Web渗透-扫描工具之w3af
前言
w3af (web application attack and audit framework)
基于python开发
发现和利用所有web应用程序漏洞
比较重量级
功能有:
audit(审计):该类插件会向Crawl插件爬取出的注入点发送特制的POC数据以确认漏洞是否存在。
infrastructure(基础):这类插件用来标识有关目标系统的信息,如安装的WAF,操作系统和HTTP守护进程等。
grep(检索):这类插件会分析其他插件发送的HTTP请求和相应并识别漏洞。
evasion(绕过):通过修改由其他插件生成的HTTP请求来绕过简单的入侵检测规则。
mangle:允许修改基于正则表达式的请求和响应
auth:身份认证
Mangle:允许修改基于正则表达式的请求和响应。
bruteforce:在爬取阶段进行暴力登陆
output(输出):这类插件会将插件的数据保存到文本,xml或者是html文件中。调试的信息也会发送到输出Output插件并可保存和分析。如果启用了text_file和xml_file这两个Output插件,则这两个都会记录有Audit插件发现的任何漏洞。
crawl(爬取):通过爬取网站站点来获得新的URL地址。如果用户启用了Crawl类型的多个插件,此时将产生一个循环:A插件在第一次运行时发现了一个新的url,w3af会将其发送到插件B。如果插件B发现一个新的url则会发送到插件A。这个过程持续进行直到所有插件都已运行且无法找到更多的新信息。
Attack(攻击):如果Audit插件发现了漏洞,Attack将会进行攻击和利用,通常会在远程服务器上返回一个shell或者比如SQL注入则会获取数据库的数据。
1、安装
安装可参考
https://blog.csdn.net/kevinhanser/article/details/78010003
https://blog.csdn.net/deng_xj/article/details/87753112
2、基础
help帮助界面
root@attacker:~# w3afconsolew3af>>> help|----------------------------------------------------------------------------------------------------------------------------------|| start | Start the scan. || plugins | Enable and configure plugins. || exploit | Exploit the vulnerability. || profiles | List and use scan profiles. || cleanup | Cleanup before starting a new scan. || ------------------------------------------------- -------------------------------------------------- ------------------------------- || help | Display help. Issuing: help [command] , prints more specific help about "command" || version | Show w3af version information. || keys | Display key shortcuts. ||----------------------------------------------------------------------------------------------------------------------------------|| http-settings | Configure the HTTP settings of the framework. || misc-settings | Configure w3af misc settings. || target | Configure the target URL. ||----------------------------------------------------------------------------------------------------------------------------------|| back | Go to the previous menu. || exit | Exit w3af. ||----------------------------------------------------------------------------------------------------------------------------------|| kb | Browse the vulnerabilities stored in the Knowledge Base ||----------------------------------------------------------------------------------------------------------------------------------|
plugins 插件
w3af>>> pluginsw3af/plugins>>> help|-----------------------------------------------------------------------------------------------------------------------------------|| list | List available plugins. || ------------------------------------------------- -------------------------------------------------- -------------------------------- || 返回| 转到上一个菜单。|| 退出| 退出w3af。|| ------------------------------------------------- -------------------------------------------------- -------------------------------- || 回避| 查看,配置和启用evasion插件|| auth | View, configure and enable auth plugins || grep | View, configure and enable grep plugins || audit | View, configure and enable audit plugins || bruteforce | View, configure and enable bruteforce plugins || output | View, configure and enable output plugins || crawl | View, configure and enable crawl plugins || infrastructure | View, configure and enable infrastructure plugins || mangle | View, configure and enable mangle plugins ||-----------------------------------------------------------------------------------------------------------------------------------|w3af/plugins>>> list auth|---------------------------------------------------------------------------------------------------------------------------------|| Plugin name | Status | Conf | Description ||---------------------------------------------------------------------------------------------------------------------------------|| detailed | | Yes | Detailed authentication plugin. || generic | | Yes | Generic authentication plugin. ||---------------------------------------------------------------------------------------------------------------------------------|w3af/plugins>>> list audit|---------------------------------------------------------------------------------------------------------------------------------|| Plugin name | Status | Conf | Description ||---------------------------------------------------------------------------------------------------------------------------------|| blind_sqli | | Yes | Identify blind SQL injection vulnerabilities. || buffer_overflow | | | Find buffer overflow vulnerabilities. || cors_origin | | Yes | Inspect if application checks that the value of the "Origin" HTTP header isconsistent || | | | with the value of the remote IP address/Host of the sender ofthe incoming HTTP request. || csrf | | | Identify Cross-Site Request Forgery vulnerabilities. || dav | | | Verify if the WebDAV module is properly configured. || eval | | Yes | Find insecure eval() usage. || file_upload | | Yes | Uploads a file and then searches for the file inside all known directories. || format_string | | | Find format string vulnerabilities. || frontpage | | | Tries to upload a file using frontpage extensions (author.dll). || generic | | Yes | Find all kind of bugs without using a fixed error database. || global_redirect | | | Find scripts that redirect the browser to any site. || htaccess_methods | | | Find misconfigurations in Apache's "<LIMIT>" configuration. || ldapi | | | Find LDAP injection bugs. || lfi | | | Find local file inclusion