Scanning a web site for vulnerabilities is a necessary measure; combined with source code analysis, it lets you assess the level of protection against the threat of compromise. Dedicated tools can be used to scan web resources.
Nikto, W3af (written in Python 2.7 and no longer supported) and Arachni (also no longer supported) are the most popular solutions in the free segment. Of course, there are others; for example, we decided to focus on Wapiti.
Wapiti handles the following types of vulnerabilities:
- File disclosure (local and remote, fopen, readfile);
- Injections (PHP / JSP / ASP / SQL injection and XPath injection);
- XSS (cross-site scripting), reflected and persistent;
- Command execution detection (eval(), system(), passtru());
- CRLF injection (HTTP response splitting, session fixation);
- XXE (XML External Entity) injection;
- SSRF (Server-Side Request Forgery);
- Use of known potentially dangerous files (thanks to the Nikto database);
- Weak .htaccess configurations that can be bypassed;
- Presence of backup files that reveal sensitive information (source code disclosure);
- Shellshock;
- Open redirects;
- Non-standard HTTP methods that may be allowed (PUT).
Features:
- Support for HTTP, HTTPS and SOCKS5 proxies;
- Authentication by several methods: Basic, Digest, Kerberos or NTLM;
- Ability to restrict the scan area (domain, folder, page, URL);
- Automatic removal of one of the parameters in a URL;
- Several safeguards against endless scan loops (for example, limiting the values of a parameter);
- Ability to set the priority of URLs to inspect (even if the URL is outside the scan area);
- Ability to exclude certain URLs from scanning and attacks (for example, a logout URL);
- Cookie import (obtained with the wapiti-getcookie tool);
- Ability to enable or disable SSL certificate verification;
- Ability to extract URLs from JavaScript (a very simple JS interpreter);
- HTML5 awareness;
- Several options for controlling the crawler's behaviour and limits;
- Setting a maximum time for the scan process;
- Adding custom HTTP headers or setting a custom User-Agent.
Additional features:
- Generating vulnerability reports in various formats (HTML, XML, JSON, TXT);
- Pausing and resuming a scan or attack (session mechanism using an SQLite3 database);
- Colour highlighting of vulnerabilities in the terminal;
- Several levels of logging;
- A quick and easy way to enable or disable attack modules.
Installation
The current version of Wapiti can be installed in 2 ways:
- download the source from the official site and, with Python3 installed beforehand, run the installation script;
- use the pip3 install wapiti3 command.
After that, Wapiti is ready to go.
Using the tool
To demonstrate Wapiti in action, we use a specially prepared stand, sites.vulns.pentestit.ru (an internal resource), which contains various web application vulnerabilities (injections, XSS, LFI/RFI) and other flaws.
This information is provided for informational purposes only. Don't break the law!
The basic command to launch the scanner:
# wapiti -u <target> <options>
Detailed help is also available for the large number of launch options; here are some examples:
- --scope: the scope of application. By specifying the scope parameter together with the crawl URL, you can adjust the area of the site to crawl, from a single page up to every page found on the site.
- -s and -x: options to add or remove specific URLs. They are useful when particular URLs need to be added to or removed from the crawl process.
- --skip: parameters named with this key are scanned but not attacked. Useful when there are dangerous parameters that are best excluded during the scan.
- --verify-ssl: enables or disables certificate verification.
The Wapiti scanner is modular. However, to launch specific modules, including those that are connected automatically while the scanner runs, use the -m switch and list the required modules separated by commas. If the key is not used, all modules run by default. In the simplest version it looks like this:
# wapiti -u http://sites.vulns.pentestit.ru/ -m sql,xss,xxe
This usage example means that only the SQL, XSS and XXE modules are used when scanning the target. In addition, module operation can be filtered by the desired HTTP method, for example -m "xss:get,blindsql:post,xxe:post". In this case the xss module is applied to requests sent with the GET method, blindsql to POST requests, and so on. Incidentally, if a module included in the list turns out to be unnecessary during the scan, or takes a very long time, you can press Ctrl+C, select the corresponding item in the interactive menu, and skip the current module.
Wapiti supports passing requests through a proxy using the -p key, and authentication on the target site via the -a parameter. The authentication type can also be specified: Basic, Digest, Kerberos and NTLM; the last two may require installing additional modules. In addition, arbitrary headers (including User-Agent) and cookies can be inserted into requests.
To use authentication, you can use the wapiti-getcookie tool. With its help we form a cookie that Wapiti will use when scanning. The cookie is created with the following command:
# wapiti-getcookie -u http://sites.vulns.pentestit.ru/login.php -c cookie.json
Working interactively, answer the questions and provide the required information, such as the login and password.
The output is a file in JSON format. Another option is to pass all the required information through the -d parameter:
# wapiti-getcookie -u http://sites.vulns.pentestit.ru/login.php -c cookie.json -d "username=admin&password=admin&enter=submit"
The result looks like this:
Taking the scanner's main features into account, the final request for testing the web application in our case was as follows:
# wapiti --level 1 -u http://sites.vulns.pentestit.ru/ -f html -o /tmp/vulns.html -m all --color -c cookie.json --scope folder --flush-session -A 'Pentestit Scans' -p http://proxy.office.pentestit.ru:3128
Among the other parameters:
- -f and -o: the format and path for saving the report;
- -m: connecting all modules is not recommended, as it affects the test time and the size of the report;
- --color: according to Wapiti itself, highlights discovered vulnerabilities according to their severity;
- -c: use the cookie file generated with wapiti-getcookie;
- --scope: selecting the attack target. With the folder option, all URLs are crawled and attacked starting from the base URL. The base URL needs a trailing slash (no file name);
- --flush-session: allows a repeated scan that does not take previous results into account;
- -A: your own User-Agent;
- -p: the address of the proxy server, if required.
A little about the report
The scan results are presented as an HTML page containing a detailed report on all detected vulnerabilities, in a clear and readable form. The report shows the categories and number of vulnerabilities found, a description of each, the request, the curl command and hints on how to fix it. For easier navigation, category names are links that jump to the corresponding category.
A serious shortcoming of this report is the absence of a map of the web application itself; without it, it is unclear whether every address and parameter was analysed. False positives are also possible: in our case the report contained "backup files" and "potentially dangerous files", but no such files existed on the server, so their count is not real.
Presumably the modules that do not work correctly will be fixed over time. Another drawback of the report is the lack of colour coding of the found vulnerabilities (by severity), or at least their sorting by category. The only way to get an indirect idea of the severity of the found vulnerabilities is the --color parameter, with which the found vulnerabilities are shown in different colours during the scan.
However, the report itself carries no such colouring.
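The missing severity view can be recovered by post-processing the JSON report (-f json) instead of the HTML one. The script below is an added example, not code from the article or the Wapiti project; it assumes a Wapiti 3 style layout (a top-level "vulnerabilities" mapping of category to findings with level, method, path and parameter keys) and runs on a constructed sample report, flagging the two categories the article found to be false positives for manual verification.

```python
import json
# Constructed sample in the assumed Wapiti 3 JSON layout, trimmed to the keys used.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {
        "SQL Injection": [
            {"level": 2, "method": "GET", "path": "/news.php", "parameter": "id",
             "info": "SQL Injection via injection in the parameter id"}
        ],
        "Cross Site Scripting": [
            {"level": 1, "method": "GET", "path": "/search.php", "parameter": "q",
             "info": "XSS vulnerability found via injection in the parameter q"}
        ],
        "Backup file": [
            {"level": 1, "method": "GET", "path": "/index.php~", "parameter": "",
             "info": "Backup file index.php~ found"}
        ],
        "Potentially dangerous file": []
    }
})

# Categories the article found to be false positives on its test stand; since the
# report carries no severity colouring, flag them for manual verification.
NEEDS_MANUAL_CHECK = {"Backup file", "Potentially dangerous file"}


def summarise(report_text):
    """Return per-category counts and findings sorted by Wapiti level, highest first."""
    vulns = json.loads(report_text).get("vulnerabilities", {})
    counts = {cat: len(items) for cat, items in vulns.items()}
    findings = []
    for cat, items in vulns.items():
        for item in items:
            # "location" is method + path, plus the attacked parameter name if any.
            location = f"{item.get('method', '?')} {item.get('path', '?')}"
            if item.get("parameter"):
                location += f" [{item['parameter']}]"
            findings.append({
                "category": cat,
                "level": int(item.get("level", 1)),
                "location": location,
                "verify_manually": cat in NEEDS_MANUAL_CHECK,
            })
    findings.sort(key=lambda f: (-f["level"], f["category"], f["location"]))
    return {"counts": counts, "findings": findings}


if __name__ == "__main__":
    for f in summarise(SAMPLE_REPORT)["findings"]:
        flag = "  <- verify manually" if f["verify_manually"] else ""
        print(f"level {f['level']}  {f['category']:<28} {f['location']}{flag}")
```

Point it at a real report with `summarise(open("/tmp/vulns.json").read())`; unknown keys are tolerated, so a layout difference degrades to "?" in the location rather than a crash.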
Vulnerabilities
SQLi
The scanner handled the SQLi search only partially. When searching for SQL vulnerabilities on pages that do not require authentication, no problems arose.
Even with a valid cookie, it was not possible to find vulnerabilities on pages that are accessible only after authentication: in most cases, after successful authentication the session was logged out and the cookie became invalid. If the logout function is implemented as a separate script responsible for that step, it can be excluded entirely with the -x parameter, which prevents it from being triggered. Otherwise that step cannot be excluded. This is not a problem of a specific module but of the tool as a whole, and because of this nuance several injections in the restricted resource area could not be detected.
XSS
The scanner coped perfectly with the assigned task and found all the vulnerabilities we had prepared.
LFI/RFI
The scanner found all the planted vulnerabilities.
In general, despite the false positives and missed vulnerabilities, Wapiti shows quite good performance for a free tool. In any case, it is worth acknowledging that the scanner is very powerful, flexible and multifunctional, and, most importantly, free, which gives administrators and developers every right to use it to obtain basic information about the security state of a web application.
Stay healthy and protected!
Source: habr.com