webkit_1.1.8-3_amd64.deb  tools    w3afconsole   w3af_gui
extras      profiles                                       README.md                        w3af     w3af_console  wXf-master
root@attacker:/usr/local/src# cd scripts/
root@attacker:/usr/local/src/scripts# ls
allowed_methods.w3af           file_upload_shell.w3af            profile-fast_scan.w3af
all.w3af                       frontpage_version.w3af            remote_file_include_local_ws.w3af
auth_detailed.w3af             header_fuzzing.w3af               remote_file_include_proxy.w3af
bing_spider.w3af               html_output.w3af                  remote_file_include_shell.w3af
blind_sqli_detection.w3af      list_all_plugins.w3af             remote_file_include_shell-xss.w3af
cookie_fuzzing.w3af            local_file_include-payload.w3af   remote_file_include_w3af_site.w3af
cross_domain.w3af              local_file_include.w3af           spider_man.w3af
csrf.w3af                      login_brute_form_GET.w3af         sqli.w3af
dav_shell.w3af                 login_brute_password_only.w3af    sqlmap_exploit_int.w3af
detect_transparent_proxy.w3af  mangle_request.w3af               targets_from_file.w3af
digit_sum.w3af                 mangle_response.w3af              web_spider-ignore_regex.w3af
eval_shell.w3af                os_commanding-lnx-vdaemon.w3af    web_spider-only_forward.w3af
eval.w3af                      os_commanding-lnx-w3afAgent.w3af  web_spider.w3af
exploit_all.w3af               os_commanding_shell.w3af          xss_simple.w3af
exploit_fast.w3af              os_commanding.w3af                xss_stored.w3af
filename_xss.w3af              php_sca-payload.w3af
root@attacker:/usr/local/src/scripts# cat sqli.w3af
# This is a demo of the attack plugin sql_shell
plugins
output console,text_file
output config text_file
set output_file output-w3af.txt
set verbose True
back
output config console
set verbose False
back
audit sqli
crawl web_spider
crawl config web_spider
set only_forward True
back
grep path_disclosure
back
target
set target http://moth/w3af/audit/sql_injection/select/sql_injection_string.php?name=andres
back
start
bug-report
details 0
back
exit
root@attacker:/usr/local/src# ./w3afconsole -s ./scripts/sqli.w3af
w3af>>> plugins
w3af/plugins>>> output console,text_file
w3af/plugins>>> output config text_file
w3af/plugins/output/config:text_file>>> set output_file output-w3af.txt
w3af/plugins/output/config:text_file>>> set verbose True
w3af/plugins/output/config:text_file>>> back
The configuration has been saved.
w3af/plugins>>> output config console
w3af/plugins/output/config:console>>> set verbose False
w3af/plugins/output/config:console>>> back
The configuration has been saved.
w3af/plugins>>> audit sqli
w3af/plugins>>> crawl web_spider
w3af/plugins>>> crawl config web_spider
w3af/plugins/crawl/config:web_spider>>> set only_forward True
w3af/plugins/crawl/config:web_spider>>> back
The configuration has been saved.
w3af/plugins>>> grep path_disclosure
w3af/plugins>>> back
w3af>>> target
w3af/config:target>>> set target http://moth/w3af/audit/sql_injection/select/sql_injection_string.php?name=andres
w3af/config:target>>> back
The configuration has been saved.
w3af>>> start

3. Authentication

w3af supports the following kinds of authentication credentials, which the user can supply so that the scanner keeps a session open while it scans the target web application:

  • HTTP Basic authentication
  • NTLM authentication
  • Form-based authentication
  • Setting an HTTP cookie

HTTP Basic and NTLM are the two HTTP-level authentication methods, normally provided by the web server.
Form-based and cookie authentication are provided by the application itself.
The user has to work out which authentication method is needed to keep a session with the application.
Usually a quick look at the HTTP traffic shows what is required.

Basic authentication

Open the Add/Remove Programs window (appwiz.cpl)
Install and start the IIS server
Open the IIS server properties
Open Directory Security
Uncheck anonymous access and check Basic authentication
Restart the IIS server
Log in with a local Win2003 account: create the user first, then capture the login traffic
Capture the login with Wireshark to recover the plaintext username and password
The capture contains the base64-encoded credentials (encoded, not encrypted): Authorization: Basic dXNlcjE6MTIzNDU2
Decode dXNlcjE6MTIzNDU2 with w3af

# Verify it
root@kali:~# echo -n "user1:123456" | base64
dXNlcjE6MTIzNDU2

Scan with w3af
Select the w3af plugins:
audit --> buffer_overflow && os_commanding
crawl --> web_spider
grep
Capture the traffic with Wireshark
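To make the `echo | base64` check above concrete, here is an added Python example (not code from the page or from w3af). It parses a captured `Authorization: Basic` header, decodes it, rebuilds it, and scans a handful of constructed request lines for credentials sent in the clear. The point for a defender is that base64 is reversible encoding, so anyone who can read the connection can read the password; Basic authentication is only acceptable inside TLS. The `user1:123456` pair is the page's own value; the other header lines and the `SAMPLE_CAPTURE` list are constructed.

```python
import base64
import binascii

# Constructed sample, matching the header value shown on the page
# (user1:123456 -> dXNlcjE6MTIzNDU2).
SAMPLE_HEADER = "Authorization: Basic dXNlcjE6MTIzNDU2"

# Constructed capture: request lines as an HTTP-aware log or proxy might record them.
SAMPLE_CAPTURE = [
    "GET /secure/ HTTP/1.1",
    "Host: 10.10.10.129",
    "Authorization: Basic dXNlcjE6MTIzNDU2",
    "User-Agent: w3af.org",
    "Authorization: Bearer not-a-basic-credential",
]


def decode_basic_authorization(header_line):
    """Parse one 'Authorization: Basic <base64>' line and return (user, password).

    Returns None for anything that is not a well-formed Basic credential
    (other schemes, invalid base64, no ':' separator after decoding).
    """
    name, sep, value = header_line.partition(":")
    if not sep or name.strip().lower() != "authorization":
        return None
    parts = value.split()
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True)
        text = raw.decode("utf-8")          # UnicodeDecodeError is a ValueError
    except (binascii.Error, ValueError):
        return None
    # RFC 7617: user-id ":" password; the user-id may not contain ':'
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def encode_basic_authorization(user, password):
    """Rebuild the header value: the same transformation as `echo -n user:pass | base64`."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def find_basic_credentials(lines):
    """Return every Basic credential that appears in the clear in captured request lines.

    Running this over a capture of your own application's traffic is a quick way
    to confirm that Basic credentials never travel outside a TLS-protected connection.
    """
    found = []
    for line in lines:
        creds = decode_basic_authorization(line)
        if creds is not None:
            found.append(creds)
    return found


if __name__ == "__main__":
    print(decode_basic_authorization(SAMPLE_HEADER))
    print(find_basic_credentials(SAMPLE_CAPTURE))
```

`validate=True` makes the decoder reject characters outside the base64 alphabet instead of silently skipping them, so a corrupted or truncated header is reported as "not a credential" rather than as a garbage username.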

Windows integrated authentication

When Windows is not joined to a domain, it uses Integrated Windows Authentication by default.
How Integrated Windows Authentication works:
the server first sends a random number (a challenge) and the client encrypts it;
when the server receives the ciphertext and decrypts it, it checks whether the random number matches.

Configure authentication on Win2003:
Right-click the default website --> Properties --> uncheck anonymous access and check Integrated Windows authentication --> restart the site
Configure the w3af scan options
Select the w3af plugins:
audit --> buffer_overflow && os_commanding
crawl --> web_spider
infrastructure
Capture the traffic with Wireshark
A successful authentication returns 200 OK
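The challenge-response exchange described above, as an added Python illustration (not code from the page, and not the real NTLM protocol: NTLM's message formats and hashing are different). It keeps the three steps the text describes, a random challenge from the server, a client answer derived from the challenge and the password, and a server-side comparison, using an HMAC-SHA256 keyed with a SHA-256 digest of the password as the stand-in for "encrypting the random number". The user store and the `user1`/`123456` credential are constructed. Compare this with Basic authentication: here only the challenge and the MAC cross the wire, and a captured answer is useless against the next challenge.

```python
import hashlib
import hmac
import os

# Constructed user store: the server keeps a password-derived verifier, never the
# password itself. (Assumption for this illustration; real NTLM stores an NT hash.)
USER_VERIFIERS = {
    "user1": hashlib.sha256(b"123456").digest(),
}


def server_challenge():
    """Step 1: the server issues a fresh random challenge (the 'random number')."""
    return os.urandom(16)


def client_response(password, challenge):
    """Step 2: the client proves it knows the password by keying a MAC over the
    challenge. Only the MAC crosses the wire; the password never does."""
    key = hashlib.sha256(password.encode("utf-8")).digest()
    return hmac.new(key, challenge, hashlib.sha256).digest()


def server_verify(username, challenge, response):
    """Step 3: the server recomputes the expected answer from its stored verifier
    and compares in constant time."""
    key = USER_VERIFIERS.get(username)
    if key is None:
        return False
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def run_exchange(username, password):
    """Run one full exchange. Returns (authenticated, wire) where `wire` lists the
    bytes that actually crossed the network, so a capture can be inspected."""
    challenge = server_challenge()
    response = client_response(password, challenge)
    ok = server_verify(username, challenge, response)
    wire = [("server->client", challenge), ("client->server", response)]
    return ok, wire


def password_on_wire(wire, password):
    """True if the plaintext password appears in any captured message."""
    needle = password.encode("utf-8")
    return any(needle in msg for _, msg in wire)


if __name__ == "__main__":
    ok, wire = run_exchange("user1", "123456")
    print("authenticated:", ok)
    for direction, msg in wire:
        print(direction, msg.hex())
    print("password visible in capture:", password_on_wire(wire, "123456"))
```

The replay check in the test is the property that matters operationally: an answer computed for one challenge does not verify against a fresh one, which is why the server must generate a new random challenge per login and never reuse one.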

Form-based authentication

Configure w3af
Inspect the form fields
Select the w3af plugins:
audit --> sqli
auth --> detailed
crawl --> web_spider (only_forward)

# only_forward: only scan the specified subdirectory on this target
# only_forward: only scan specific pages, etc.

Capture the traffic

HTTP cookie

  • two-factor authentication
  • anti-CSRF tokens
  • w3af only accepts a cookie file in a strict format (a Python requirement)

    The cookie file format requirements are as above
    Save the cookie file
    Explanation of each cookie field:
    Configure the scan plugins
    audit --> sqli, xss
    crawl --> web_spider (only_forward)
# only_forward: only scan the specified subdirectory on this target
# only_forward: only scan specific pages, etc.
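The "strict format (a Python requirement)" above is, to my understanding, the Netscape `cookies.txt` format that Python's `http.cookiejar.MozillaCookieJar` loads, which is what the `cookie_jar_file` setting in `http-settings` consumes; treat that mapping as an assumption. The following added Python example (not from the page or from w3af) writes such a file, loads it back the way the standard library does, and shows the two failure modes that most often leave a scan running unauthenticated: a file without the magic header (or in browser `name=value` style) is rejected outright, and an expired cookie is silently dropped. The target IP and session value are constructed.

```python
import http.cookiejar
import os
import tempfile
import time

MAGIC_HEADER = "# Netscape HTTP Cookie File"


def write_cookie_file(path, cookies):
    """Write cookies in Netscape cookies.txt format.

    `cookies` is a list of (domain, path, secure, expires, name, value).
    Each data line has seven tab-separated columns: domain, domain_specified
    (TRUE exactly when the domain starts with a dot), path, secure, expires
    (Unix time), name, value.
    """
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(MAGIC_HEADER + "\n")  # the loader refuses files without this first line
        for domain, cpath, secure, expires, name, value in cookies:
            domain_specified = "TRUE" if domain.startswith(".") else "FALSE"
            fields = [domain, domain_specified, cpath,
                      "TRUE" if secure else "FALSE", str(int(expires)), name, value]
            fh.write("\t".join(fields) + "\n")


def load_cookie_file(path):
    """Load the file as MozillaCookieJar does and return {name: value}.

    Raises http.cookiejar.LoadError when the file is not in the expected format.
    Expired cookies are dropped without any error.
    """
    jar = http.cookiejar.MozillaCookieJar(path)
    jar.load(ignore_discard=True, ignore_expires=False)
    return {c.name: c.value for c in jar}


def demo():
    """Write one valid and one invalid file.

    Returns (loaded_cookies, invalid_rejected, expired_dropped).
    """
    workdir = tempfile.mkdtemp()
    now = int(time.time())
    # Constructed values: lab target IP and a made-up session id.
    good = os.path.join(workdir, "cookies.txt")
    write_cookie_file(good, [
        ("10.10.10.129", "/", False, now + 3600, "PHPSESSID", "constructed0session0id"),
        ("10.10.10.129", "/", False, now - 3600, "oldcookie", "already-expired"),
    ])
    loaded = load_cookie_file(good)

    # Browser-style 'name=value' text is not the format: no magic header, no tab columns.
    bad = os.path.join(workdir, "bad.txt")
    with open(bad, "w", encoding="utf-8") as fh:
        fh.write("PHPSESSID=constructed0session0id\n")
    try:
        load_cookie_file(bad)
        rejected = False
    except http.cookiejar.LoadError:
        rejected = True
    return loaded, rejected, "oldcookie" not in loaded


if __name__ == "__main__":
    print(demo())
```

Before pointing a scanner at a cookie file, run it through `load_cookie_file` first: a `LoadError` or a missing session cookie in the returned dict explains an unauthenticated scan far faster than reading the scanner's output does.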

Conclusion

w3af is a very comprehensive tool.
Installation has a few problems; refer to the two articles linked at the start.
Once installed there is also a GUI.
You can explore it yourself.

Kali Linux study notes (41): Web penetration, scanning tools: w3af, 2020.3.18