vulnerabilities. || memcachei | | | No description available for this plugin. || mx_injection | | | Find MX injection vulnerabilities. || os_commanding | | | Find OS Commanding vulnerabilities. || phishing_vector | | | Find phishing vectors. || preg_replace | | | Find unsafe usage of PHPs preg_replace. || redos | | | Find ReDoS vulnerabilities. || response_splitting | | | Find response splitting vulnerabilities. || rfd | | | Identify reflected file download vulnerabilities. || rfi | | Yes | Find remote file inclusion vulnerabilities. || rosetta_flash | | | Find Rosetta Flash vulnerabilities in JSONP endpoints || shell_shock | | | Find shell shock vulnerabilities. || sqli | | | Find SQL injection bugs. || ssi | | | Find server side inclusion vulnerabilities. || ssl_certificate | | Yes | Check the SSL certificate validity (if https is being used). || un_ssl | | | Find out if secure content can also be fetched using http. || websocket_hijacking | | | Detect Cross-Site WebSocket hijacking vulnerabilities. || xpath | | | Find XPATH injection vulnerabilities. || xss | | Yes | Identify cross site scripting vulnerabilities. || xst | | | Find Cross Site Tracing vulnerabilities. ||---------------------------------------------------------------------------------------------------------------------------------|w3af/plugins>>> audit xss sqli lfi #开启使用三个插件模块w3af/plugins>>> list audit #这时候的插件模块状态变为 enabled|----------------------------------------------------------------------------------------------------------------------------------|| Plugin name | Status | Conf | Description ||----------------------------------------------------------------------------------------------------------------------------------|| blind_sqli | | Yes | Identify blind SQL injection vulnerabilities. || buffer_overflow | | | Find buffer overflow vulnerabilities. || cors_origin | | Yes | Inspect if application checks that the value of the "Origin" HTTP header isconsistent || | | | with the value of the remote IP address/Host of the sender ofthe incoming HTTP request. || csrf | | | Identify Cross-Site Request Forgery vulnerabilities. || dav | | | Verify if the WebDAV module is properly configured. || eval | | Yes | Find insecure eval() usage. || file_upload | | Yes | Uploads a file and then searches for the file inside all known directories. || format_string | | | Find format string vulnerabilities. || frontpage | | | Tries to upload a file using frontpage extensions (author.dll). || generic | | Yes | Find all kind of bugs without using a fixed error database. || global_redirect | | | Find scripts that redirect the browser to any site. || htaccess_methods | | | Find misconfigurations in Apache's "<LIMIT>" configuration. || ldapi | | | Find LDAP injection bugs. || lfi | Enabled | | Find local file inclusion vulnerabilities. || memcachei | | | No description available for this plugin. || mx_injection | | | Find MX injection vulnerabilities. || os_commanding | | | Find OS Commanding vulnerabilities. || phishing_vector | | | Find phishing vectors. || preg_replace | | | Find unsafe usage of PHPs preg_replace. || redos | | | Find ReDoS vulnerabilities. || response_splitting | | | Find response splitting vulnerabilities. || rfd | | | Identify reflected file download vulnerabilities. || rfi | | Yes | Find remote file inclusion vulnerabilities. || rosetta_flash | | | Find Rosetta Flash vulnerabilities in JSONP endpoints || shell_shock | | | Find shell shock vulnerabilities. || sqli | Enabled | | Find SQL injection bugs. || ssi | | | Find server side inclusion vulnerabilities. || ssl_certificate | | Yes | Check the SSL certificate validity (if https is being used). || un_ssl | | | Find out if secure content can also be fetched using http. || websocket_hijacking | | | Detect Cross-Site WebSocket hijacking vulnerabilities. || xpath | | | Find XPATH injection vulnerabilities. || xss | Enabled | Yes | Identify cross site scripting vulnerabilities. || xst | | | Find Cross Site Tracing vulnerabilities. ||----------------------------------------------------------------------------------------------------------------------------------|w3af/plugins>>> audit all #扫描所有插件模块w3af/plugins>>> list audit|----------------------------------------------------------------------------------------------------------------------------------|| Plugin name | Status | Conf | Description ||----------------------------------------------------------------------------------------------------------------------------------|| blind_sqli | Enabled | Yes | Identify blind SQL injection vulnerabilities. || buffer_overflow | Enabled | | Find buffer overflow vulnerabilities. || cors_origin | Enabled | Yes | Inspect if application checks that the value of the "Origin" HTTP header isconsistent || | | | with the value of the remote IP address/Host of the sender ofthe incoming HTTP request. || csrf | Enabled | | Identify Cross-Site Request Forgery vulnerabilities. || dav | Enabled | | Verify if the WebDAV module is properly configured. || eval | Enabled | Yes | Find insecure eval() usage. || file_upload | Enabled | Yes | Uploads a file and then searches for the file inside all known directories. || format_string | Enabled | | Find format string vulnerabilities. || frontpage | Enabled | | Tries to upload a file using frontpage extensions (author.dll). || generic | Enabled | Yes | Find all kind of bugs without using a fixed error database. || global_redirect | Enabled | | Find scripts that