[b]快速开始[/b]
[b]帮助[/b]
使用-h来查看arachni功能
arachni -h
当扫描进行时,可以使用回车键来暂停/恢复,中断,延缓执行,以及查看一个发现的问题的总结。
可以这样运行arachni:
将会加载所有的checks,在/plugins/defaults下的插件,审计所有的表单,链接以及cookie。
下面的例子中,将会使用所有的的checks,审计链接/表单/cookie,跟随子域名,以及显示各种信息来扫描http://test.com。结果将会保存在test.com.afr文件中:
afr文件可以用于生成几种文件格式的报告,例如:
查看报告的组件:
[color=blue]使用*和-简化加载checks过程:[/color]
使用*来加载所有的xss checks:
使用*来加载所有的主动checks:
只排除csrf check:
更多资源查看:[url]http://support.arachni-scanner.com/kb/general-use[/url]和
[b]命令手册:[/b]
[b]通用[/b]
[color=blue]版本:(--version)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
输出arachni的banner和版本信息
[color=blue]授权来自 (--authorized-by)[/color]
Expects: string
Default: disabled
Multiple invocations?: no
传到这个参数的字符串将会被用于HTTP头中的From域的值。其值应该是授权扫描人的邮件
[b]输出[/b]
[color=blue]额外信息 (--output-verbose)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
当允许冗余信息,arachni将会输出整个过程中的细节信息。
例如:
将会加载xss checks以及审计所有的表单来扫描http://testfire.net/
[color=blue]冗余信息关闭[/color]
上述运行中没有--output-verbose标志位
arachni输出信息分为几类,每一类都有一个不同颜色的前缀:
[color=cyan][*] 状态信息
[~] 情报信息
[+] 成功信息
[v] 冗余信息
[!] 调试信息
[-] 错误信息[/color]
我们不讨论颜色问题
[quote]Arachni - Web Application Security Scanner Framework v1.0
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[*] Initializing...
[*] Waiting for plugins to settle...
[*] BrowserCluster: Initializing 6 browsers...
[*] BrowserCluster: Initialization completed with 6 browsers in the pool.
[*] [HTTP: 200] http://testfire.net/
[~] Identified as: windows, iis, asp, aspx
[~] Analysis resulted in 0 usable paths.
[~] DOM depth: 0 (Limit: 10)
[*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
[*] XSS: Submitting form with original values for txtSearch at 'http://testfire.net/search.aspx'.
[*] XSS: Submitting form with sample values for txtSearch at 'http://testfire.net/search.aspx'.
[*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
[*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
[*] Harvesting HTTP responses...
[~] Depending on server responsiveness and network conditions this may take a while.
[*] XSS: Analyzing response #2...
[~] XSS: Response is tainted, looking for proof of vulnerability.
[+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
[*] XSS: Analyzing response #3...
[*] XSS: Analyzing response #4...
[*] XSS: Analyzing response #5...
[~] XSS: Response is tainted, looking for proof of vulnerability.
[+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
[*] XSS: Analyzing response #6...
[~] XSS: Response is tainted, looking for proof of vulnerability.
[+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx[/quote]
[color=blue]冗余信息模式开启[/color]
观察这次运行中的额外信息:
[v]信息是额外信息
[quote]$ arachni --audit-forms --checks=xss http://testfire.net/ --scope-page-limit=1 [color=green]--output-verbose[/color]
Arachni - Web Application Security Scanner Framework v1.0
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[*] Initializing...
[*] Waiting for plugins to settle...
[*] BrowserCluster: Initializing 6 browsers...
[*] BrowserCluster: Initialization completed with 6 browsers in the pool.
[*] [HTTP: 200] http://testfire.net/
[~] Identified as: windows, iis, asp, aspx
[~] Analysis resulted in 0 usable paths.
[~] DOM depth: 0 (Limit: 10)
[*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
[v] XSS: --> With: "<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>" -> "arachni_text<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>"
[*] XSS: Submitting form with original values for txtSearch at 'http://testfire.net/search.aspx'.
[v] XSS: --> With: nil -> ""
[*] XSS: Submitting form with sample values for txtSearch at 'http://testfire.net/search.aspx'.
[v] XSS: --> With: nil -> ""
[*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
[v] XSS: --> With: "()\"&%1'-;<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>'" -> "arachni_text()\"&%1'-;<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>'"
[*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
[v] XSS: --> With: "--><some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/><!--" -> "arachni_text--><some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/><!--"
[*] Harvesting HTTP responses...
[~] Depending on server responsiveness and network conditions this may take a while.
[*] XSS: Analyzing response #2...
[~] XSS: Response is tainted, looking for proof of vulnerability.
[+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
[v] XSS: Injected: "arachni_text<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>"
[v] XSS: Proof: <some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>
[v] XSS: Request:
GET /search.aspx?txtSearch=arachni_text%3Csome_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714%2F%3E HTTP/1.1
Host: testfire.net
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cookie: ASP.NET_SessionId=e4h4wy45jmb5vkrg0wl1rj45;amSessionId=15420499882
[*] XSS: Analyzing response #3...
[*] XSS: Analyzing response #4...
[*] XSS: Analyzing response #6...
[~] XSS: Response is tainted, looking for proof of vulnerability.
