Kali Linux Penetration Testing 075: Scanning Tools - w3af_console

These notes record in detail the process of learning and using Kali Linux 2017.1 for penetration testing; the material follows the "Kali Linux Penetration Testing" course from 安全牛课堂 (the Anquanniu classroom).

  1. Basic use of w3af_console
  2. w3af_console links:
    Installing w3af and setting up desktop and quick-launch shortcuts
    Kali Linux Penetration Testing (苑房弘) 076: Scanning Tools - w3af authentication
    Kali Linux Penetration Testing (苑房弘) 077: Scanning Tools - w3af intercepting proxy

1. Introduction to w3af_console

Official site: http://w3af.org/

Official user manual

  1. Plugin overview

    audit: these plugins send specially crafted PoC data to the injection points discovered by the crawl plugins in order to confirm whether a vulnerability exists.
    infrastructure: these plugins identify information about the target system, such as the installed WAF, the operating system and the HTTP daemon.
    grep: these plugins analyse the HTTP requests and responses sent by other plugins and identify vulnerabilities from them.
    evasion: modifies the HTTP requests generated by other plugins in order to evade simple intrusion detection rules.
    mangle: allows requests and responses to be modified based on regular expressions.
    auth: authentication plugins (detailed and generic, see the plugin list further down); authentication is covered in lesson 076.
    bruteforce: performs brute-force logins during the crawl phase.
    output: these plugins save the data produced by the other plugins to text, XML or HTML files. Debug information is also sent to the output plugins, where it can be saved and analysed. If both the text_file and xml_file output plugins are enabled, both will record every vulnerability found by the audit plugins.
    crawl: finds new URLs by crawling the web site. If the user enables several crawl plugins, a loop results: plugin A finds a new URL on its first run and w3af passes it to plugin B; if plugin B finds a new URL, it is passed back to plugin A. This continues until every plugin has run and no new information can be found.
    attack: if an audit plugin finds a vulnerability, the attack plugins exploit it, typically returning a shell on the remote server or, in the case of SQL injection, retrieving data from the database.
    
  2. Installing and configuring w3af on Kali 2.0

    1. Installation
        cd ~
        apt-get update
        apt-get install -y python-pip w3af
        pip install --upgrade pip
        git clone https://github.com/andresriancho/w3af.git
        cd w3af
        ./w3af_console (or ./w3af_gui)    # the first run reports the missing dependencies and writes /tmp/w3af_dependency_install.sh
        apt-get build-dep python-lxml
        . /tmp/w3af_dependency_install.sh
    2. Upgrading
        git pull
    3. Installing w3af on Kali Linux 2017.1

    Link: Installing w3af and setting up desktop and quick-launch shortcuts

  3. Quick-launching w3af

    1. Create a desktop shortcut (copy an existing entry or create the kali-w3af.desktop file by hand)
        root@attacker:~# cp /usr/share/applications/kali-burpsuite.desktop /root/Desktop/
        root@attacker:~# cd Desktop
        root@kali:~/Desktop# cat kali-burpsuite.desktop 
            [Desktop Entry]
            Name=burpsuite
            Encoding=UTF-8
            Exec=sh -c "java -jar /usr/bin/burpsuite"
            Icon=kali-burpsuite.png
            StartupNotify=false
            Terminal=false
            Type=Application
            Categories=03-webapp-analysis;03-06-web-application-proxies;
            X-Kali-Package=burpsuite
    
        root@kali:~/Desktop# vim kali-w3af.desktop 
            [Desktop Entry]
            Name=w3af
            Encoding=UTF-8
            Exec=sh -c "/usr/local/src/w3af/w3af_gui"
            Icon=/usr/local/src/w3af/w3af/core/ui/gui/data/w3af_logo.png
            StartupNotify=false
            Terminal=false
            Type=Application
            Categories=03-webapp-analysis;03-05-web-vulnerability-scanners;
            X-Kali-Package=w3af
    
        root@attacker:~/Desktop# chmod +x kali-w3af.desktop    # make the file executable
        root@kali:~/Desktop# cp kali-w3af.desktop /usr/share/applications/
        # a w3af icon now appears in the application menu for quick launching
    
    2. Create a command-line quick launch (using shell aliases)
        root@attacker:~# vim .bashrc 
            alias w3af_console='/usr/local/src/w3af/w3af_console'    # same checkout path as the desktop entry above
            alias w3af_gui='/usr/local/src/w3af/w3af_gui'
        root@attacker:~# source .bashrc    # reload the shell configuration
        root@attacker:~# w3af_console 
            w3af>>> 
    
  4. w3af_console help

    help                              # list the available commands
    plugins                           # enter the plugins sub-menu
        help                          # list the available commands
        list audit                    # list every audit plugin
        audit sqli xss                # enable the audit plugins to use
    http-settings / misc-settings     # global configuration
        help                          # list the available commands
        view                          # show the configurable parameters
        set                           # set a parameter
        back                          # return to the previous menu
    profiles
        save_as test self-contained   # save the current configuration as profile "test"; self-contained embeds the wordlists and other files so nothing is missing when the profile is shared with others
    target
        set target http://1.1.1.1/
    start
    script                            # a scan can also be driven from a script file: ./w3af_console -s script.w3af
        script/*.w3af
    
  5. w3af_console hands-on

    • Startup and help

      root@attacker:~# w3af_console 
      w3af>>> help
          |----------------------------------------------------------------------------------------------------------------------------------|
          | start             | Start the scan.                                                                                              |
          | plugins           | Enable and configure plugins.                                                                                |
          | exploit           | Exploit the vulnerability.                                                                                   |
          | profiles          | List and use scan profiles.                                                                                  |
          | cleanup           | Cleanup before starting a new scan.                                                                          |
          |----------------------------------------------------------------------------------------------------------------------------------|
          | help              | Display help. Issuing: help [command] , prints more specific help about "command"                            |
          | version           | Show w3af version information.                                                                               |
          | keys              | Display key shortcuts.                                                                                       |
          |----------------------------------------------------------------------------------------------------------------------------------|
          | http-settings     | Configure the HTTP settings of the framework.                                                                |
          | misc-settings     | Configure w3af misc settings.                                                                                |
          | target            | Configure the target URL.                                                                                    |
          |----------------------------------------------------------------------------------------------------------------------------------|
          | back              | Go to the previous menu.                                                                                     |
          | exit              | Exit w3af.                                                                                                   |
          |----------------------------------------------------------------------------------------------------------------------------------|
          | kb                | Browse the vulnerabilities stored in the Knowledge Base                                                      |
          |----------------------------------------------------------------------------------------------------------------------------------|
      
    • plugins module

      w3af>>> plugins 
      w3af/plugins>>> help
          |-----------------------------------------------------------------------------------------------------------------------------------|
          | list                         | List available plugins.                                                                            |
          |-----------------------------------------------------------------------------------------------------------------------------------|
          | back                         | Go to the previous menu.                                                                           |
          | exit                         | Exit w3af.                                                                                         |
          |-----------------------------------------------------------------------------------------------------------------------------------|
          | evasion                      | View, configure and enable evasion plugins                                                         |
          | auth                         | View, configure and enable auth plugins                                                            |
          | grep                         | View, configure and enable grep plugins                                                            |
          | audit                        | View, configure and enable audit plugins                                                           |
          | bruteforce                   | View, configure and enable bruteforce plugins                                                      |
          | output                       | View, configure and enable output plugins                                                          |
          | crawl                        | View, configure and enable crawl plugins                                                           |
          | infrastructure               | View, configure and enable infrastructure plugins                                                  |
          | mangle                       | View, configure and enable mangle plugins                                                          |
          |-----------------------------------------------------------------------------------------------------------------------------------|
      w3af/plugins>>> list auth 
          |---------------------------------------------------------------------------------------------------------------------------------|
          | Plugin name               | Status        | Conf      | Description                                                             |
          |---------------------------------------------------------------------------------------------------------------------------------|
          | detailed                  |               | Yes       | Detailed authentication plugin.                                         |
          | generic                   |               | Yes       | Generic authentication plugin.                                          |
          |---------------------------------------------------------------------------------------------------------------------------------|
      w3af/plugins>>> list audit 
          |---------------------------------------------------------------------------------------------------------------------------------|
          | Plugin name         | Status | Conf | Description                                                                               |
          |---------------------------------------------------------------------------------------------------------------------------------|
          | blind_sqli          |        | Yes  | Identify blind SQL injection vulnerabilities.                                             |
          | buffer_overflow     |        |      | Find buffer overflow vulnerabilities.                                                     |
          | cors_origin         |        | Yes  | Inspect if application checks that the value of the "Origin" HTTP header isconsistent     |
          |                     |        |      | with the value of the remote IP address/Host of the sender ofthe incoming HTTP request.   |
          | csrf                |        |      | Identify Cross-Site Request Forgery vulnerabilities.                                      |
          | dav                 |        |      | Verify if the WebDAV module is properly configured.                                       |
          | eval                |        | Yes  | Find insecure eval() usage.                                                               |
          | file_upload         |        | Yes  | Uploads a file and then searches for the file inside all known directories.               |
          | format_string       |        |      | Find format string vulnerabilities.                                                       |
          | frontpage           |        |      | Tries to upload a file using frontpage extensions (author.dll).                           |
          | generic             |        | Yes  | Find all kind of bugs without using a fixed error database.                               |
          | global_redirect     |        |      | Find scripts that redirect the browser to any site.                                       |
          | htaccess_methods    |        |      | Find misconfigurations in Apache's "<LIMIT>" configuration.                               |
          | ldapi               |        |      | Find LDAP injection bugs.                                                                 |
          | lfi                 |        |      | Find local file inclusion vulnerabilities.                                                |
          | memcachei           |        |      | No description available for this plugin.                                                 |
          | mx_injection        |        |      | Find MX injection vulnerabilities.                                                        |
          | os_commanding       |        |      | Find OS Commanding vulnerabilities.                                                       |
          | phishing_vector     |        |      | Find phishing vectors.                                                                    |
          | preg_replace        |        |      | Find unsafe usage of PHPs preg_replace.                                                   |
          | redos               |        |      | Find ReDoS vulnerabilities.                                                               |
          | response_splitting  |        |      | Find response splitting vulnerabilities.                                                  |
          | rfd                 |        |      | Identify reflected file download vulnerabilities.                                         |
          | rfi                 |        | Yes  | Find remote file inclusion vulnerabilities.                                               |
          | rosetta_flash       |        |      | Find Rosetta Flash vulnerabilities in JSONP endpoints                                     |
          | shell_shock         |        |      | Find shell shock vulnerabilities.                                                         |
          | sqli                |        |      | Find SQL injection bugs.                                                                  |
          | ssi                 |        |      | Find server side inclusion vulnerabilities.                                               |
          | ssl_certificate     |        | Yes  | Check the SSL certificate validity (if https is being used).                              |
          | un_ssl              |        |      | Find out if secure content can also be fetched using http.                                |
          | websocket_hijacking |        |      | Detect Cross-Site WebSocket hijacking vulnerabilities.                                    |
          | xpath               |        |      | Find XPATH injection vulnerabilities.                                                     |
          | xss                 |        | Yes  | Identify cross site scripting vulnerabilities.                                            |
          | xst                 |        |      | Find Cross Site Tracing vulnerabilities.                                                  |
          |---------------------------------------------------------------------------------------------------------------------------------|
      w3af/plugins>>> audit xss sqli lfi  (enable these three audit plugins)
      w3af/plugins>>> list audit (the status of those three plugins now shows Enabled)
          |----------------------------------------------------------------------------------------------------------------------------------|
          | Plugin name         | Status  | Conf | Description                                                                               |
          |----------------------------------------------------------------------------------------------------------------------------------|
          | blind_sqli          |         | Yes  | Identify blind SQL injection vulnerabilities.                                             |
          | buffer_overflow     |         |      | Find buffer overflow vulnerabilities.                                                     |
          | cors_origin         |         | Yes  | Inspect if application checks that the value of the "Origin" HTTP header isconsistent     |
          |                     |         |      | with the value of the remote IP address/Host of the sender ofthe incoming HTTP request.   |
          | csrf                |         |      | Identify Cross-Site Request Forgery vulnerabilities.                                      |
          | dav                 |         |      | Verify if the WebDAV module is properly configured.                                       |
          | eval                |         | Yes  | Find insecure eval() usage.                                                               |
          | file_upload         |         | Yes  | Uploads a file and then searches for the file inside all known directories.               |
          | format_string       |         |      | Find format string vulnerabilities.                                                       |
          | frontpage           |         |      | Tries to upload a file using frontpage extensions (author.dll).                           |
          | generic             |         | Yes  | Find all kind of bugs without using a fixed error database.                               |
          | global_redirect     |         |      | Find scripts that redirect the browser to any site.                                       |
          | htaccess_methods    |         |      | Find misconfigurations in Apache's "<LIMIT>" configuration.                               |
          | ldapi               |         |      | Find LDAP injection bugs.                                                                 |
          | lfi                 | Enabled |      | Find local file inclusion vulnerabilities.                                                |
          | memcachei           |         |      | No description available for this plugin.                                                 |
          | mx_injection        |         |      | Find MX injection vulnerabilities.                                                        |
          | os_commanding       |         |      | Find OS Commanding vulnerabilities.                                                       |
          | phishing_vector     |         |      | Find phishing vectors.                                                                    |
          | preg_replace        |         |      | Find unsafe usage of PHPs preg_replace.                                                   |
          | redos               |         |      | Find ReDoS vulnerabilities.                                                               |
          | response_splitting  |         |      | Find response splitting vulnerabilities.                                                  |
          | rfd                 |         |      | Identify reflected file download vulnerabilities.                                         |
          | rfi                 |         | Yes  | Find remote file inclusion vulnerabilities.                                               |
          | rosetta_flash       |         |      | Find Rosetta Flash vulnerabilities in JSONP endpoints                                     |
          | shell_shock         |         |      | Find shell shock vulnerabilities.                                                         |
          | sqli                | Enabled |      | Find SQL injection bugs.                                                                  |
          | ssi                 |         |      | Find server side inclusion vulnerabilities.                                               |
          | ssl_certificate     |         | Yes  | Check the SSL certificate validity (if https is being used).                              |
          | un_ssl              |         |      | Find out if secure content can also be fetched using http.                                |
          | websocket_hijacking |         |      | Detect Cross-Site WebSocket hijacking vulnerabilities.                                    |
          | xpath               |         |      | Find XPATH injection vulnerabilities.                                                     |
          | xss                 | Enabled | Yes  | Identify cross site scripting vulnerabilities.                                            |
          | xst                 |         |      | Find Cross Site Tracing vulnerabilities.                                                  |
          |----------------------------------------------------------------------------------------------------------------------------------|
      w3af/plugins>>> audit all (enable every audit plugin)
      w3af/plugins>>> list audit 
          |----------------------------------------------------------------------------------------------------------------------------------|
          | Plugin name         | Status  | Conf | Description                                                                               |
          |----------------------------------------------------------------------------------------------------------------------------------|
          | blind_sqli          | Enabled | Yes  | Identify blind SQL injection vulnerabilities.                                             |
          | buffer_overflow     | Enabled |      | Find buffer overflow vulnerabilities.                                                     |
          | cors_origin         | Enabled | Yes  | Inspect if application checks that the value of the "Origin" HTTP header isconsistent     |
          |                     |         |      | with the value of the remote IP address/Host of the sender ofthe incoming HTTP request.   |
          | csrf                | Enabled |      | Identify Cross-Site Request Forgery vulnerabilities.                                      |
          | dav                 | Enabled |      | Verify if the WebDAV module is properly configured.                                       |
          | eval                | Enabled | Yes  | Find insecure eval() usage.                                                               |
          | file_upload         | Enabled | Yes  | Uploads a file and then searches for the file inside all known directories.               |
          | format_string       | Enabled |      | Find format string vulnerabilities.                                                       |
          | frontpage           | Enabled |      | Tries to upload a file using frontpage extensions (author.dll).                           |
          | generic             | Enabled | Yes  | Find all kind of bugs without using a fixed error database.                               |
          | global_redirect     | Enabled |      | Find scripts that redirect the browser to any site.                                       |
          | htaccess_methods    | Enabled |      | Find misconfigurations in Apache's "<LIMIT>" configuration.                               |
          | ldapi               | Enabled |      | Find LDAP injection bugs.                                                                 |
          | lfi                 | Enabled |      | Find local file inclusion vulnerabilities.                                                |
          | memcachei           | Enabled |      | No description available for this plugin.                                                 |
          | mx_injection        | Enabled |      | Find MX injection vulnerabilities.                                                        |
          | os_commanding       | Enabled |      | Find OS Commanding vulnerabilities.                                                       |
          | phishing_vector     | Enabled |      | Find phishing vectors.                                                                    |
          | preg_replace        | Enabled |      | Find unsafe usage of PHPs preg_replace.                                                   |
          | redos               | Enabled |      | Find ReDoS vulnerabilities.                                                               |
          | response_splitting  | Enabled |      | Find response splitting vulnerabilities.                                                  |
          | rfd                 | Enabled |      | Identify reflected file download vulnerabilities.                                         |
          | rfi                 | Enabled | Yes  | Find remote file inclusion vulnerabilities.                                               |
          | rosetta_flash       | Enabled |      | Find Rosetta Flash vulnerabilities in JSONP endpoints                                     |
          | shell_shock         | Enabled |      | Find shell shock vulnerabilities.                                                         |
          | sqli                | Enabled |      | Find SQL injection bugs.                                                                  |
          | ssi                 | Enabled |      | Find server side inclusion vulnerabilities.                                               |
          | ssl_certificate     | Enabled | Yes  | Check the SSL certificate validity (if https is being used).                              |
          | un_ssl              | Enabled |      | Find out if secure content can also be fetched using http.                                |
          | websocket_hijacking | Enabled |      | Detect Cross-Site WebSocket hijacking vulnerabilities.                                    |
          | xpath               | Enabled |      | Find XPATH injection vulnerabilities.                                                     |
          | xss                 | Enabled | Yes  | Identify cross site scripting vulnerabilities.                                            |
          | xst                 | Enabled |      | Find Cross Site Tracing vulnerabilities.                                                  |
          |----------------------------------------------------------------------------------------------------------------------------------|
      w3af/plugins>>> grep all
      w3af/plugins>>> crawl web_spider 
      w3af/plugins>>> list crawl 
          |---------------------------------------------------------------------------------------------------------------------------------|
          | Plugin name                  | Status  | Conf | Description                                                                     |
          |---------------------------------------------------------------------------------------------------------------------------------|
          | archive_dot_org              |         | Yes  | Search archive.org to find new pages in the target site.                        |
          | bing_spider                  |         | Yes  | Search Bing to get a list of new URLs                                           |
          | content_negotiation          |         | Yes  | Use content negotiation to find new resources.                                  |
          | digit_sum                    |         | Yes  | Take an URL with a number (index2.asp) and try to find related                  |
          |                              |         |      | files(index1.asp, index3.asp).                                                  |
          | dir_file_bruter              |         | Yes  | Finds Web server directories and files by bruteforcing.                         |
          | dot_listing                  |         |      | Search for .listing files and extracts new filenames from it.                   |
          | dwsync_xml                   |         |      | Search Dream Waver Sync file (dwsync.xml) and extract referenced files.         |
          | find_backdoors               |         |      | Find web backdoors and web shells.                                              |
          | find_captchas                |         |      | Identify captcha images on web pages.                                           |
          | find_dvcs                    |         |      | Search Git, Mercurial (HG), Bazaar (BZR), Subversion (SVN) and CVSrepositories  |
          |                              |         |      | and checks for files containing                                                 |
          | genexus_xml                  |         |      | Analyze the execute.xml and DeveloperMenu.xml files and find new URLs           |
          | ghdb                         |         | Yes  | Search Google for vulnerabilities in the target site.                           |
          | google_spider                |         | Yes  | Search google using google API to get new URLs                                  |
          | import_results               |         | Yes  | Import HTTP requests found by output.export_requests and Burp                   |
          | oracle_discovery             |         |      | Find Oracle applications on the remote web server.                              |
          | phishtank                    |         |      | Search the phishtank.com database to determine if your server is (or was)being  |
          |                              |         |      | used in phishing scams.                                                         |
          | phpinfo                      |         |      | Search PHP Info file and if it finds it will determine the version of PHP.      |
          | pykto                        |         | Yes  | A nikto port to python.                                                         |
          | ria_enumerator               |         | Yes  | Fingerprint Rich Internet Apps - Google Gears Manifest files, Silverlight and   |
          |                              |         |      | Flash.                                                                          |
          | robots_txt                   |         |      | Analyze the robots.txt file and find new URLs                                   |
          | sitemap_xml                  |         |      | Analyze the sitemap.xml file and find new URLs                                  |
          | spider_man                   |         | Yes  | SpiderMan is a local proxy that will collect new URLs.                          |
          | url_fuzzer                   |         | Yes  | Try to find backups, and other related files.                                   |
          | urllist_txt                  |         |      | Analyze the urllist.txt file and find new URLs                                  |
          | user_dir                     |         |      | Identify user directories like "http://test/~user/" and infer the remote OS.    |
          | web_diff                     |         | Yes  | Compare a local directory with a remote URL path.                               |
          | web_spider                   | Enabled | Yes  | Crawl the web application.                                                      |
          | wordnet                      |         | Yes  | Use the wordnet lexical database to find new URLs.                              |
          | wordpress_enumerate_users    |         |      | Finds users in a WordPress installation.                                        |
          | wordpress_fingerprint        |         |      | Finds the version of a WordPress installation.                                  |
          | wordpress_fullpathdisclosure |         |      | Try to find the path where the WordPress is installed                           |
          | wsdl_finder                  |         |      | Find web service definitions files.                                             |
          |---------------------------------------------------------------------------------------------------------------------------------|
      w3af/plugins>>> back    (plugins selected; return to the top-level menu)
      
    • profiles module

      w3af>>> help
          |----------------------------------------------------------------------------------------------------------------------------------|
          | start             | Start the scan.                                                                                              |
          | plugins           | Enable and configure plugins.                                                                                |
          | exploit           | Exploit the vulnerability.                                                                                   |
          | profiles          | List and use scan profiles.                                                                                  |
          | cleanup           | Cleanup before starting a new scan.                                                                          |
          |----------------------------------------------------------------------------------------------------------------------------------|
          | help              | Display help. Issuing: help [command] , prints more specific help about "command"                            |
          | version           | Show w3af version information.                                                                               |
          | keys              | Display key shortcuts.                                                                                       |
          |----------------------------------------------------------------------------------------------------------------------------------|
          | http-settings     | Configure the HTTP settings of the framework.                                                                |
          | misc-settings     | Configure w3af misc settings.                                                                                |
          | target            | Configure the target URL.                                                                                    |
          |----------------------------------------------------------------------------------------------------------------------------------|
          | back              | Go to the previous menu.                                                                                     |
          | exit              | Exit w3af.                                                                                                   |
          |----------------------------------------------------------------------------------------------------------------------------------|
          | kb                | Browse the vulnerabilities stored in the Knowledge Base                                                      |
          |----------------------------------------------------------------------------------------------------------------------------------|
      w3af>>> profiles    (predefined scan profiles)
      w3af/profiles>>> list (list the currently available scan profiles)
          |----------------------------------------------------------------------------------------------------------------------------------|
          | Profile               | Description                                                                                              |
          |----------------------------------------------------------------------------------------------------------------------------------|
          | bruteforce            | Bruteforce form or basic authentication access controls using default credentials. To run this profile,  |
          |                       | set the target URL to the resource where the access control is, and then click on Start.                 |
          | audit_high_risk       | Perform a scan to only identify the vulnerabilities with higher risk, like SQL Injection, OS Commanding, |
          |                       | Insecure File Uploads, etc.                                                                              |
          | full_audit            | This profile performs a full audit of the target website, using only the web_spider plugin for crawling. |
          | OWASP_TOP10           | The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on      |
          |                       | improving the security of application software. OWASP searched for and published the ten most common     |
          |                       | security flaws. This profile search for this top 10 security flaws. For more information about the       |
          |                       | security flaws: http://www.owasp.org/index.php/OWASP_Top_Ten_Project .                                   |
          | fast_scan             | Perform a fast scan of the target site, using only a few discovery plugins and the fastest audit         |
          |                       | plugins.                                                                                                 |
          | empty_profile         | This is an empty profile that you can use to start a new configuration from.                             |
          | web_infrastructure    | Use all the available techniques in w3af to fingerprint the remote Web infrastructure.                   |
          | full_audit_spider_man | Perform a manual discovery using the spider_man plugin, and afterwards scan the site for any known       |
          |                       | vulnerabilities.                                                                                         |
          | sitemap               | Use different online techniques to create a fast sitemap of the target web application. This plugin will |
          |                       | only work if you've got Internet access and the target web application is being spidered by Yahoo!       |
          |----------------------------------------------------------------------------------------------------------------------------------|
      w3af/profiles>>> help          
          |----------------------------------------------------------------------------------------------------------------------------------|
          | use               | Use a profile.                                                                                               |
          | list              | List available profiles.                                                                                     |
          | save_as           | Save the current configuration to a profile.                                                                 |
          |----------------------------------------------------------------------------------------------------------------------------------|
          | back              | Go to the previous menu.                                                                                     |
          | exit              | Exit w3af.                                                                                                   |
          |----------------------------------------------------------------------------------------------------------------------------------|
      w3af/profiles>>> save_as (first go into plugins and enable the grep, crawl, etc. plugins you want, then save that selection from profiles with save_as)
          e.g.: w3af/profiles>>> save_as test01
          Parameter missing, please see the help:
          Save the current configuration to a profile.
          Syntax: save_as PROFILE_NAME                
          Example: save_as fast_scan
          Example: save_as fast_scan self-contained
      
          Please note that the save_as command will overwrite existing profiles with the
          same name.
      
          When the "self-contained" flag is set the profile will bundle all files referenced
          by the plugin configurations. This is useful for sharing custom profiles between
          different workstations. Disabled by default.
      w3af/profiles>>> use fast_scan 
          The plugins configured by the scan profile have been enabled, and their options configured.
          Please set the target URL(s) and start the scan.
      w3af/profiles>>> back
      
    • http-settings module

      w3af>>> http-settings (HTTP configuration options used by the scan)
      w3af/config:http-settings>>> help
          |----------------------------------------------------------------------------------------------------------------------------------|
          | view       | List the available options and their values.                                                                        |
          | set        | Set a parameter value.                                                                                              |
          | save       | Save the configured settings.                                                                                       |
          |----------------------------------------------------------------------------------------------------------------------------------|
          | back       | Go to the previous menu.                                                                                            |
          | exit       | Exit w3af.                                                                                                          |
          |----------------------------------------------------------------------------------------------------------------------------------|
      w3af/config:http-settings>>> view
          |--------------------------------------------------------------------------------------------------------------------------------|
          | Setting                 | Value    | Modified | Description                                                                    |
          |--------------------------------------------------------------------------------------------------------------------------------|
          | url_parameter           |          |          | URL parameter (http://host.tld/path;<parameter>)                               |
          | timeout                 | 0        |          | HTTP connection timeout                                                        |
          | headers_file            |          |          | HTTP headers filename which contains additional headers to be added in each    |
          |                         |          |          | request                                                                        |
          |--------------------------------------------------------------------------------------------------------------------------------|
          | cookie_jar_file         |          |          | Cookie Jar file holding HTTP cookies                                           |
          | ignore_session_cookies  | False    |          | Ignore session cookies                                                         |
          |--------------------------------------------------------------------------------------------------------------------------------|
          | ntlm_auth_url           |          |          | NTLM authentication domain (target domain name)                                |
          | ntlm_auth_user          |          |          | NTLM authentication username                                                   |
          | ntlm_auth_passwd        |          |          | NTLM authentication password                                                   |
          | ntlm_auth_domain        |          |          | NTLM authentication domain (windows domain name)                               |
          |--------------------------------------------------------------------------------------------------------------------------------|
          | rand_user_agent         | False    |          | Use random User-Agent header                                                   |
          | max_file_size           | 400000   |          | Maximum file size                                                              |
          | max_http_retries        | 2        |          | Maximum number of HTTP request retries                                         |
          | user_agent              | w3af.org |          | User Agent header                                                              |
          | max_requests_per_second | 0        |          | Maximum HTTP requests per second                                               |
          |--------------------------------------------------------------------------------------------------------------------------------|
          | string_match_404        |          |          | Tag HTTP response as 404 if the string is found in it's body                   |
          | always_404              |          |          | Comma separated list of URLs which will always be detected as 404 pages        |
          | never_404               |          |          | Comma separated list of URLs which will never be detected as 404 pages         |
          |--------------------------------------------------------------------------------------------------------------------------------|
          | proxy_port              | 8080     |          | Proxy TCP port                                                                 |
          | proxy_address           |          |          | Proxy IP address                                                               |
          |--------------------------------------------------------------------------------------------------------------------------------|
          | basic_auth_user         |          |          | Basic authentication username                                                  |
          | basic_auth_passwd       |          |          | Basic authentication password                                                  |
          | basic_auth_domain       |          |          | Basic authentication domain                                                    |
          |--------------------------------------------------------------------------------------------------------------------------------|
      w3af/config:http-settings>>> set rand_user_agent  True  (enable a random User-Agent header)
      w3af/config:http-settings>>> view
          |--------------------------------------------------------------------------------------------------------------------------------|
          | Setting                 | Value    | Modified | Description                                                                    |
          |--------------------------------------------------------------------------------------------------------------------------------|
          | url_parameter           |          |          | URL parameter (http://host.tld/path;<parameter>)                               |
          | timeout                 | 0        |          | HTTP connection timeout                                                        |
          | headers_file            |          |          | HTTP headers filename which contains additional headers to be added in each    |
          |                         |          |          | request                                                                        |
          |--------------------------------------------------------------------------------------------------------------------------------|
          | cookie_jar_file         |          |          | Cookie Jar file holding HTTP cookies                                           |
          | ignore_session_cookies  | False    |          | Ignore session cookies                                                         |
          |--------------------------------------------------------------------------------------------------------------------------------|
          | ntlm_auth_url           |          |          | NTLM authentication domain (target domain name)                                |
          | ntlm_auth_user          |          |          | NTLM authentication username                                                   |
          | ntlm_auth_passwd        |          |          | NTLM authentication password                                                   |
          | ntlm_auth_domain        |          |          | NTLM authentication domain (windows domain name)                               |
          |--------------------------------------------------------------------------------------------------------------------------------|
          | rand_user_agent         | True     | Yes      | Use random User-Agent header                                                   |
          | max_file_size           | 400000   |          | Maximum file size                                                              |
          | max_http_retries        | 2        |          | Maximum number of HTTP request retries                                         |
          | user_agent              | w3af.org |          | User Agent header                                                              |
          | max_requests_per_second | 0        |          | Maximum HTTP requests per second                                               |
          |--------------------------------------------------------------------------------------------------------------------------------|
          | string_match_404        |          |          | Tag HTTP response as 404 if the string is found in it's body                   |
          | always_404              |          |          | Comma separated list of URLs which will always be detected as 404 pages        |
          | never_404               |          |          | Comma separated list of URLs which will never be detected as 404 pages         |
          |--------------------------------------------------------------------------------------------------------------------------------|
          | proxy_port              | 8080     |          | Proxy TCP port                                                                 |
          | proxy_address           |          |          | Proxy IP address                                                               |
          |--------------------------------------------------------------------------------------------------------------------------------|
          | basic_auth_user         |          |          | Basic authentication username                                                  |
          | basic_auth_passwd       |          |          | Basic authentication password                                                  |
          | basic_auth_domain       |          |          | Basic authentication domain                                                    |
          |--------------------------------------------------------------------------------------------------------------------------------|
      w3af/config:http-settings>>> back
          The configuration has been saved.
      
    • misc-settings module

      w3af>>> misc-settings (miscellaneous settings)
      w3af/config:misc-settings>>> view 
          |---------------------------------------------------------------------------------------------------------------------------------|
          | Setting                 | Value                 | Modified | Description                                                        |
          |---------------------------------------------------------------------------------------------------------------------------------|
          | msf_location            | /opt/metasploit3/bin/ |          | Full path of Metasploit framework binary directory                 |
          |                         |                       |          | (/opt/metasploit3/bin/ in most linux installs)                     |
          |---------------------------------------------------------------------------------------------------------------------------------|
          | interface               | ppp0                  |          | Local interface name to use when sniffing, doing reverse           |
          |                         |                       |          | connections, etc.                                                  |
          | local_ip_address        | 10.10.10.128          |          | Local IP address to use when doing reverse connections             |
          |---------------------------------------------------------------------------------------------------------------------------------|
          | max_discovery_time      | 120                   |          | Maximum crawl time (minutes)                                       |
          | stop_on_first_exception | False                 |          | Stop scan after first unhandled exception                          |
          |---------------------------------------------------------------------------------------------------------------------------------|
          | form_id_action          | exclude               |          | Define the form_id_list filter behaviour                           |
          | non_targets             |                       |          | A comma separated list of URLs that w3af should ignore             |
          | form_id_list            | []                    |          | Filter forms to scan using form IDs                                |
          |---------------------------------------------------------------------------------------------------------------------------------|
          | fuzz_url_filenames      | False                 |          | Indicates if w3af plugins will send fuzzed file names in order to  |
          |                         |                       |          | find vulnerabilities                                               |
          | fuzz_url_parts          | False                 |          | Indicates if w3af plugins will send fuzzed URL parts in order to   |
          |                         |                       |          | find vulnerabilities                                               |
          | fuzzable_headers        |                       |          | A list with all fuzzable header names                              |
          | fuzzed_files_extension  | gif                   |          | Indicates the extension to use when fuzzing file content           |
          | form_fuzzing_mode       | tmb                   |          | Indicates what HTML form combo values w3af plugins will use: all,  |
          |                         |                       |          | tb, tmb, t, b                                                      |
          | fuzz_form_files         | True                  |          | Indicates if w3af plugins will send payloads in the content of     |
          |                         |                       |          | multipart/post form files.                                         |
          | fuzz_cookies            | False                 |          | Indicates if w3af plugins will use cookies as a fuzzable parameter |
          |---------------------------------------------------------------------------------------------------------------------------------|
      w3af/config:misc-settings>>> help
          |----------------------------------------------------------------------------------------------------------------------------------|
          | view       | List the available options and their values.                                                                        |
          | set        | Set a parameter value.                                                                                              |
          | save       | Save the configured settings.                                                                                       |
          |----------------------------------------------------------------------------------------------------------------------------------|
          | back       | Go to the previous menu.                                                                                            |
          | exit       | Exit w3af.                                                                                                          |
          |----------------------------------------------------------------------------------------------------------------------------------|
      w3af/config:misc-settings>>> back
          The configuration has been saved.
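The profiles, http-settings and misc-settings walkthroughs above (and the target module that follows) are all typed interactively, which is hard to repeat exactly. The bash script below is an added example, not code from the course or from the w3af project: it writes a w3af_console script that replays those steps (use the fast_scan profile, enable rand_user_agent, cap max_requests_per_second, set a connection timeout, exclude a logout URL via non_targets, set the target, start) and then runs it. Assumptions not taken from the page: that w3af_console accepts a script file through the -s option, and that the text_file output plugin exposes output_file and verbose options. The target 10.10.10.129 is the lab address used on the page; the /logout path is a constructed placeholder.

```shell
#!/usr/bin/env bash
# Added example: replay the profiles / http-settings / misc-settings / target
# steps from the walkthrough as a non-interactive w3af_console script.
# Assumptions (not from the page): "w3af_console -s FILE" runs a command script,
# and the text_file output plugin has output_file / verbose options.
set -eu

# make_w3af_script TARGET_URL SCRIPT_PATH REPORT_PATH [REQUESTS_PER_SECOND]
# Writes the command script and prints its path.
make_w3af_script() {
  local target="$1" script="$2" report="$3" rps="${4:-10}"
  cat > "$script" <<EOF
profiles
use fast_scan
back
plugins
output text_file
output config text_file
set output_file $report
set verbose False
back
back
http-settings
set rand_user_agent True
set max_requests_per_second $rps
set timeout 10
back
misc-settings
set non_targets ${target%/}/logout
back
target
set target $target
back
start
exit
EOF
  printf '%s\n' "$script"
}

# run_w3af_scan SCRIPT_PATH
# Runs the script with w3af_console when it is available; returns 2 otherwise
# so a wrapper can tell "no scanner here" apart from a scan failure.
run_w3af_scan() {
  local script="$1"
  local bin="${W3AF_CONSOLE:-./w3af_console}"
  if [ ! -x "$bin" ]; then
    echo "w3af_console not found at $bin; script written to $script but not run" >&2
    return 2
  fi
  "$bin" -s "$script"
}

# Constructed demo run: lab target from the page, report and script under /tmp.
if [ "${1:-}" = "--demo" ]; then
  s=$(make_w3af_script "http://10.10.10.129" /tmp/fast_scan.w3af /tmp/fast_scan_report.txt 5)
  cat "$s"
  run_w3af_scan "$s" || true
fi
```

Run it with `--demo` from the w3af checkout (or point W3AF_CONSOLE at the binary) to print the generated script and start the scan. Capping max_requests_per_second and excluding logout-style URLs through non_targets keeps the crawler from overwhelming a fragile lab host or logging out its own session halfway through the scan.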
      
    • target module

      w3af>>> target 
      w3af/config:target>>> help
          |----------------------------------------------------------------------------------------------------------------------------------|
          | view       | List the available options and their values.                                                                        |
          | set        | Set a parameter value.                                                                                              |
          | save       | Save the configured settings.                                                                                       |
          |----------------------------------------------------------------------------------------------------------------------------------|
          | back       | Go to the previous menu.                                                                                            |
          | exit       | Exit w3af.                                                                                                          |
          |----------------------------------------------------------------------------------------------------------------------------------|
      w3af/config:target>>> set target http://10.10.10.129
      w3af/config:target>>> view
          |-----------------------------------------------------------------------------------------------------------------------------------|
          | Setting          | Value               | Modified | Description                                                                   |
          |-----------------------------------------------------------------------------------------------------------------------------------|
          | target_framework | unknown             |          | Target programming framework (unknown/php/asp/asp.net/java/jsp/cfm/ruby/perl) |
          | target           | http://10.10.10.129 | Yes      | A comma separated list of URLs                                                |
          | target_os        | unknown             |          | Target operating system (unknown/unix/windows)                                |
          |-----------------------------------------------------------------------------------------------------------------------------------|
      w3af/config:target>>> back
          The configuration has been saved.
      Configuration done; it can be saved as a profile for reuse
      w3af>>> profiles 
      w3af/profiles>>> save_as test01
          Profile saved.
      w3af/profiles>>> back 
      
    • Start

      Once the configuration is complete, the scan can be started
      w3af>>> help
          |----------------------------------------------------------------------------------------------------------------------------------|
          | start             | Start the scan.                                                                                              |
          | plugins           | Enable and configure plugins.                                                                                |
          | exploit           | Exploit the vulnerability.                                                                                   |
          | profiles          | List and use scan profiles.                                                                                  |
          | cleanup           | Cleanup before starting a new scan.                                                                          |
          |----------------------------------------------------------------------------------------------------------------------------------|
          | help              | Display help. Issuing: help [command] , prints more specific help about "command"                            |
          | version           | Show w3af version information.                                                                               |
          | keys              | Display key shortcuts.                                                                                       |
          |----------------------------------------------------------------------------------------------------------------------------------|
          | http-settings     | Configure the HTTP settings of the framework.                                                                |
          | misc-settings     | Configure w3af misc settings.                                                                                |
          | target            | Configure the target URL.                                                                                    |
          |----------------------------------------------------------------------------------------------------------------------------------|
          | back              | Go to the previous menu.                                                                                     |
          | exit              | Exit w3af.                                                                                                   |
          |----------------------------------------------------------------------------------------------------------------------------------|
          | kb                | Browse the vulnerabilities stored in the Knowledge Base                                                      |
          |----------------------------------------------------------------------------------------------------------------------------------|
      w3af>>> start

    • Script files

      root@attacker:~# cd /usr/local/src/
      root@attacker:/usr/local/src# ls
      circle.yml libjavascriptcoregtk-1.0-0_2.4.11-3_amd64.deb python-support_1.0.15_all.deb scripts w3af_api w3afgui
      doc libwebkitgtk-1.0-0_2.4.11-3_amd64.deb python-webkit_1.1.8-3_amd64.deb tools w3afconsole w3af_gui
      extras profiles README.md w3af w3af_console wXf-master
      root@attacker:/usr/local/src# cd scripts/
      root@attacker:/usr/local/src/scripts# ls
      allowed_methods.w3af file_upload_shell.w3af profile-fast_scan.w3af
      all.w3af frontpage_version.w3af remote_file_include_local_ws.w3af
      auth_detailed.w3af header_fuzzing.w3af remote_file_include_proxy.w3af
      bing_spider.w3af html_output.w3af remote_file_include_shell.w3af
      blind_sqli_detection.w3af list_all_plugins.w3af remote_file_include_shell-xss.w3af
      cookie_fuzzing.w3af local_file_include-payload.w3af remote_file_include_w3af_site.w3af
      cross_domain.w3af local_file_include.w3af spider_man.w3af
      csrf.w3af login_brute_form_GET.w3af sqli.w3af
      dav_shell.w3af login_brute_password_only.w3af sqlmap_exploit_int.w3af
      detect_transparent_proxy.w3af mangle_request.w3af targets_from_file.w3af
      digit_sum.w3af mangle_response.w3af web_spider-ignore_regex.w3af
      eval_shell.w3af os_commanding-lnx-vdaemon.w3af web_spider-only_forward.w3af
      eval.w3af os_commanding-lnx-w3afAgent.w3af web_spider.w3af
      exploit_all.w3af os_commanding_shell.w3af xss_simple.w3af
      exploit_fast.w3af os_commanding.w3af xss_stored.w3af
      filename_xss.w3af php_sca-payload.w3af
      root@attacker:/usr/local/src/scripts# cat sqli.w3af
      # This is a demo of the attack plugin sql_shell
      plugins
      output console,text_file
      output config text_file
      set output_file output-w3af.txt
      set verbose True
      back
      output config console
      set verbose False
      back
      audit sqli
      crawl web_spider
      crawl config web_spider
      set only_forward True
      back
      grep path_disclosure
      back
      target
      set target http://moth/w3af/audit/sql_injection/select/sql_injection_string.php?name=andres
      back
      start
      bug-report
      details 0
      back
      exit
      root@attacker:/usr/local/src# ./w3afconsole -s ./scripts/sqli.w3af
      w3af>>> plugins
      w3af/plugins>>> output console,text_file
      w3af/plugins>>> output config text_file
      w3af/plugins/output/config:text_file>>> set output_file output-w3af.txt
      w3af/plugins/output/config:text_file>>> set verbose True
      w3af/plugins/output/config:text_file>>> back
      The configuration has been saved.
      w3af/plugins>>> output config console
      w3af/plugins/output/config:console>>> set verbose False
      w3af/plugins/output/config:console>>> back
      The configuration has been saved.
      w3af/plugins>>> audit sqli
      w3af/plugins>>> crawl web_spider
      w3af/plugins>>> crawl config web_spider
      w3af/plugins/crawl/config:web_spider>>> set only_forward True
      w3af/plugins/crawl/config:web_spider>>> back
      The configuration has been saved.
      w3af/plugins>>> grep path_disclosure
      w3af/plugins>>> back
      w3af>>> target
      w3af/config:target>>> set target http://moth/w3af/audit/sql_injection/select/sql_injection_string.php?name=andres
      w3af/config:target>>> back
      The configuration has been saved.
      w3af>>> start
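      Both the interactive walkthrough above (target, profile, start) and a .w3af script run with `-s` are the same thing: a sequence of console commands that walk a menu tree, where every `plugins`, `<type> config <name>` or `target` enters a submenu and `back` leaves it, and `start` only works from the top level. A script that forgets a `back`, or issues `set` before entering the plugin's config menu, does not error out loudly; it simply configures nothing. The checker below is an added example, not code from w3af or from the original post. It replays a script against a small model of the console's menus (an assumption that covers only the commands shown on this page, not w3af's real menu implementation), reproduces the prompts seen in the transcript above, and reports the structural mistakes. Its SAMPLE_SCRIPT is the page's sqli.w3af with the console-verbosity block and the post-scan bug-report lines left out; BROKEN_SCRIPT is a constructed script with two typical mistakes.

```python
"""Static checker for w3af console scripts (the *.w3af files run with -s).
Added example, not code from w3af or from the original post: it replays a
script against a model of the console's menu stack, records the prompt w3af
would print before each line (e.g. w3af/plugins/output/config:text_file>>>)
and flags mistakes that make a scripted scan fail or scan nothing. The menu
model is an assumption covering only the commands used on this page.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PLUGIN_TYPES = {"audit", "infrastructure", "grep", "evasion", "mangle",
                "auth", "bruteforce", "output", "crawl"}
TOP_CONFIG = {"target", "http-settings", "misc-settings"}  # enter config:<name>
TOP_MENUS = {"plugins", "profiles", "exploit", "kb"}
TOP_SIMPLE = {"help", "version", "keys", "cleanup", "exit"}

# Constructed sample: the page's sqli.w3af minus console-verbosity and bug-report lines.
SAMPLE_SCRIPT = """\
plugins
output console,text_file
output config text_file
set output_file output-w3af.txt
set verbose True
back
audit sqli
crawl web_spider
crawl config web_spider
set only_forward True
back
grep path_disclosure
back
target
set target http://moth/w3af/audit/sql_injection/select/sql_injection_string.php?name=andres
back
start
"""
# Constructed sample with two common mistakes: `set` without first entering
# the plugin's config menu, and `start` before returning to the top level.
BROKEN_SCRIPT = "plugins\ncrawl web_spider\nset only_forward True\nstart\n"


@dataclass
class ConsoleState:
    menu: List[str] = field(default_factory=list)                # [] = top level
    enabled: Dict[str, List[str]] = field(default_factory=dict)  # plugin type -> names
    settings: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (menu, option)
    errors: List[str] = field(default_factory=list)
    trace: List[Tuple[str, str]] = field(default_factory=list)   # (prompt, line)

    def prompt(self) -> str:
        return "w3af" + "".join("/" + m for m in self.menu) + ">>>"


def simulate(script: str) -> ConsoleState:
    st = ConsoleState()
    for n, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        st.trace.append((st.prompt(), line))
        cmd, *args = line.split()
        in_config = bool(st.menu) and "config:" in st.menu[-1]
        if cmd == "back" and st.menu:
            st.menu.pop()
        elif cmd == "back":
            st.errors.append(f"line {n}: back at the top-level menu")
        elif cmd == "start" and st.menu:
            st.errors.append(f"line {n}: start issued from {st.prompt()}; add back first")
        elif cmd == "set":                          # only valid inside a config menu
            if in_config and len(args) >= 2:
                st.settings[(st.menu[-1], args[0])] = " ".join(args[1:])
            else:
                st.errors.append(f"line {n}: bad set at {st.prompt()}: {line}")
        elif st.menu == ["plugins"]:
            if cmd not in PLUGIN_TYPES and cmd != "list":
                st.errors.append(f"line {n}: {cmd!r} is not valid in the plugins menu")
            elif len(args) == 2 and args[0] == "config":
                st.menu.append(f"{cmd}/config:{args[1]}")    # e.g. output/config:text_file
            elif len(args) == 1:                              # e.g. output console,text_file
                st.enabled.setdefault(cmd, []).extend(args[0].split(","))
        elif st.menu:
            pass                      # view/save in config menus, profiles, exploit, kb
        elif cmd in TOP_CONFIG:
            st.menu.append("config:" + cmd)
        elif cmd in TOP_MENUS:
            st.menu.append(cmd)
        elif cmd == "start":
            if ("config:target", "target") not in st.settings:
                st.errors.append(f"line {n}: start with no target set")
        elif cmd not in TOP_SIMPLE:
            st.errors.append(f"line {n}: top-level command {cmd!r} is not modelled")
    return st


def report(script: str) -> List[str]:
    """Transcript as w3af_console -s would echo it, followed by any errors."""
    st = simulate(script)
    return [f"{p} {l}" for p, l in st.trace] + [f"ERROR {e}" for e in st.errors]
```

      `report(SAMPLE_SCRIPT)` yields the same prompt-prefixed lines as the transcript above (for example `w3af/plugins/output/config:text_file>>> set output_file output-w3af.txt`) and no errors, while `report(BROKEN_SCRIPT)` ends with two ERROR lines: the `set` at the `w3af/plugins>>>` prompt and the `start` issued before `back`. Running such a check before `./w3af_console -s script.w3af` is cheap; the real console prints only "Unknown command" for these mistakes and carries on, so a long scan can finish having tested nothing.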