redirect the browser to any site. || htaccess_methods | Enabled | | Find misconfigurations in Apache's "<LIMIT>" configuration. || ldapi | Enabled | | Find LDAP injection bugs. || lfi | Enabled | | Find local file inclusion vulnerabilities. || memcachei | Enabled | | No description available for this plugin. || mx_injection | Enabled | | Find MX injection vulnerabilities. || os_commanding | Enabled | | Find OS Commanding vulnerabilities. || phishing_vector | Enabled | | Find phishing vectors. || preg_replace | Enabled | | Find unsafe usage of PHPs preg_replace. || redos | Enabled | | Find ReDoS vulnerabilities. || response_splitting | Enabled | | Find response splitting vulnerabilities. || rfd | Enabled | | Identify reflected file download vulnerabilities. || rfi | Enabled | Yes | Find remote file inclusion vulnerabilities. || rosetta_flash | Enabled | | Find Rosetta Flash vulnerabilities in JSONP endpoints || shell_shock | Enabled | | Find shell shock vulnerabilities. || sqli | Enabled | | Find SQL injection bugs. || ssi | Enabled | | Find server side inclusion vulnerabilities. || ssl_certificate | Enabled | Yes | Check the SSL certificate validity (if https is being used). || un_ssl | Enabled | | Find out if secure content can also be fetched using http. || websocket_hijacking | Enabled | | Detect Cross-Site WebSocket hijacking vulnerabilities. || xpath | Enabled | | Find XPATH injection vulnerabilities. || xss | Enabled | Yes | Identify cross site scripting vulnerabilities. || xst | Enabled | | Find Cross Site Tracing vulnerabilities. ||----------------------------------------------------------------------------------------------------------------------------------|w3af/plugins>>> grep allw3af/plugins>>> crawl web_spiderw3af/plugins>>> list crawl|---------------------------------------------------------------------------------------------------------------------------------|| Plugin name | Status | Conf | Description ||---------------------------------------------------------------------------------------------------------------------------------|| archive_dot_org | | Yes | Search archive.org to find new pages in the target site. || bing_spider | | Yes | Search Bing to get a list of new URLs || content_negotiation | | Yes | Use content negotiation to find new resources. || digit_sum | | Yes | Take an URL with a number (index2.asp) and try to find related || | | | files(index1.asp, index3.asp). || dir_file_bruter | | Yes | Finds Web server directories and files by bruteforcing. || dot_listing | | | Search for .listing files and extracts new filenames from it. || dwsync_xml | | | Search Dream Waver Sync file (dwsync.xml) and extract referenced files. || find_backdoors | | | Find web backdoors and web shells. || find_captchas | | | Identify captcha images on web pages. || find_dvcs | | | Search Git, Mercurial (HG), Bazaar (BZR), Subversion (SVN) and CVSrepositories || | | | and checks for files containing || genexus_xml | | | Analyze the execute.xml and DeveloperMenu.xml files and find new URLs || ghdb | | Yes | Search Google for vulnerabilities in the target site. || google_spider | | Yes | Search google using google API to get new URLs || import_results | | Yes | Import HTTP requests found by output.export_requests and Burp || oracle_discovery | | | Find Oracle applications on the remote web server. || phishtank | | | Search the phishtank.com database to determine if your server is (or was)being || | | | used in phishing scams. || phpinfo | | | Search PHP Info file and if it finds it will determine the version of PHP. || pykto | | Yes | A nikto port to python. || ria_enumerator | | Yes | Fingerprint Rich Internet Apps - Google Gears Manifest files, Silverlight and || | | | Flash. || robots_txt | | | Analyze the robots.txt file and find new URLs || sitemap_xml | | | Analyze the sitemap.xml file and find new URLs || spider_man | | Yes | SpiderMan is a local proxy that will collect new URLs. || url_fuzzer | | Yes | Try to find backups, and other related files. || urllist_txt | | | Analyze the urllist.txt file and find new URLs || user_dir | | | Identify user directories like "http://test/~user/" and infer the remote OS. || web_diff | | Yes | Compare a local directory with a remote URL path. || web_spider | Enabled | Yes | Crawl the web application. || wordnet | | Yes | Use the wordnet lexical database to find new URLs. || wordpress_enumerate_users | | | Finds users in a WordPress installation. || wordpress_fingerprint | | | Finds the version of a WordPress installation. || wordpress_fullpathdisclosure | | | Try to find the path where the WordPress is installed || wsdl_finder | | | Find web service definitions files. ||---------------------------------------------------------------------------------------------------------------------------------|w3af/plugins>>> back #插件选好之后,回到第一级目录
profile模块