[+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
[v] XSS: Injected: "arachni_text--><some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/><!--"
[v] XSS: Proof: <some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>
[v] XSS: Request:
GET /search.aspx?txtSearch=arachni_text--%3E%3Csome_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714%2F%3E%3C%21-- HTTP/1.1
Host: testfire.net
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cookie: ASP.NET_SessionId=e4h4wy45jmb5vkrg0wl1rj45;amSessionId=15420499882
[*] XSS: Analyzing response #5...
[~] XSS: Response is tainted, looking for proof of vulnerability.
[+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
[v] XSS: Injected: "arachni_text()\"&%1'-;<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>'"
[v] XSS: Proof: <some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>
[v] XSS: Request:
GET /search.aspx?txtSearch=arachni_text%28%29%22%26%251%27-%3B%3Csome_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714%2F%3E%27 HTTP/1.1
Host: testfire.net
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cookie: ASP.NET_SessionId=e4h4wy45jmb5vkrg0wl1rj45;amSessionId=15420499882[/quote]
[color=blue]调试 (--output-debug)[/color]
Expects: integer
Default: 1
Multiple invocations?: no
当设置该标志位时,系统将会输出许多细节信息。细节的级别为1~3。如果不想淹没在烦人和无聊的信息中,可以使用管道来把调试信息输出到一个独立的文件:
arachni http://example.com --output-debug 2> debug.log
[color=blue]明确的问题 (--output-only-positives)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
除了成功信息外压缩其他的信息--只显示发现的问题
[b]范围[/b]
不使用"/"封装的ruby正则表达式
[color=blue]Include (--scope-include-pattern)[/color]
Expects: pattern
Default: disabled
Multiple invocations?: yes
把扫描的范围限制为匹配模式的url资源
[color=blue]子域名包含 (--scope-include-subdomains)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
扫描子域名
[color=blue]排除 (--scope-exclude-pattern)[/color]
Expects: pattern
Default: disabled
Multiple invocations?: yes
排除匹配正则表达式的url
[color=blue]通过内容排除页面 (--scope-exclude-content-pattern)[/color]
Expects: pattern
Default: disabled
Multiple invocations?: yes
排除匹配模式的web页面
[color=blue]Exclude binaries (--scope-exclude-binaries)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
排除包含二进制内容的页面
[color=red]Note: 二进制内容可能对实施模式匹配的被动check造成困惑[/color]
[color=blue]冗余 (--scope-redundant-path-pattern)[/color]
Expects: pattern:integer
Default: disabled
Multiple invocations?: yes
该选项为一个正则表达式和一个数字,例如: --scope-redundant-path-pattern='calendar.php:3'
将会导致包含calendar.php的页面只爬虫三次
[color=red]当扫描很多类似图库或动态生成日历的时候,该选项很有用[/color]
[color=blue]Auto-redundant (--scope-auto-redundant)[/color]
Expects: integer
Default: disabled (如果没指定,则默认为10)
Multiple invocations?: no
该选项限制扫描时相同参数的url资源的扫描次数。可以避免例如相册或目录造成的无限循环
例如当设置--scope-auto-redundant=2时,下列的url中:
[quote]http://test.com/?stuff=1
http://test.com/?stuff=2
http://test.com/?stuff=other-stuff
http://test.com/?stuff=blah
http://test.com/?stuff=blah&stuff2=1
http://test.com/?stuff=blah&stuff2=2
http://test.com/?stuff=blah2&stuff2=bloo
http://test.com/path.php?stuff=blah&stuff2=1[/quote]
检查时只包含:
[quote]http://test.com/?stuff=1
http://test.com/?stuff=2
http://test.com/?stuff=blah&stuff2=1
http://test.com/?stuff=blah&stuff2=2
http://test.com/path.php?stuff=blah&stuff2=1[/quote]
[color=blue]目录深度限制 (--scope-directory-depth-limit)[/color]
Expects: integer
Default: infinite
Multiple invocations?: no
限制扫描器扫描的网站的深度
[color=blue]页面限制 (--scope-page-limit)[/color]
Expects: integer
Default: infinite
Multiple invocations?: no
限制扫描页面数目
[color=blue]扩展路径 (--scope-extend-paths)[/color]
Expects: filepath
Default: disabled
Multiple invocations?: yes
通过使用指定文件为种子来扩展扫描范围。
[color=red]必须一行一个路径[/color]
[color=blue]限制扫描路径 (--scope-restrict-paths)[/color]
Expects: filepath
Default: disabled
Multiple invocations?: yes
Uses the paths contained within the given file instead of performing a crawl.
不使用爬虫,取而代之的是指定文件包含的扫描路径
[color=red]必须一行一个路径[/color]
[color=blue]重写URL (--scope-url-rewrite)[/color]
Expects: pattern:substitution
Default: disabled
Multiple invocations?: yes
This option expects a pattern and a substitution, like so:
参数为一个正则表达式和一个替代,例如--scope-url-rewrite='/articles\/[\w-]+\/(\d+)/:articles.php?id=\1'
上述规则将会把urlhttp://test.com/articles/some-stuff/23重写为http://test.com/articles.php?id=23.
