Wapiti: checking a site for vulnerabilities on your own

In the last article we talked about Nemesida WAF Free, a free tool for protecting websites and APIs from hacker attacks, and in this one we decided to review the popular vulnerability scanner Wapiti.

Scanning a website for vulnerabilities is an important measure which, together with source code analysis, lets you assess how well it is protected against compromise. Web resources can be scanned with specialized tools.

Nikto, W3af (written in Python 2.7, which is no longer supported) or Arachni (unmaintained since February) are the best-known solutions in the free segment. There are of course others, for example Wapiti, which we decided to focus on.

Wapiti works with the following vulnerability classes:

  • file disclosure (local and remote include, fopen, readfile);
  • injections (PHP/JSP/ASP/SQL injection and XPath injection);
  • XSS (Cross-Site Scripting), reflected and persistent;
  • detection of command execution (eval(), system(), passthru());
  • CRLF injection (HTTP response splitting, session fixation);
  • XXE (XML External Entity) injection;
  • SSRF (Server-Side Request Forgery);
  • presence of known potentially dangerous files (thanks to the Nikto database);
  • weak .htaccess configurations that can be bypassed;
  • presence of backup files that disclose sensitive information (source code disclosure);
  • Shellshock;
  • open redirects;
  • non-standard HTTP methods that may be allowed (PUT).

Features:

  • HTTP, HTTPS and SOCKS5 proxy support;
  • authentication via several methods: Basic, Digest, Kerberos or NTLM;
  • ability to limit the scan scope (domain, folder, page, URL);
  • automatic removal of one or more parameters from URLs;
  • several safeguards against endless scan loops (for example, a limit on the number of values tried for a parameter);
  • ability to set the priority of URLs to scan (even if they are outside the scan scope);
  • ability to exclude some URLs from the scan and from attacks (for example, a logout URL);
  • import of cookies (obtained with the wapiti-getcookie tool);
  • ability to enable or disable SSL certificate verification;
  • ability to extract URLs from JavaScript (simple JS interpreter);
  • HTML5 support;
  • several options to control crawler behaviour and limits;
  • setting a maximum duration for the scan process;
  • adding custom HTTP headers or setting a custom User-Agent.

Additional features:

  • generation of vulnerability reports in different formats (HTML, XML, JSON, TXT);
  • pausing and resuming a scan or an attack (session mechanism using an SQLite3 database);
  • highlighting in the terminal to show vulnerabilities;
  • different levels of logging;
  • a fast and easy way to enable or disable attack modules.

Installation

The current version of Wapiti can be installed in two ways:

  • download the sources from the official site and run the installation script, having installed Python 3 beforehand;
  • using the command pip3 install wapiti3.

After that, Wapiti is ready to go.

Working with the tool

To demonstrate how Wapiti works, we will use the specially prepared site sites.vulns.pentestit.ru (an internal resource) containing various vulnerabilities (injection, XSS, LFI/RFI) and other web application flaws.

The information is provided for educational purposes only. Don't break the law!

Basic command to launch the scanner:

# wapiti -u <target> <options>

There is also quite detailed help with a large number of launch options, for example:

--scope - application scope.
If you specify this parameter together with the crawl URL, you can adjust the crawl scope of the site, from a single page up to all pages that can be found on the site.

-s and -x - options to add or exclude specific URLs. These options are useful when you need to add or remove a specific URL during the crawl.

--skip - the parameter named with this key will be scanned but not attacked. Useful when there are dangerous parameters that are best left out of the scan.

--verify-ssl - enable or disable certificate verification.
Wapiti is modular. However, to run specific modules, including those that are enabled automatically while the scanner runs, you need to use the -m key and list the ones you need, separated by commas. If the key is not used, all modules run by default. In the simplest form it looks like this:

# wapiti -u http://sites.vulns.pentestit.ru/ -m sql,xss,xxe

This example means that only the SQL, XSS and XXE modules will be used when scanning the target. In addition, you can filter a module's work by the desired HTTP method, for example -m "xss:get,blindsql:post,xxe:post". In this case the xss module will be applied to requests sent with GET, the blindsql module to POST requests, and so on. By the way, if a module included in the list turns out to be unnecessary during the scan or takes too long, pressing Ctrl+C lets you skip the current module by choosing the appropriate item in the interactive menu.

Wapiti supports sending requests through a proxy with the -p key and authentication on the target site via the -a parameter. You can also specify the authentication type: Basic, Digest, Kerberos and NTLM. The last two may require installing additional packages. In addition, you can insert any headers into requests (including an arbitrary User-Agent), etc.

For authentication you can use the wapiti-getcookie tool. With it we generate a cookie file that Wapiti will use during the scan. The cookie is generated with the command:

# wapiti-getcookie -u http://sites.vulns.pentestit.ru/login.php -c cookie.json

In the interactive session we answer the questions and enter the required data such as login, password, etc.:

[Screenshot: interactive wapiti-getcookie session]

The output is a file in JSON format. Another option is to pass all the required data via the -d parameter:

# wapiti-getcookie -u http://sites.vulns.pentestit.ru/login.php -c cookie.json -d "username=admin&password=admin&enter=submit"

The result looks like this:

[Screenshot: cookie.json generated by wapiti-getcookie]

Taking the scanner's main functionality into account, the final command for testing the web application in our case was:

# wapiti --level 1 -u http://sites.vulns.pentestit.ru/ -f html -o /tmp/vulns.html -m all --color -c cookie.json --scope folder --flush-session -A 'Pentestit Scans' -p http://proxy.office.pentestit.ru:3128

where, among other parameters:

-f and -o - format and path for saving the report;

-m - enabling all modules is not recommended, since it affects the testing time and the size of the report;

--color - highlights detected vulnerabilities depending on their criticality as rated by Wapiti itself;

-c - use the cookie file generated with wapiti-getcookie;

--scope - choice of the attack target. With the folder option, every URL is crawled and attacked starting from the base one. The base URL must end with a trailing slash (no file name);

--flush-session - allows a repeated scan in which previous results are not taken into account;

-A - custom User-Agent;

-p - proxy server address, if required.

A little about the report

The scan results are presented as a detailed report on all the vulnerabilities found, as an HTML page in a simple and easy-to-read form. The report shows the categories and the number of vulnerabilities found, their descriptions, the requests, curl commands and recommendations on how to fix them. For ease of navigation, the category names are links that take you to the corresponding section:

[Screenshot: HTML report with linked vulnerability categories]

The main drawback of the report is the absence of a map of the web application as such, without which it is unclear whether all addresses and parameters were analysed. There is also a chance of false positives. In our case the report included "Backup file" and "Potentially dangerous file" findings. Their number does not match reality, since there are no such files on the server:

[Screenshot: "Backup file" and "Potentially dangerous file" findings in the report]

Perhaps the misbehaving modules will be fixed over time. Another drawback of the report is that the vulnerabilities found are not colour-coded by criticality, or at least split into groups. The only way to get an indirect idea of the criticality of the findings is to use the --color parameter during the scan; the vulnerabilities found are then printed in different colours:

[Screenshot: coloured terminal output with --color]

But the report itself does not provide this colouring.
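As an added example (not code from the original article or from the Wapiti project), the script below triages a Wapiti JSON report (produced with -f json -o report.json) to work around the two report weaknesses just described: it groups findings by Wapiti's numeric level so the most severe come first, and it marks the "Backup file" and "Potentially dangerous file" categories for manual confirmation, pulling out the curl commands Wapiti recorded for them. The embedded sample report is constructed; its layout (top-level vulnerabilities, anomalies, additionals and infos objects, each finding carrying method, path, parameter, info, level and curl_command) and the level-to-label mapping are my assumptions about Wapiti 3's JSON format, so check them against a real report.

```python
"""Triage a Wapiti JSON report: order by level, flag categories to confirm by hand.

Added example, not from the original article or from Wapiti. The report layout
and the numeric levels below are assumptions about Wapiti 3's JSON output.
"""
import json
import sys
from collections import defaultdict

# Categories the article found over-reported on the test site.
NEEDS_MANUAL_CHECK = {"Backup file", "Potentially dangerous file"}

# Assumed mapping of Wapiti's numeric level to a label, most severe first.
LEVEL_NAMES = {4: "critical", 3: "high", 2: "medium", 1: "low"}
LEVEL_ORDER = ["critical", "high", "medium", "low"]

# Constructed sample shaped like a Wapiti 3 JSON report (not real scan output).
SAMPLE_REPORT = json.dumps({
    "infos": {"target": "http://sites.vulns.pentestit.ru/", "scope": "folder"},
    "vulnerabilities": {
        "SQL Injection": [
            {"method": "GET", "path": "/news.php", "parameter": "id", "level": 3,
             "info": "MySQL Injection via injection in the parameter id",
             "curl_command": "curl \"http://sites.vulns.pentestit.ru/news.php?id=%BF%27%22%28\""}],
        "Cross Site Scripting": [
            {"method": "GET", "path": "/search.php", "parameter": "q", "level": 2,
             "info": "XSS vulnerability found via injection in the parameter q",
             "curl_command": "curl \"http://sites.vulns.pentestit.ru/search.php?q=%3Cscript%3E\""}],
        "Backup file": [
            {"method": "GET", "path": "/index.php~", "parameter": "", "level": 1,
             "info": "Backup file index.php~ found for index.php",
             "curl_command": "curl \"http://sites.vulns.pentestit.ru/index.php~\""},
            {"method": "GET", "path": "/login.php.bak", "parameter": "", "level": 1,
             "info": "Backup file login.php.bak found for login.php",
             "curl_command": "curl \"http://sites.vulns.pentestit.ru/login.php.bak\""}],
    },
    "anomalies": {
        "Internal Server Error": [
            {"method": "POST", "path": "/login.php", "parameter": "username", "level": 1,
             "info": "The server responded with a 500 HTTP error code",
             "curl_command": "curl -d \"username=x\" \"http://sites.vulns.pentestit.ru/login.php\""}]},
    "additionals": {},
})


def load_findings(report_text):
    """Flatten the three finding sections into (section, category, finding) tuples."""
    report = json.loads(report_text)
    return [(section, category, item)
            for section in ("vulnerabilities", "anomalies", "additionals")
            for category, items in report.get(section, {}).items()
            for item in items]


def summarize(report_text):
    """Group findings by level label and count those in manual-check categories."""
    by_level = defaultdict(list)
    manual = defaultdict(int)
    for _section, category, item in load_findings(report_text):
        label = LEVEL_NAMES.get(item.get("level", 1), "low")
        by_level[label].append((category, item["method"], item["path"], item.get("parameter", "")))
        if category in NEEDS_MANUAL_CHECK:
            manual[category] += 1
    return dict(by_level), dict(manual)


def manual_check_commands(report_text):
    """The curl commands Wapiti recorded for findings that should be confirmed by hand."""
    return [item["curl_command"] for _section, category, item in load_findings(report_text)
            if category in NEEDS_MANUAL_CHECK]


def main(path=None):
    text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    by_level, manual = summarize(text)
    for label in LEVEL_ORDER:
        for category, method, url_path, param in by_level.get(label, []):
            flag = "  [verify manually]" if category in NEEDS_MANUAL_CHECK else ""
            print(f"{label:<8} {category:<24} {method:<4} {url_path} {param}{flag}")
    for category, count in manual.items():
        print(f"\n{count} '{category}' finding(s); re-run these by hand, a false positive "
              "usually answers with a 404 or a generic catch-all page:")
    for cmd in manual_check_commands(text):
        print("  " + cmd)


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it as python3 triage.py report.json against a real report; without an argument it prints the triage of the constructed sample. The file-based categories are singled out because, as on the test site above, Wapiti reports them whenever the server answers something other than an error, so a catch-all page inflates the count.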

Vulnerabilities

SQLi

The scanner only partially coped with the search for SQLi. When searching for SQL injection on pages that do not require authentication, no problems arose:

[Screenshot: SQL injection findings on unauthenticated pages]

It was not possible to find vulnerabilities on pages accessible only after authentication, even with a valid cookie, because most likely the crawler "logs out" after successful authentication and the cookie becomes invalid. If the logout function is implemented as a separate script responsible for that procedure, it can be excluded entirely via the -x parameter, which prevents it from being triggered. Otherwise there is no way to stop it from being processed. This is a problem not of a specific module but of the tool as a whole, and because of this nuance several injections in the protected part of the resource could not be detected.
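A practical way to avoid the logout problem just described, as an added example that is not part of the original article or of Wapiti: before an authenticated scan, fetch one authenticated page (for instance with curl -b, using the session from cookie.json), feed its HTML to the script below to find every same-host link whose path or text looks like a logout action, and pass each one to wapiti with -x. The sample HTML and the paths in it are constructed, and the keyword list is my own heuristic, so review the result before trusting it.

```python
"""Find logout-like links to pass to wapiti -x before an authenticated scan.

Added example, not from the original article or from Wapiti. The sample HTML
below is constructed and the keyword list is a heuristic; review the result.
"""
import re
import shlex
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Words that usually mark a session-destroying link, in the URL path or link text.
LOGOUT_PATTERN = re.compile(r"\b(log[\s_-]?out|sign[\s_-]?out|exit|quit|disconnect)\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element on the page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_logout_urls(base_url, html):
    """Absolute same-host URLs whose path or link text looks like a logout action."""
    parser = LinkCollector()
    parser.feed(html)
    host = urlparse(base_url).netloc
    found = []
    for href, text in parser.links:
        if not href or href.startswith(("#", "javascript:", "mailto:")):
            continue
        absolute = urljoin(base_url, href)
        if urlparse(absolute).netloc != host:
            continue  # off-host links are outside the scan scope anyway
        looks_like_logout = (LOGOUT_PATTERN.search(urlparse(absolute).path)
                             or LOGOUT_PATTERN.search(text))
        if looks_like_logout and absolute not in found:
            found.append(absolute)
    return found


def exclusion_args(urls):
    """One -x per URL, the form wapiti accepts for repeated exclusions."""
    args = []
    for url in urls:
        args += ["-x", url]
    return args


# Constructed sample of an authenticated landing page (not real site content).
SAMPLE_HTML = """
<html><body>
<a href="/index.php">Home</a>
<a href="/profile.php?id=1">Profile</a>
<a href="/logout.php">Log out</a>
<a href="/exit">Sign out</a>
<a href="https://other.example/logout">Partner logout</a>
<a href="#">Top</a>
</body></html>
"""

if __name__ == "__main__":
    base = "http://sites.vulns.pentestit.ru/"
    excluded = find_logout_urls(base, SAMPLE_HTML)
    cmd = ["wapiti", "-u", base, "-c", "cookie.json", "--scope", "folder"] + exclusion_args(excluded)
    print(shlex.join(cmd))
```

The printed command line is the one to run; after the scan, request a protected page once more with the same cookie to confirm the session survived, otherwise the findings on the authenticated pages cannot be trusted.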

XSS

The scanner handled this task well and found all the planted vulnerabilities:

[Screenshot: XSS findings]

LFI/RFI

The scanner found all the vulnerabilities:

[Screenshot: LFI/RFI findings]

Overall, despite the false positives and shortcomings, Wapiti as a free tool shows fairly good results. In any case, it is fair to say that the scanner is quite powerful, flexible and versatile, and above all free, so it deserves to be used to help administrators and developers get basic information about the security posture of a web application.

Stay safe and protected!

source: www.habr.com