w3af>>> help|----------------------------------------------------------------------------------------------------------------------------------|| start | Start the scan. || plugins | Enable and configure plugins. || exploit | Exploit the vulnerability. || profiles | List and use scan profiles. || cleanup | Cleanup before starting a new scan. ||----------------------------------------------------------------------------------------------------------------------------------|| help | Display help. Issuing: help [command] , prints more specific help about "command" || version | Show w3af version information. || keys | Display key shortcuts. ||----------------------------------------------------------------------------------------------------------------------------------|| http-settings | Configure the HTTP settings of the framework. || misc-settings | Configure w3af misc settings. || target | Configure the target URL. ||----------------------------------------------------------------------------------------------------------------------------------|| back | Go to the previous menu. || exit | Exit w3af. ||----------------------------------------------------------------------------------------------------------------------------------|| kb | Browse the vulnerabilities stored in the Knowledge Base ||----------------------------------------------------------------------------------------------------------------------------------|w3af>>> profiles #预定义扫描文件w3af/profiles>>> list #显示当前可用扫描配置文件|----------------------------------------------------------------------------------------------------------------------------------|| Profile | Description ||----------------------------------------------------------------------------------------------------------------------------------|| bruteforce | Bruteforce form or basic authentication access controls using default credentials. To run this profile, || | set the target URL to the resource where the access control is, and then click on Start. || audit_high_risk | Perform a scan to only identify the vulnerabilities with higher risk, like SQL Injection, OS Commanding, || | Insecure File Uploads, etc. || full_audit | This profile performs a full audit of the target website, using only the web_spider plugin for crawling. || OWASP_TOP10 | The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on || | improving the security of application software. OWASP searched for and published the ten most common || | security flaws. This profile search for this top 10 security flaws. For more information about the || | security flaws: http://www.owasp.org/index.php/OWASP_Top_Ten_Project . || fast_scan | Perform a fast scan of the target site, using only a few discovery plugins and the fastest audit || | plugins. || empty_profile | This is an empty profile that you can use to start a new configuration from. || web_infrastructure | Use all the available techniques in w3af to fingerprint the remote Web infrastructure. || full_audit_spider_man | Perform a manual discovery using the spider_man plugin, and afterwards scan the site for any known || | vulnerabilities. || sitemap | Use different online techniques to create a fast sitemap of the target web application. This plugin will || | only work if you've got Internet access and the target web application is being spidered by Yahoo! ||----------------------------------------------------------------------------------------------------------------------------------|w3af/profiles>>> help|----------------------------------------------------------------------------------------------------------------------------------|| use | Use a profile. || list | List available profiles. || save_as | Save the current configuration to a profile. ||----------------------------------------------------------------------------------------------------------------------------------|| back | Go to the previous menu. || exit | Exit w3af. ||----------------------------------------------------------------------------------------------------------------------------------|w3af/profiles>>> save_as #先选择 plugin ,然后选择 grep、crawl等,然后在 profiles 里面 save_as 保存
例
w3af/profiles>>> save_as test01Parameter missing, please see the help:Save the current configuration to a profile.Syntax: save_as PROFILE_NAMEExample: save_as fast_scanExample: save_as fast_scan self-contained #独立的,能避免一些问题Please note that the save_as command will overwrite existing profiles with thesame name.When the "self-contained" flag is set the profile will bundle all files referencedby the plugin configurations. This is useful for sharing custom profiles betweendifferent workstations. Disabled by default.w3af/profiles>>> use fast_scanThe plugins configured by the scan profile have been enabled, and their options configured.Please set the target URL(s) and start the scan.w3af/profiles>>> back
help-setting模块
w3af>>> help|----------------------------------------------------------------------------------------------------------------------------------|| start | Start the scan. || plugins | Enable and configure plugins. || exploit | Exploit the vulnerability. || profiles | List and use scan profiles. || cleanup | Cleanup before starting a new scan. ||----------------------------------------------------------------------------------------------------------------------------------|| help | Display help. Issuing: help [command] , prints more specific help about "command" || version | Show w3af version information. || keys | Display key shortcuts. ||----------------------------------------------------------------------------------------------------------------------------------|| http-settings | Configure the HTTP settings of the framework. || misc-settings | Configure w3af misc settings. || target | Configure the target URL. ||----------------------------------------------------------------------------------------------------------------------------------|| back | Go to the previous menu. || exit | Exit w3af. ||----------------------------------------------------------------------------------------------------------------------------------|| kb | Browse the vulnerabilities stored in the Knowledge Base ||----------------------------------------------------------------------------------------------------------------------------------|w3af>>> http-settings #扫描 http 的配置选项w3af/config:http-settings>>> help|----------------------------------------------------------------------------------------------------------------------------------|| view | List the available options and their values. || set | Set a parameter value. || save | Save the configured settings. ||----------------------------------------------------------------------------------------------------------------------------------|| back | Go to the previous menu. || exit | Exit w3af. ||----------------------------------------------------------------------------------------------------------------------------------|w3af/config:http-settings>>> view|--------------------------------------------------------------------------------------------------------------------------------|| Setting | Value | Modified | Description ||--------------------------------------------------------------------------------------------------------------------------------|| url_parameter | | | URL parameter (http://host.tld/path;<parameter>) || timeout | 0 | | HTTP connection timeout || headers_file | | | HTTP headers filename which contains additional headers to be added in each || | | | request ||--------------------------------------------------------------------------------------------------------------------------------|| cookie_jar_file | | | Cookie Jar file holding HTTP cookies || ignore_session_cookies | False | | Ignore session cookies ||--------------------------------------------------------------------------------------------------------------------------------|| ntlm_auth_url | | | NTLM authentication domain (target domain name) || ntlm_auth_user | | | NTLM authentication username || ntlm_auth_passwd | | | NTLM authentication password || ntlm_auth_domain | | | NTLM authentication domain (windows domain name) ||--------------------------------------------------------------------------------------------------------------------------------|| rand_user_agent | False | | Use random User-Agent header || max_file_size | 400000 | | Maximum file size || max_http_retries | 2 | | Maximum number of HTTP request retries || user_agent | w3af.org | | User Agent header || max_requests_per_second | 0 | | Maximum HTTP requests per second ||--------------------------------------------------------------------------------------------------------------------------------|| string_match_404 | | | Tag HTTP response as 404 if the string is found in it's body || always_404 | | | Comma separated list of URLs which will always be detected as 404 pages || never_404 | | | Comma separated list of URLs which will never be detected as 404 pages ||--------------------------------------------------------------------------------------------------------------------------------|| proxy_port | 8080 | | Proxy TCP port || proxy_address | | | Proxy IP address ||--------------------------------------------------------------------------------------------------------------------------------|| basic_auth_user | | | Basic authentication username || basic_auth_passwd | | | Basic authentication password || basic_auth_domain | | | Basic authentication domain ||--------------------------------------------------------------------------------------------------------------------------------|w3af/config:http-settings>>> set rand_user_agent True (启动随机用户代理)w3af/config:http-settings>>> view|--------------------------------------------------------------------------------------------------------------------------------|| Setting | Value | Modified | Description ||--------------------------------------------------------------------------------------------------------------------------------|| url_parameter | | | URL parameter (http://host.tld/path;<parameter>) || timeout | 0 | | HTTP connection timeout || headers_file | | | HTTP headers filename which contains additional headers to be added in each || | | | request ||--------------------------------------------------------------------------------------------------------------------------------|| cookie_jar_file | | | Cookie Jar file holding HTTP cookies || ignore_session_cookies | False | | Ignore session cookies ||--------------------------------------------------------------------------------------------------------------------------------|| ntlm_auth_url | | | NTLM authentication domain (target domain name) || ntlm_auth_user | | | NTLM authentication username || ntlm_auth_passwd | | | NTLM authentication password || ntlm_auth_domain | | | NTLM authentication domain (windows domain name) ||--------------------------------------------------------------------------------------------------------------------------------|| rand_user_agent | True | Yes | Use random User-Agent header || max_file_size | 400000 | | Maximum file size || max_http_retries | 2 | | Maximum number of HTTP request retries || user_agent | w3af.org | | User Agent header || max_requests_per_second | 0 | | Maximum HTTP requests per second ||--------------------------------------------------------------------------------------------------------------------------------|| string_match_404 | | | Tag HTTP response as 404 if the string is found in it's body || always_404 | | | Comma