Preface
w3af (web application attack and audit framework)
- written in Python
- aims to find and exploit web application vulnerabilities
- fairly heavyweight compared with single-purpose scanners
Plugin types:
- audit: these plugins send crafted proof-of-concept payloads to the injection points discovered by the crawl plugins to confirm whether a vulnerability is actually present.
- infrastructure: these plugins identify information about the target system, such as the WAF in front of it, the operating system and the HTTP daemon.
- grep: these plugins analyse the HTTP requests and responses sent by other plugins and flag vulnerabilities found in them.
- evasion: modify the HTTP requests generated by other plugins in order to get past simple intrusion-detection rules.
- mangle: allow requests and responses to be rewritten with regular expressions.
- auth: authenticate to the target (for example by submitting a login form) so that the other plugins scan as a logged-in user.
- bruteforce: brute-force the login forms found during the crawl phase.
- output: these plugins write the other plugins' data to text, XML or HTML files. Debug messages are also sent to the output plugins and can be stored and analysed. If both the text_file and xml_file output plugins are enabled, each of them records every vulnerability found by the audit plugins.
- crawl: discover new URLs by spidering the site. If more than one crawl plugin is enabled, a loop results: when plugin A finds a new URL on its first run, w3af hands that URL to plugin B; if plugin B finds a new URL, it is handed back to plugin A. This continues until every plugin has run and no plugin can find any new information.
- attack: if an audit plugin finds a vulnerability, the attack plugins exploit it, typically returning a shell on the remote server or, for SQL injection, extracting data from the database.
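The crawl loop described above, as an added illustration that is not w3af's own code: two stand-in crawl plugins (a hypothetical link follower and a hypothetical directory guesser, fed a constructed link graph instead of real HTTP responses) are driven from one work queue until neither can produce a URL that has not already been seen. The `seen` bookkeeping is what lets the loop terminate even though the plugins keep rediscovering each other's output, and the example adds the scope check a real scan needs so that an off-site link is not followed.

```python
from collections import deque
from typing import Callable, Dict, Iterable, List

# A crawl plugin takes one URL and yields the URLs it discovers from it.
CrawlPlugin = Callable[[str], Iterable[str]]

TARGET = "http://target.example/"  # hypothetical target used for the walk-through

# Constructed link graph standing in for the HTTP responses a real spider would fetch.
SITE_LINKS = {
    TARGET: [TARGET + "login", TARGET + "about", "https://cdn.example/app.js"],
    TARGET + "login": [TARGET],
    TARGET + "about": [TARGET + "team"],
    TARGET + "team": [TARGET + "about"],  # cycle: about <-> team
}


def web_spider(url: str) -> Iterable[str]:
    """Stand-in for a link-following spider: return the links in the page body."""
    return SITE_LINKS.get(url, [])


def dir_file_bruter(url: str) -> Iterable[str]:
    """Stand-in for a directory guesser: propose common names beside `url`."""
    base = url.rsplit("/", 1)[0] + "/"
    return [base + name for name in ("admin", "backup")]


def in_scope(url: str) -> bool:
    """Only URLs under the configured target are queued; off-site links are dropped."""
    return url.startswith(TARGET)


def crawl(start: str, plugins: List[CrawlPlugin]) -> Dict[str, str]:
    """Run every plugin on every known URL until no plugin finds a new one.

    Returns {url: name of the plugin that first discovered it}.  A URL is
    queued at most once, so the about<->team cycle and the plugins feeding
    each other's results cannot loop forever; the loop ends at the fixpoint
    where the queue is empty.
    """
    found_by = {start: "target"}
    queue = deque([start])
    while queue:
        url = queue.popleft()
        for plugin in plugins:
            for new_url in plugin(url):
                if in_scope(new_url) and new_url not in found_by:
                    found_by[new_url] = plugin.__name__
                    queue.append(new_url)
    return found_by


if __name__ == "__main__":
    for url, origin in crawl(TARGET, [web_spider, dir_file_bruter]).items():
        print(f"{origin:16} {url}")
```

Running it lists six in-scope URLs: the target itself, three found by the spider (one of them, `/team`, only reachable through a page the spider found on an earlier round) and two proposed by the directory guesser; the CDN link is never queued.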
1. Installation
For installation, see:
https://blog.csdn.net/kevinhanser/article/details/78010003
https://blog.csdn.net/deng_xj/article/details/87753112
2. Basics
The help screen
root@attacker:~# w3af_console
w3af>>> help
|----------------------------------------------------------------------------------------------------------------------------------|
| start | Start the scan. |
| plugins | Enable and configure plugins. |
| exploit | Exploit the vulnerability. |
| profiles | List and use scan profiles. |
| cleanup | Cleanup before starting a new scan. |
|----------------------------------------------------------------------------------------------------------------------------------|
| help | Display help. Issuing: help [command] , prints more specific help about "command" |
| version | Show w3af version information. |
| keys | Display key shortcuts. |
|----------------------------------------------------------------------------------------------------------------------------------|
| http-settings | Configure the HTTP settings of the framework. |
| misc-settings | Configure w3af misc settings. |
| target | Configure the target URL. |
|----------------------------------------------------------------------------------------------------------------------------------|
| back | Go to the previous menu. |
| exit | Exit w3af. |
|----------------------------------------------------------------------------------------------------------------------------------|
| kb | Browse the vulnerabilities stored in the Knowledge Base |
|----------------------------------------------------------------------------------------------------------------------------------|
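The same commands can be placed in a script file and run non-interactively, which is how repeatable scans are usually driven. The script below is an added example, not from this page or the w3af project: it assumes the target URL http://target.example/ and the output path /tmp/w3af-target.txt, enables the web_spider crawl plugin and the xss, sqli and lfi audit plugins, and writes findings to both the console and a text file. Plugin names in a list are separated by commas, which is the form the scripts bundled with w3af use.

```text
plugins
output console, text_file
output config text_file
set output_file /tmp/w3af-target.txt
set verbose True
back
crawl web_spider
crawl config web_spider
set only_forward True
back
audit xss, sqli, lfi
back
target
set target http://target.example/
back
start
exit
```

Save it as scan-target.w3af and run it with `w3af_console -s scan-target.w3af`. `only_forward` keeps web_spider inside the path given as target, so the scan does not wander into parts of the host you are not authorised to test; every vulnerability the audit plugins confirm ends up in the text file as well as in the knowledge base browsable with `kb`.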
The plugins menu
w3af>>> plugins
w3af/plugins>>> help
|-----------------------------------------------------------------------------------------------------------------------------------|
| list | List available plugins. |
|-----------------------------------------------------------------------------------------------------------------------------------|
| back | Go to the previous menu. |
| exit | Exit w3af. |
|-----------------------------------------------------------------------------------------------------------------------------------|
| evasion | View, configure and enable evasion plugins |
| auth | View, configure and enable auth plugins |
| grep | View, configure and enable grep plugins |
| audit | View, configure and enable audit plugins |
| bruteforce | View, configure and enable bruteforce plugins |
| output | View, configure and enable output plugins |
| crawl | View, configure and enable crawl plugins |
| infrastructure | View, configure and enable infrastructure plugins |
| mangle | View, configure and enable mangle plugins |
|-----------------------------------------------------------------------------------------------------------------------------------|
w3af/plugins>>> list auth
|---------------------------------------------------------------------------------------------------------------------------------|
| Plugin name | Status | Conf | Description |
|---------------------------------------------------------------------------------------------------------------------------------|
| detailed | | Yes | Detailed authentication plugin. |
| generic | | Yes | Generic authentication plugin. |
|---------------------------------------------------------------------------------------------------------------------------------|
w3af/plugins>>> list audit
|---------------------------------------------------------------------------------------------------------------------------------|
| Plugin name | Status | Conf | Description |
|---------------------------------------------------------------------------------------------------------------------------------|
| blind_sqli | | Yes | Identify blind SQL injection vulnerabilities. |
| buffer_overflow | | | Find buffer overflow vulnerabilities. |
| cors_origin | | Yes | Inspect if application checks that the value of the "Origin" HTTP header is consistent |
| | | | with the value of the remote IP address/Host of the sender of the incoming HTTP request. |
| csrf | | | Identify Cross-Site Request Forgery vulnerabilities. |
| dav | | | Verify if the WebDAV module is properly configured. |
| eval | | Yes | Find insecure eval() usage. |
| file_upload | | Yes | Uploads a file and then searches for the file inside all known directories. |
| format_string | | | Find format string vulnerabilities. |
| frontpage | | | Tries to upload a file using frontpage extensions (author.dll). |
| generic | | Yes | Find all kind of bugs without using a fixed error database. |
| global_redirect | | | Find scripts that redirect the browser to any site. |
| htaccess_methods | | | Find misconfigurations in Apache's "<LIMIT>" configuration. |
| ldapi | | | Find LDAP injection bugs. |
| lfi | | | Find local file inclusion vulnerabilities. |
| memcachei | | | No description available for this plugin. |
| mx_injection | | | Find MX injection vulnerabilities. |
| os_commanding | | | Find OS Commanding vulnerabilities. |
| phishing_vector | | | Find phishing vectors. |
| preg_replace | | | Find unsafe usage of PHPs preg_replace. |
| redos | | | Find ReDoS vulnerabilities. |
| response_splitting | | | Find response splitting vulnerabilities. |
| rfd | | | Identify reflected file download vulnerabilities. |
| rfi | | Yes | Find remote file inclusion vulnerabilities. |
| rosetta_flash | | | Find Rosetta Flash vulnerabilities in JSONP endpoints |
| shell_shock | | | Find shell shock vulnerabilities. |
| sqli | | | Find SQL injection bugs. |
| ssi | | | Find server side inclusion vulnerabilities. |
| ssl_certificate | | Yes | Check the SSL certificate validity (if https is being used). |
| un_ssl | | | Find out if secure content can also be fetched using http. |
| websocket_hijacking | | | Detect Cross-Site WebSocket hijacking vulnerabilities. |
| xpath | | | Find XPATH injection vulnerabilities. |
| xss | | Yes | Identify cross site scripting vulnerabilities. |
| xst | | | Find Cross Site Tracing vulnerabilities. |
|---------------------------------------------------------------------------------------------------------------------------------|
w3af/plugins>>> audit xss sqli lfi #enable these three audit plugins
w3af/plugins>>> list audit #the Status column of those plugins now shows Enabled
|----------------------------------------------------------------------------------------------------------------------------------|
| Plugin name | Status | Conf | Description |
|----------------------------------------------------------------------------------------------------------------------------------|
| blind_sqli | | Yes | Identify blind SQL injection vulnerabilities. |
| buffer_overflow | | | Find buffer overflow vulnerabilities. |
| cors_origin | | Yes | Inspect if application checks that the value of the "Origin" HTTP header is consistent |
| | | | with the value of the remote IP address/Host of the sender of the incoming HTTP request. |
| csrf | | | Identify Cross-Site Request Forgery vulnerabilities. |
| dav | | | Verify if the WebDAV module is properly configured. |
| eval | | Yes | Find insecure eval() usage. |
| file_upload | | Yes | Uploads a file and then searches for the file inside all known directories. |
| format_string | | | Find format string vulnerabilities. |
| frontpage | | | Tries to upload a file using frontpage extensions (author.dll). |
| generic | | Yes | Find all kind of bugs without using a fixed error database. |
| global_redirect | | | Find scripts that redirect the browser to any site. |
| htaccess_methods | | | Find misconfigurations in Apache's "<LIMIT>" configuration. |
| ldapi | | | Find LDAP injection bugs. |
| lfi | Enabled | | Find local file inclusion vulnerabilities. |
| memcachei | | | No description available for this plugin. |
| mx_injection | | | Find MX injection vulnerabilities. |
| os_commanding | | | Find OS Commanding vulnerabilities. |
| phishing_vector | | | Find phishing vectors. |
| preg_replace | | | Find unsafe usage of PHPs preg_replace. |
| redos | | | Find ReDoS vulnerabilities. |
| response_splitting | | | Find response splitting vulnerabilities.