[color=blue]DOM深度限制 (--scope-dom-depth-limit)[/color]
Expects: integer
Default: infinite
Multiple invocations?: no
将会限制扫描每个页面的DOM结构深度。
[color=blue]HTTPS (--scope-https-only)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
迫使系统仅扫描https
目标url必须是https
[b]审计[/b]
[color=blue]审计链接 (--audit-links)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
开启审计链接
[color=blue]审计表单 (--audit-forms)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
开启审计表单
[color=blue]审计cookies (--audit-cookies)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
开启审计cookie
[color=blue]广泛审计cookie (--audit-cookies-extensively)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
If enabled the system will submit all links and forms of the page along with the cookie permutations.
如果开启,系统将会使用cookie提交页面中所有的链接和表单。
[color=red]将会严重增加扫描时间[/color]
[color=blue]审计头部信息 (--audit-headers)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
审计http请求头部信息
Note: 头部信息审计使用暴力破解. 即使web程序没有使用的合法的http头也会被审计
[color=red]Warning: 开启该选项会增加请求个数[/color]
[color=blue]链接模板 (--audit-link-template)[/color]
Expects: pattern
Default: disabled
Multiple invocations?: yes
该选项允许提取/审计基于使用名称组(name groups)的ruby正则表达式过滤的路径中的输入
从http://test.com/input1/value1/input2/value2中提取input1和input2,使用:
/input1\/(?<input1>\w+)\/input2\/(?<input2>\w+)/
[color=blue]两种方法 (--audit-with-both-methods)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
如果开启,系统将会使用GET/POST提交所有元素。
[color=red]Warning:会严重增加扫描时间[/color]
[color=blue]排除向量 (--audit-exclude-vector)[/color]
Expects: pattern
Default: disabled
Multiple invocations?: yes
不审计输入名字符合正则表达式的向量
[color=blue]包含向量 (--audit-include-vector)[/color]
Expects: pattern
Default: disabled
Multiple invocations?: yes
只审计输入名字符合正则表达式的向量
[b]HTTP[/b]
[color=blue]User agent (--http-user-agent)[/color]
Expects: string
Default: "Arachni/<version>"
Multiple invocations?: no
指定HTTP请求中User-Agent部分
[color=blue]请求并发数 (--http-request-concurrency)[/color]
Expects: integer
Default: 20
Multiple invocations?: no
Sets the maximum amount of requests to be active at any given time; this usually directly translates to the amount of open connections.
设定某个时间请求最大个数;通常直接等于开放链接个数。
[color=red]Note: 如果扫描没有相应,那么降低个数来缓解服务器压力
Warning: 加入有足够带宽和一个较高的并发数设置,扫描将会造成DOS。[/color]
[color=blue]请求超时 (--http-request-timeout)[/color]
Expects: integer (milliseconds)
Default: 50000
Multiple invocations?: no
设置客户端等待服务器应答的时间
[color=blue]请求重定向限制 (--http-request-redirect-limit)[/color]
Expects: integer
Default: 5
Multiple invocations?: no
限制每个请求重定向的次数
[color=blue]请求队列大小 (--http-request-queue-size)[/color]
Expects: integer
Default: 500
Multiple invocations?: no
客户端队列的最大请求个数
[color=red]Note: 多意味着更好的调度和更好的性能, 少意味着较少的RAM消耗[/color]
[color=blue]请求头 (--http-request-header)[/color]
Expects: string
Default: disabled
Multiple invocations?: yes
运行以键值对的格式指定请求头
例如--http-request-header='field_name=field value'
[color=blue]响应最大大小 (--http-response-max-size)[/color]
Expects: integer
Default: infinite
Multiple invocations?: no
限制客户端接收响应体的大小。实质上,客户端不会下载Content-Length大于指定值的响应body。
[color=blue]Cookie jar (--http-cookie-jar)[/color]
Expects: filepath
Default: disabled
Multiple invocations?: no
arachni允许传递Netscape cookie-jar file格式的cookie。如果想审计网站登录后的部分,那么应该传递session cookie给arachni。
[color=red]Note:如果觉得设置cookie-jar不适应,可以使用proxy或autologin插件来登录web应用程序[/color]
[color=blue]Cookie字符串 (--http-cookie-string)[/color]
Expects: string
Default: disabled
Multiple invocations?: no
Cookies作为字符串发送
例如--http-cookie-string='userid=19;sessionid=deadbeefbabe'
[color=blue]认证user名 (--http-authentication-username)[/color]
Expects: string
Default: disabled
Multiple invocations?: no
HTTP认证用的用户名
[color=blue]认证密码[/color] (--http-authentication-password)
Expects: string
Default: disabled
Multiple invocations?: no
HTTP认证用的密码
[color=blue]Proxy (--http-proxy)[/color]
Expects: server:port
Default: disabled
Multiple invocations?: no
为客户端设置http代理
[color=blue]代理认证 (--http-proxy-auth)[/color]
Expects: username:password
Default: disabled
Multiple invocations?: no
为指定的代理服务器设置认证口令
[color=blue]代理类型 (--http-proxy-type)[/color]
Expects: http, http_1_0, socks4, socks5, socks4a
Default: auto
Multiple invocations?: no
设置指定的代理服务器的类型
[b]Input[/b]
[color=blue]值 (--input-value)[/color]
Expects: pattern:value
Default: disabled
Multiple invocations?: yes
设置匹配模式的输入的值
[color=blue]值 (--input-values-from-file)[/color]
Expects: filepath
Default: disabled
Multiple invocations?: no
含有正则表达的hash object的YAML文件,来匹配输入名作为名字,值作为值
[color=blue]不使用默认 (--input-without-defaults)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
如果开启,不使用系统默认值
[color=blue]强制 (--input-force)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
强制系统填写甚至不为空的表单
[b]Checks[/b]
[color=blue]列表 (--checks-list)[/color]
Expects: pattern
Default: disabled
Multiple invocations?: yes
罗列所有可用的checks。如果提供选项,那么将会作为正则表达式来过滤显示的checks
[color=blue]加载 (--checks)
[/color]
Expects: string,string
Default: * (all)
Multiple invocations?: no
加载给定名字的checks。
可以使用不含逗号分隔的值,或者*来加载全部. 通过前缀-来组织check被加载.