separated list of URLs which will always be detected as 404 pages || never_404 | | | Comma separated list of URLs which will never be detected as 404 pages ||--------------------------------------------------------------------------------------------------------------------------------|| proxy_port | 8080 | | Proxy TCP port || proxy_address | | | Proxy IP address ||--------------------------------------------------------------------------------------------------------------------------------|| basic_auth_user | | | Basic authentication username || basic_auth_passwd | | | Basic authentication password || basic_auth_domain | | | Basic authentication domain ||--------------------------------------------------------------------------------------------------------------------------------|w3af/config:http-settings>>> backThe configuration has been saved.
misc-settings模块
w3af>>> help|----------------------------------------------------------------------------------------------------------------------------------|| start | Start the scan. || plugins | Enable and configure plugins. || exploit | Exploit the vulnerability. || profiles | List and use scan profiles. || cleanup | Cleanup before starting a new scan. ||----------------------------------------------------------------------------------------------------------------------------------|| help | Display help. Issuing: help [command] , prints more specific help about "command" || version | Show w3af version information. || keys | Display key shortcuts. ||----------------------------------------------------------------------------------------------------------------------------------|| http-settings | Configure the HTTP settings of the framework. || misc-settings | Configure w3af misc settings. || target | Configure the target URL. ||----------------------------------------------------------------------------------------------------------------------------------|| back | Go to the previous menu. || exit | Exit w3af. ||----------------------------------------------------------------------------------------------------------------------------------|| kb | Browse the vulnerabilities stored in the Knowledge Base ||----------------------------------------------------------------------------------------------------------------------------------|w3af>>> misc-settings #杂项设置w3af/config:misc-settings>>> view|---------------------------------------------------------------------------------------------------------------------------------|| Setting | Value | Modified | Description ||---------------------------------------------------------------------------------------------------------------------------------|| msf_location | /opt/metasploit3/bin/ | | Full path of Metasploit framework binary directory || | | | (/opt/metasploit3/bin/ in most linux installs) ||---------------------------------------------------------------------------------------------------------------------------------|| interface | ppp0 | | Local interface name to use when sniffing, doing reverse || | | | connections, etc. || local_ip_address | 10.10.10.128 | | Local IP address to use when doing reverse connections ||---------------------------------------------------------------------------------------------------------------------------------|| max_discovery_time | 120 | | Maximum crawl time (minutes) || stop_on_first_exception | False | | Stop scan after first unhandled exception ||---------------------------------------------------------------------------------------------------------------------------------|| form_id_action | exclude | | Define the form_id_list filter behaviour || non_targets | | | A comma separated list of URLs that w3af should ignore || form_id_list | [] | | Filter forms to scan using form IDs ||---------------------------------------------------------------------------------------------------------------------------------|| fuzz_url_filenames | False | | Indicates if w3af plugins will send fuzzed file names in order to || | | | find vulnerabilities || fuzz_url_parts | False | | Indicates if w3af plugins will send fuzzed URL parts in order to || | | | find vulnerabilities || fuzzable_headers | | | A list with all fuzzable header names || fuzzed_files_extension | gif | | Indicates the extension to use when fuzzing file content || form_fuzzing_mode | tmb | | Indicates what HTML form combo values w3af plugins will use: all, || | | | tb, tmb, t, b || fuzz_form_files | True | | Indicates if w3af plugins will send payloads in the content of || | | | multipart/post form files. || fuzz_cookies | False | | Indicates if w3af plugins will use cookies as a fuzzable parameter ||---------------------------------------------------------------------------------------------------------------------------------|w3af/config:misc-settings>>> help|----------------------------------------------------------------------------------------------------------------------------------|| view | List the available options and their values. || set | Set a parameter value. || save | Save the configured settings. ||----------------------------------------------------------------------------------------------------------------------------------|| back | Go to the previous menu. || exit | Exit w3af. ||----------------------------------------------------------------------------------------------------------------------------------|w3af/config:misc-settings>>> backThe configuration has been saved.
target模块
w3af>>> help|----------------------------------------------------------------------------------------------------------------------------------|| start | Start the scan. || plugins | Enable and configure plugins. || exploit | Exploit the vulnerability. || profiles | List and use scan profiles. || cleanup | Cleanup before starting a new scan. ||----------------------------------------------------------------------------------------------------------------------------------|| help | Display help. Issuing: help [command] , prints more specific help about "command" || version | Show w3af version information. || keys | Display key shortcuts. ||----------------------------------------------------------------------------------------------------------------------------------|| http-settings | Configure the HTTP settings of the framework. || misc-settings | Configure w3af misc settings. || target | Configure the target URL. ||----------------------------------------------------------------------------------------------------------------------------------|| back | Go to the previous menu. || exit | Exit w3af. ||----------------------------------------------------------------------------------------------------------------------------------|| kb | Browse the vulnerabilities stored in the Knowledge Base ||----------------------------------------------------------------------------------------------------------------------------------|w3af>>> targetw3af/config:target>>> help|----------------------------------------------------------------------------------------------------------------------------------|| view | List the available options and their values. || set | Set a parameter value. || save | Save the configured settings. ||----------------------------------------------------------------------------------------------------------------------------------|| back | Go to the previous menu. || exit | Exit w3af. ||----------------------------------------------------------------------------------------------------------------------------------|w3af/config:target>>> set target http://10.10.10.129w3af/config:target>>> view|-----------------------------------------------------------------------------------------------------------------------------------|| Setting | Value | Modified | Description ||-----------------------------------------------------------------------------------------------------------------------------------|| target_framework | unknown | | Target programming framework (unknown/php/asp/asp.net/java/jsp/cfm/ruby/perl) || target | http://10.10.10.129 | Yes | A comma separated list of URLs || target_os | unknown | | Target operating system (unknown/unix/windows) ||-----------------------------------------------------------------------------------------------------------------------------------|w3af/config:target>>> backThe configuration has been saved.#配置完成,可以保存为配置文件w3af>>> profilesw3af/profiles>>> save_as test01Profile saved.w3af/profiles>>> back
脚本
root@attacker:~# cd /usr/local/src/root@attacker:/usr/local/src# lscircle.yml libjavascriptcoregtk-1.0-0_2.4.11-3_amd64.deb python-support_1.0.15_all.deb scripts w3af_api w3afguidoc libwebkitgtk-1.0-0_2.4.11-3_amd64.deb python-webkit_1.1.8-3_amd64.deb tools w3afconsole w3af_guiextras profiles README.md w3af w3af_console wXf-masterroot@attacker:/usr/local/src# cd scripts/root@attacker:/usr/local/src/scripts# lsallowed_methods.w3af file_upload_shell.w3af profile-fast_scan.w3afall.w3af frontpage_version.w3af remote_file_include_local_ws.w3afauth_detailed.w3af header_fuzzing.w3af remote_file_include_proxy.w3afbing_spider.w3af html_output.w3af remote_file_include_shell.w3afblind_sqli_detection.w3af