[color=red]Note: check参照他们的文件名,不含rb后缀,使用--checks-list查看所有checks[/color]
例如:
[b]插件[/b]
[color=blue]列举 (--plugins-list)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
罗列所有可用的plugins.
[color=blue]加载 (--plugin)[/color]
Expects: string
Default: disabled
Multiple invocations?: yes
加载给定插件,配置参数
Note: 参照他们的文件名,不含rb后缀,使用--plugins-list查看所有
例如排除logout url以及使用autologin插件来登录程序:
arachni http://testfire.net --scope-page-limit=1 --checks=xss \
--plugin=autologin:url=http://testfire.net/bank/login.aspx,parameters='uid=jsmith&passw=Demo1234',check='Sign Off|MY ACCOUNT' \
--scope-exclude-pattern logout
[b]平台[/b]
[color=blue]列举 (--platforms-list)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
罗列所有可用平台
[b]Session[/b]
[color=blue]检查url (--session-check-url)[/color]
Expects: string
Default: disabled
Multiple invocations?: no
Requires: session-check-pattern
传递到这个选项的url将会被用于判断系统仍然登录到web应用程序
如果url的http响应体匹配session-check-pattern,那么表明系统是登录状态
[color=blue]Check模式 (--session-check-pattern)[/color]
Expects: string
Default: disabled
Multiple invocations?: no
Requires: session-check-url
一个正则表达式用于匹配session-check-url的body部分用于识别系统是否仍然是登录状态。匹配表明系统是登录状态
[b]Profiles[/b]
[color=blue]保存 (--profile-save-filepath)[/color]
Expects: filepath
Default: disabled
Multiple invocations?: no
允许保存当前配置, 所有传递的参数保存到Arachni Framework Profile(.afp)文件
[color=blue]加载 (--profile-load-filepath)[/color]
Expects: filepath
Default: disabled
Multiple invocations?: no
允许加载和运行一个保存的profile文件.
Note: 该选项不影响设置更多的选项或重新保存profile文件
[b]浏览器簇[/b]
[color=blue]Pool大小 (--browser-cluster-pool-size)[/color]
Expects: integer
Default: 6
Multiple invocations?: no
pool维护的浏览器进程的个数.
[color=blue]Job 超时 (--browser-cluster-job-timeout)[/color]
Expects: integer
Default: 120
Multiple invocations?: no
每个job的允许时间,单位秒
[color=blue]存活工作时间 (--browser-cluster-worker-time-to-live)[/color]
Expects: integer
Default: 100
Multiple invocations?: no
在进程重生之前每个进程应该处理的job数
Note: 主要用于防止一个浏览器进程占用太多RAM
[color=blue]忽略图片 (--browser-cluster-ignore-images)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
如果开启,浏览器不会加载图片
[color=blue]屏幕宽度 (--browser-cluster-screen-width)[/color]
Expects: integer
Default: 1600
Multiple invocations?: no
设置浏览器屏幕宽度
Note: 用于测试响应和web程序.
[color=blue]屏幕高度 (--browser-cluster-screen-height)[/color]
Expects: integer
Default: 1200
Multiple invocations?: no
设置浏览器屏幕高度
Note: 用于测试响应和web程序.
[b]报告[/b]
[color=blue]保存路径 (--report-save-path)[/color]
Expects: string
Default: .
Multiple invocations?: no
设置存储报告的路径
Note: 可以使用arachni_reporter命令来使用生成的文件来生成不同格式的报告
[b]快照[/b]
[color=blue]保存路径 (--snapshot-save-path)[/color]
Expects: string
Default: .