list_all_plugins.w3af remote_file_include_shell-xss.w3afcookie_fuzzing.w3af local_file_include-payload.w3af remote_file_include_w3af_site.w3afcross_domain.w3af local_file_include.w3af spider_man.w3afcsrf.w3af login_brute_form_GET.w3af sqli.w3afdav_shell.w3af login_brute_password_only.w3af sqlmap_exploit_int.w3afdetect_transparent_proxy.w3af mangle_request.w3af targets_from_file.w3afdigit_sum.w3af mangle_response.w3af web_spider-ignore_regex.w3afeval_shell.w3af os_commanding-lnx-vdaemon.w3af web_spider-only_forward.w3afeval.w3af os_commanding-lnx-w3afAgent.w3af web_spider.w3afexploit_all.w3af os_commanding_shell.w3af xss_simple.w3afexploit_fast.w3af os_commanding.w3af xss_stored.w3affilename_xss.w3af php_sca-payload.w3afroot@attacker:/usr/local/src/scripts# cat sqli.w3af# This is a demo of the attack plugin sql_shellpluginsoutput console,text_fileoutput config text_fileset output_file output-w3af.txtset verbose Truebackoutput config consoleset verbose Falsebackaudit sqlicrawl web_spidercrawl config web_spiderset only_forward Truebackgrep path_disclosurebacktargetset target http://moth/w3af/audit/sql_injection/select/sql_injection_string.php?name=andresbackstartbug-reportdetails 0backexitroot@attacker:/usr/local/src# ./w3afconsole -s ./scripts/sqli.w3afw3af>>> pluginsw3af/plugins>>> output console,text_filew3af/plugins>>> output config text_filew3af/plugins/output/config:text_file>>> set output_file output-w3af.txtw3af/plugins/output/config:text_file>>> set verbose Truew3af/plugins/output/config:text_file>>> backThe configuration has been saved.w3af/plugins>>> output config consolew3af/plugins/output/config:console>>> set verbose Falsew3af/plugins/output/config:console>>> backThe configuration has been saved.w3af/plugins>>> audit sqliw3af/plugins>>> crawl web_spiderw3af/plugins>>> crawl config web_spiderw3af/plugins/crawl/config:web_spider>>> set only_forward Truew3af/plugins/crawl/config:web_spider>>> backThe configuration has been saved.w3af/plugins>>> grep path_disclosurew3af/plugins>>> backw3af>>> targetw3af/config:target>>> set target http://moth/w3af/audit/sql_injection/select/sql_injection_string.php?name=andresw3af/config:target>>> backThe configuration has been saved.w3af>>> start
3、身份认证
w3af支持用户可以提供的这些类型的认证凭证,以便扫描器保持会话打开以扫描目标Web应用程序:
HTTP基本认证
NTLM身份验证
基于表单认证
设置一个HTTP cookie
HTTP Basic和NTLM身份验证是通常由Web服务器提供的两种HTTP级别身份验证
表单和Cookie身份验证方法则由应用程序本身提供
用户需要确定与应用程序保持会话需要使用哪种身份验证方法
通常情况下,快速检查HTTP通信将确定需要什么。
基本身份认证
启动安装界面 appwiz.cpl
启动 IIS 服务器
设置 IIS 服务器的属性
设置目录安全性
取消匿名访问,勾选基本身份认证
重启 IIS 服务器
使用 win2003 的本地账号登录,先设置用户然后抓包登录
使用 wiresahrk 抓包捕获明文用户名密码
获取到了 base64 编码的密文 Authorization: Basic dXNlcjE6MTIzNDU2
使用 w3af 解码 dXNlcjE6MTIzNDU2
# 验证一下
root@kali:~# echo -n "user1:123456" | base64dXNlcjE6MTIzNDU2
使用 w3af 扫描
选择 w3af 插件
audit --> buffer_overflow && os_commanding
ceawl–> web_spider
grep
使用 wireshark 抓包
windows集成身份验证
windows 在未加入域的情况下,默认都是采用集成身份验证
集成 windows 身份认证认证方式:
先提交一个随机数,并用这个随机数加密
等收到密文并解开,对比这个随机数是否一样
Win2003 配置身份认证
在默认网站右键属性 –> 取消匿名访问、勾选集成 windows 身份认证 –> 站点重启
w3af 配置扫描选项
选择 w3af 插件
audit --> buffer_overflow && os_commanding
ceawl–> web_spider
infrastructure
使用 wireshark抓包
身份认证成功返回 200 OK
基于表单的身份认证
配置 w3af
查看表单域
选择 w3af 插件
audit --> sqli
auth --> detailed
crawl --> web_spider(only_forward)
# only_forward:只扫描此IP目标指定子目录# only_forward:值扫描特定网页等
抓包
HTTP cookie
双因素身份认证
anti-CSRF tokens
w3af 值接收
严格格式要求的 cookie 文件(python要求)
在这里插入图片描述
cookie 格式要求如上
保存 cookie 文件
cookie 各项参数解释:
配置扫描插件
audit --> sqli、xss
crawl --> web_spider(only_forward)
# only_forward:只扫描此IP目标指定子目录# only_forward:值扫描特定网页等
结语
w3af是个很全面的工具
安装有点问题,参考文章开头两篇文章
安装完以后是有GUI的
可以自己摸索
文章转载自红客突击队,如果涉嫌侵权,请发送邮件至:contact@modb.pro进行举报,并提供相关证据,一经查实,墨天轮将立刻删除相关内容。