Multiple invocations?: no
设置暂停扫描的快照的保存路径
Note: 使用arachni_restore来指定快照开恢复扫描
[b]超时[/b]
[color=blue]超时 (--timeout)[/color]
Expects: hours:minutes:seconds
Default: infinite
Multiple invocations?: no
运行扫描的最大时间
[color=blue]暂停 (--timeout-suspend)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
如果开启,那么当到达--timeout指定的时间时,扫描将会暂停,而不是中断。
[b]帮助[/b]
使用-h来查看arachni功能
arachni -h
当扫描进行时,可以使用回车键来暂停/恢复,中断,延缓执行,以及查看一个发现的问题的总结。
可以这样运行arachni:
arachni http://test.com
将会加载所有的checks,在/plugins/defaults下的插件,审计所有的表单,链接以及cookie。
下面的例子中,将会使用所有的的checks,审计链接/表单/cookie,跟随子域名,以及显示各种信息来扫描http://test.com。结果将会保存在test.com.afr文件中:
arachni --output-verbose --scope-include-subdomains http://test.com --report-save-path=test.com.afr
afr文件可以用于生成几种文件格式的报告,例如:
arachni_reporter test.com.afr --report=html:outfile=my_report.html
查看报告的组件:
arachni_reporter --reporters-list
[color=blue]使用*和-简化加载checks过程:[/color]
使用*来加载所有的xss checks:
arachni http://example.net --checks=xss*
使用*来加载所有的主动checks:
arachni http://example.net --checks=active/*
只排除csrf check:
arachni http://example.net --checks=*,-csrf
更多资源查看:[url]http://support.arachni-scanner.com/kb/general-use[/url]和
http://support.arachni-scanner.com/kb/
[b]命令手册:[/b]
[b]通用[/b]
[color=blue]版本:(--version)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
输出arachni的banner和版本信息
[color=blue]授权来自 (--authorized-by)[/color]
Expects: string
Default: disabled
Multiple invocations?: no
传到这个参数的字符串将会被用于HTTP头中的From域的值。其值应该是授权扫描人的邮件
[b]输出[/b]
[color=blue]额外信息 (--output-verbose)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
当允许冗余信息,arachni将会输出整个过程中的细节信息。
例如:
arachni --audit-forms --checks=xss http://testfire.net/ --scope-page-limit=1
将会加载xss checks以及审计所有的表单来扫描http://testfire.net/
[color=blue]冗余信息关闭[/color]
上述运行中没有--output-verbose标志位
arachni输出信息分为几类,每一类都有一个不同颜色的前缀:
[color=cyan][*] 状态信息
[~] 情报信息
[+] 成功信息
[v] 冗余信息
[!] 调试信息
[-] 错误信息[/color]
我们不讨论颜色问题
[quote]Arachni - Web Application Security Scanner Framework v1.0
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[*] Initializing...
[*] Waiting for plugins to settle...
[*] BrowserCluster: Initializing 6 browsers...
[*] BrowserCluster: Initialization completed with 6 browsers in the pool.
[*] [HTTP: 200] http://testfire.net/
[~] Identified as: windows, iis, asp, aspx
[~] Analysis resulted in 0 usable paths.
[~] DOM depth: 0 (Limit: 10)
[*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
[*] XSS: Submitting form with original values for txtSearch at 'http://testfire.net/search.aspx'.
[*] XSS: Submitting form with sample values for txtSearch at 'http://testfire.net/search.aspx'.
[*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
[*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
[*] Harvesting HTTP responses...
[~] Depending on server responsiveness and network conditions this may take a while.
[*] XSS: Analyzing response #2...
[~] XSS: Response is tainted, looking for proof of vulnerability.
[+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
[*] XSS: Analyzing response #3...
[*] XSS: Analyzing response #4...
[*] XSS: Analyzing response #5...
[~] XSS: Response is tainted, looking for proof of vulnerability.
[+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
[*] XSS: Analyzing response #6...
[~] XSS: Response is tainted, looking for proof of vulnerability.
[+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx[/quote]
[color=blue]冗余信息模式开启[/color]
观察这次运行中的额外信息:
[v]信息是额外信息
[quote]$ arachni --audit-forms --checks=xss http://testfire.net/ --scope-page-limit=1 [color=green]--output-verbose[/color]
Arachni - Web Application Security Scanner Framework v1.0
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[*] Initializing...
[*] Waiting for plugins to settle...
[*] BrowserCluster: Initializing 6 browsers...
[*] BrowserCluster: Initialization completed with 6 browsers in the pool.
[*] [HTTP: 200] http://testfire.net/
[~] Identified as: windows, iis, asp, aspx
[~] Analysis resulted in 0 usable paths.
[~] DOM depth: 0 (Limit: 10)
[*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
[v] XSS: --> With: "<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>" -> "arachni_text<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>"
[*] XSS: Submitting form with original values for txtSearch at 'http://testfire.net/search.aspx'.
[v] XSS: --> With: nil -> ""
[*] XSS: Submitting form with sample values for txtSearch at 'http://testfire.net/search.aspx'.
[v] XSS: --> With: nil -> ""
[*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
[v] XSS: --> With: "()\"&%1'-;<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>'" -> "arachni_text()\"&%1'-;<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>'"
[*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
[v] XSS: --> With: "--><some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/><!--" -> "arachni_text--><some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/><!--"
[*] Harvesting HTTP responses...
[~] Depending on server responsiveness and network conditions this may take a while.
[*] XSS: Analyzing response #2...
[~] XSS: Response is tainted, looking for proof of vulnerability.
[+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
[v] XSS: Injected: "arachni_text<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>"
[v] XSS: Proof: <some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>
[v] XSS: Request:
GET /search.aspx?txtSearch=arachni_text%3Csome_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714%2F%3E HTTP/1.1
Host: testfire.net
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cookie: ASP.NET_SessionId=e4h4wy45jmb5vkrg0wl1rj45;amSessionId=15420499882
[*] XSS: Analyzing response #3...
[*] XSS: Analyzing response #4...
[*] XSS: Analyzing response #6...
[~] XSS: Response is tainted, looking for proof of vulnerability.
[+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
[v] XSS: Injected: "arachni_text--><some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/><!--"
[v] XSS: Proof: <some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>
[v] XSS: Request:
GET /search.aspx?txtSearch=arachni_text--%3E%3Csome_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714%2F%3E%3C%21-- HTTP/1.1
Host: testfire.net
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cookie: ASP.NET_SessionId=e4h4wy45jmb5vkrg0wl1rj45;amSessionId=15420499882
[*] XSS: Analyzing response #5...
[~] XSS: Response is tainted, looking for proof of vulnerability.
[+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
[v] XSS: Injected: "arachni_text()\"&%1'-;<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>'"
[v] XSS: Proof: <some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>
[v] XSS: Request:
GET /search.aspx?txtSearch=arachni_text%28%29%22%26%251%27-%3B%3Csome_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714%2F%3E%27 HTTP/1.1
Host: testfire.net
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cookie: ASP.NET_SessionId=e4h4wy45jmb5vkrg0wl1rj45;amSessionId=15420499882[/quote]
[color=blue]调试 (--output-debug)[/color]
Expects: integer
Default: 1
Multiple invocations?: no
当设置该标志位时,系统将会输出许多细节信息。细节的级别为1~3。如果不想淹没在烦人和无聊的信息中,可以使用管道来把调试信息输出到一个独立的文件:
arachni http://example.com --output-debug 2> debug.log
[color=blue]明确的问题 (--output-only-positives)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
除了成功信息外压缩其他的信息--只显示发现的问题
[b]范围[/b]
不使用"/"封装的ruby正则表达式
[color=blue]Include (--scope-include-pattern)[/color]
Expects: pattern
Default: disabled
Multiple invocations?: yes
把扫描的范围限制为匹配模式的url资源
[color=blue]子域名包含 (--scope-include-subdomains)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
扫描子域名
[color=blue]排除 (--scope-exclude-pattern)[/color]
Expects: pattern
Default: disabled
Multiple invocations?: yes
排除匹配正则表达式的url
[color=blue]通过内容排除页面 (--scope-exclude-content-pattern)[/color]
Expects: pattern
Default: disabled
Multiple invocations?: yes
排除匹配模式的web页面
[color=blue]Exclude binaries (--scope-exclude-binaries)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
排除包含二进制内容的页面
[color=red]Note: 二进制内容可能对实施模式匹配的被动check造成困惑[/color]
[color=blue]冗余 (--scope-redundant-path-pattern)[/color]
Expects: pattern:integer
Default: disabled
Multiple invocations?: yes
该选项为一个正则表达式和一个数字,例如: --scope-redundant-path-pattern='calendar.php:3'
将会导致包含calendar.php的页面只爬虫三次
[color=red]当扫描很多类似图库或动态生成日历的时候,该选项很有用[/color]
[color=blue]Auto-redundant (--scope-auto-redundant)[/color]
Expects: integer
Default: disabled (如果没指定,则默认为10)
Multiple invocations?: no
该选项限制扫描时相同参数的url资源的扫描次数。可以避免例如相册或目录造成的无限循环
例如当设置--scope-auto-redundant=2时,下列的url中:
[quote]http://test.com/?stuff=1
http://test.com/?stuff=2
http://test.com/?stuff=other-stuff
http://test.com/?stuff=blah
http://test.com/?stuff=blah&stuff2=1
http://test.com/?stuff=blah&stuff2=2
http://test.com/?stuff=blah2&stuff2=bloo
http://test.com/path.php?stuff=blah&stuff2=1[/quote]
检查时只包含:
[quote]http://test.com/?stuff=1
http://test.com/?stuff=2
http://test.com/?stuff=blah&stuff2=1
http://test.com/?stuff=blah&stuff2=2
http://test.com/path.php?stuff=blah&stuff2=1[/quote]
[color=blue]目录深度限制 (--scope-directory-depth-limit)[/color]
Expects: integer
Default: infinite
Multiple invocations?: no
限制扫描器扫描的网站的深度
[color=blue]页面限制 (--scope-page-limit)[/color]
Expects: integer
Default: infinite
Multiple invocations?: no
限制扫描页面数目
[color=blue]扩展路径 (--scope-extend-paths)[/color]
Expects: filepath
Default: disabled
Multiple invocations?: yes
通过使用指定文件为种子来扩展扫描范围。
[color=red]必须一行一个路径[/color]
[color=blue]限制扫描路径 (--scope-restrict-paths)[/color]
Expects: filepath
Default: disabled
Multiple invocations?: yes
Uses the paths contained within the given file instead of performing a crawl.
不使用爬虫,取而代之的是指定文件包含的扫描路径
[color=red]必须一行一个路径[/color]
[color=blue]重写URL (--scope-url-rewrite)[/color]
Expects: pattern:substitution
Default: disabled
Multiple invocations?: yes
This option expects a pattern and a substitution, like so:
参数为一个正则表达式和一个替代,例如--scope-url-rewrite='/articles\/[\w-]+\/(\d+)/:articles.php?id=\1'
上述规则将会把urlhttp://test.com/articles/some-stuff/23重写为http://test.com/articles.php?id=23.
[color=blue]DOM深度限制 (--scope-dom-depth-limit)[/color]
Expects: integer
Default: infinite
Multiple invocations?: no
将会限制扫描每个页面的DOM结构深度。
[color=blue]HTTPS (--scope-https-only)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
迫使系统仅扫描https
目标url必须是https
[b]审计[/b]
[color=blue]审计链接 (--audit-links)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
开启审计链接
[color=blue]审计表单 (--audit-forms)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
开启审计表单
[color=blue]审计cookies (--audit-cookies)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
开启审计cookie
[color=blue]广泛审计cookie (--audit-cookies-extensively)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
If enabled the system will submit all links and forms of the page along with the cookie permutations.
如果开启,系统将会使用cookie提交页面中所有的链接和表单。
[color=red]将会严重增加扫描时间[/color]
[color=blue]审计头部信息 (--audit-headers)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
审计http请求头部信息
Note: 头部信息审计使用暴力破解. 即使web程序没有使用的合法的http头也会被审计
[color=red]Warning: 开启该选项会增加请求个数[/color]
[color=blue]链接模板 (--audit-link-template)[/color]
Expects: pattern
Default: disabled
Multiple invocations?: yes
该选项允许提取/审计基于使用名称组(name groups)的ruby正则表达式过滤的路径中的输入
从http://test.com/input1/value1/input2/value2中提取input1和input2,使用:
/input1\/(?<input1>\w+)\/input2\/(?<input2>\w+)/
[color=blue]两种方法 (--audit-with-both-methods)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
如果开启,系统将会使用GET/POST提交所有元素。
[color=red]Warning:会严重增加扫描时间[/color]
[color=blue]排除向量 (--audit-exclude-vector)[/color]
Expects: pattern
Default: disabled
Multiple invocations?: yes
不审计输入名字符合正则表达式的向量
[color=blue]包含向量 (--audit-include-vector)[/color]
Expects: pattern
Default: disabled
Multiple invocations?: yes
只审计输入名字符合正则表达式的向量
[b]HTTP[/b]
[color=blue]User agent (--http-user-agent)[/color]
Expects: string
Default: "Arachni/<version>"
Multiple invocations?: no
指定HTTP请求中User-Agent部分
[color=blue]请求并发数 (--http-request-concurrency)[/color]
Expects: integer
Default: 20
Multiple invocations?: no
Sets the maximum amount of requests to be active at any given time; this usually directly translates to the amount of open connections.
设定某个时间请求最大个数;通常直接等于开放链接个数。
[color=red]Note: 如果扫描没有相应,那么降低个数来缓解服务器压力
Warning: 加入有足够带宽和一个较高的并发数设置,扫描将会造成DOS。[/color]
[color=blue]请求超时 (--http-request-timeout)[/color]
Expects: integer (milliseconds)
Default: 50000
Multiple invocations?: no
设置客户端等待服务器应答的时间
[color=blue]请求重定向限制 (--http-request-redirect-limit)[/color]
Expects: integer
Default: 5
Multiple invocations?: no
限制每个请求重定向的次数
[color=blue]请求队列大小 (--http-request-queue-size)[/color]
Expects: integer
Default: 500
Multiple invocations?: no
客户端队列的最大请求个数
[color=red]Note: 多意味着更好的调度和更好的性能, 少意味着较少的RAM消耗[/color]
[color=blue]请求头 (--http-request-header)[/color]
Expects: string
Default: disabled
Multiple invocations?: yes
运行以键值对的格式指定请求头
例如--http-request-header='field_name=field value'
[color=blue]响应最大大小 (--http-response-max-size)[/color]
Expects: integer
Default: infinite
Multiple invocations?: no
限制客户端接收响应体的大小。实质上,客户端不会下载Content-Length大于指定值的响应body。
[color=blue]Cookie jar (--http-cookie-jar)[/color]
Expects: filepath
Default: disabled
Multiple invocations?: no
arachni允许传递Netscape cookie-jar file格式的cookie。如果想审计网站登录后的部分,那么应该传递session cookie给arachni。
[color=red]Note:如果觉得设置cookie-jar不适应,可以使用proxy或autologin插件来登录web应用程序[/color]
[color=blue]Cookie字符串 (--http-cookie-string)[/color]
Expects: string
Default: disabled
Multiple invocations?: no
Cookies作为字符串发送
例如--http-cookie-string='userid=19;sessionid=deadbeefbabe'
[color=blue]认证user名 (--http-authentication-username)[/color]
Expects: string
Default: disabled
Multiple invocations?: no
HTTP认证用的用户名
[color=blue]认证密码[/color] (--http-authentication-password)
Expects: string
Default: disabled
Multiple invocations?: no
HTTP认证用的密码
[color=blue]Proxy (--http-proxy)[/color]
Expects: server:port
Default: disabled
Multiple invocations?: no
为客户端设置http代理
[color=blue]代理认证 (--http-proxy-auth)[/color]
Expects: username:password
Default: disabled
Multiple invocations?: no
为指定的代理服务器设置认证口令
[color=blue]代理类型 (--http-proxy-type)[/color]
Expects: http, http_1_0, socks4, socks5, socks4a
Default: auto
Multiple invocations?: no
设置指定的代理服务器的类型
[b]Input[/b]
[color=blue]值 (--input-value)[/color]
Expects: pattern:value
Default: disabled
Multiple invocations?: yes
设置匹配模式的输入的值
[color=blue]值 (--input-values-from-file)[/color]
Expects: filepath
Default: disabled
Multiple invocations?: no
含有正则表达的hash object的YAML文件,来匹配输入名作为名字,值作为值
[color=blue]不使用默认 (--input-without-defaults)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
如果开启,不使用系统默认值
[color=blue]强制 (--input-force)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
强制系统填写甚至不为空的表单
[b]Checks[/b]
[color=blue]列表 (--checks-list)[/color]
Expects: pattern
Default: disabled
Multiple invocations?: yes
罗列所有可用的checks。如果提供选项,那么将会作为正则表达式来过滤显示的checks
[color=blue]加载 (--checks)
[/color]
Expects: string,string
Default: * (all)
Multiple invocations?: no
加载给定名字的checks。
可以使用不含逗号分隔的值,或者*来加载全部. 通过前缀-来组织check被加载.
[color=red]Note: check参照他们的文件名,不含rb后缀,使用--checks-list查看所有checks[/color]
例如:
arachni --checks=xss,sqli,path_traversal http://example.com/
arachni http://example.com/
arachni --checks=*,-backup_files,-xss http://example.com/(加载所有checks除了xss和backup_files)
[b]插件[/b]
[color=blue]列举 (--plugins-list)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
罗列所有可用的plugins.
[color=blue]加载 (--plugin)[/color]
Expects: string
Default: disabled
Multiple invocations?: yes
加载给定插件,配置参数
Note: 参照他们的文件名,不含rb后缀,使用--plugins-list查看所有
例如排除logout url以及使用autologin插件来登录程序:
arachni http://testfire.net --scope-page-limit=1 --checks=xss \
--plugin=autologin:url=http://testfire.net/bank/login.aspx,parameters='uid=jsmith&passw=Demo1234',check='Sign Off|MY ACCOUNT' \
--scope-exclude-pattern logout
[b]平台[/b]
[color=blue]列举 (--platforms-list)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
罗列所有可用平台
[b]Session[/b]
[color=blue]检查url (--session-check-url)[/color]
Expects: string
Default: disabled
Multiple invocations?: no
Requires: session-check-pattern
传递到这个选项的url将会被用于判断系统仍然登录到web应用程序
如果url的http响应体匹配session-check-pattern,那么表明系统是登录状态
[color=blue]Check模式 (--session-check-pattern)[/color]
Expects: string
Default: disabled
Multiple invocations?: no
Requires: session-check-url
一个正则表达式用于匹配session-check-url的body部分用于识别系统是否仍然是登录状态。匹配表明系统是登录状态
[b]Profiles[/b]
[color=blue]保存 (--profile-save-filepath)[/color]
Expects: filepath
Default: disabled
Multiple invocations?: no
允许保存当前配置, 所有传递的参数保存到Arachni Framework Profile(.afp)文件
[color=blue]加载 (--profile-load-filepath)[/color]
Expects: filepath
Default: disabled
Multiple invocations?: no
允许加载和运行一个保存的profile文件.
Note: 该选项不影响设置更多的选项或重新保存profile文件
[b]浏览器簇[/b]
[color=blue]Pool大小 (--browser-cluster-pool-size)[/color]
Expects: integer
Default: 6
Multiple invocations?: no
pool维护的浏览器进程的个数.
[color=blue]Job 超时 (--browser-cluster-job-timeout)[/color]
Expects: integer
Default: 120
Multiple invocations?: no
每个job的允许时间,单位秒
[color=blue]存活工作时间 (--browser-cluster-worker-time-to-live)[/color]
Expects: integer
Default: 100
Multiple invocations?: no
在进程重生之前每个进程应该处理的job数
Note: 主要用于防止一个浏览器进程占用太多RAM
[color=blue]忽略图片 (--browser-cluster-ignore-images)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
如果开启,浏览器不会加载图片
[color=blue]屏幕宽度 (--browser-cluster-screen-width)[/color]
Expects: integer
Default: 1600
Multiple invocations?: no
设置浏览器屏幕宽度
Note: 用于测试响应和web程序.
[color=blue]屏幕高度 (--browser-cluster-screen-height)[/color]
Expects: integer
Default: 1200
Multiple invocations?: no
设置浏览器屏幕高度
Note: 用于测试响应和web程序.
[b]报告[/b]
[color=blue]保存路径 (--report-save-path)[/color]
Expects: string
Default: .
Multiple invocations?: no
设置存储报告的路径
Note: 可以使用arachni_reporter命令来使用生成的文件来生成不同格式的报告
[b]快照[/b]
[color=blue]保存路径 (--snapshot-save-path)[/color]
Expects: string
Default: .
Multiple invocations?: no
设置暂停扫描的快照的保存路径
Note: 使用arachni_restore来指定快照开恢复扫描
[b]超时[/b]
[color=blue]超时 (--timeout)[/color]
Expects: hours:minutes:seconds
Default: infinite
Multiple invocations?: no
运行扫描的最大时间
[color=blue]暂停 (--timeout-suspend)[/color]
Expects: <n/a>
Default: disabled
Multiple invocations?: no
如果开启,那么当到达--timeout指定的时间时,扫描将会暂停,而不是中断。