Wapiti - checking a site for vulnerabilities on your own
In the previous article we discussed Nemesida WAF Free, a free tool for protecting websites and APIs from attacks, and in this one we decided to review the well-known scanner Wapiti.

Scanning a website for vulnerabilities is a necessary step which, together with source code analysis, lets you assess how well it is protected against threats. A website can be scanned with specialized tools.

Nikto, W3af (written in Python 2.7, which is no longer supported) and Arachni (no longer maintained since February) are the most popular solutions in the free segment. Of course there are others, for example Wapiti, which we decided to look at.

Wapiti works with the following vulnerabilities:

  • file disclosure (local and remote include, fopen, readfile);
  • injections (PHP / JSP / ASP / SQL injection and XPath injection);
  • XSS (Cross Site Scripting) (reflected and persistent);
  • command execution detection (eval(), system(), passthru());
  • CRLF injection (HTTP response splitting, session fixation);
  • XXE (XML External Entity) injection;
  • SSRF (Server Side Request Forgery);
  • use of known potentially dangerous files (thanks to the Nikto database);
  • weak .htaccess configurations that can be bypassed;
  • presence of backup files that disclose confidential information (source code disclosure);
  • Shellshock;
  • open redirects;
  • uncommon HTTP methods that may be allowed (PUT).

Features:

  • HTTP, HTTPS and SOCKS5 proxy support;
  • authentication using several methods: Basic, Digest, Kerberos or NTLM;
  • ability to limit the scan scope (domain, folder, page, URL);
  • automatic removal of one of the parameters in the URL;
  • several safeguards against endless scan loops (for example, limiting the number of values per parameter);
  • ability to set priority for examining URLs (even if they are outside the scan scope);
  • ability to exclude some URLs from crawling and attacks (for example, a logout URL);
  • cookie import (obtain them with the wapiti-getcookie tool);
  • ability to enable / disable SSL certificate verification;
  • ability to extract URLs from JavaScript (a simple JS interpreter);
  • interaction with HTML5;
  • several options to control crawler behaviour and limits;
  • setting a maximum time for the scan process;
  • adding custom HTTP headers or setting a custom User-Agent.

Additional features:

  • generating vulnerability reports in various formats (HTML, XML, JSON, TXT);
  • pausing and resuming a scan or attack (session mechanism using SQLite3 databases);
  • terminal highlighting to show vulnerabilities;
  • different verbosity levels;
  • a fast and easy way to enable / disable attack modules.

Installation

The latest version of Wapiti can be installed in two ways:

  • download the source from the official site and run the installation script, having first installed Python3;
  • with the pip3 install wapiti3 command.

After that, Wapiti is ready to go.

Working with the tool

To demonstrate how Wapiti works, we will use the specially prepared site site.vulns.pentestit.ru (an internal resource), which contains various vulnerabilities (Injection, XSS, LFI/RFI) and other web application flaws.

The information is provided for informational purposes only. Do not break the law!

The basic command to launch the scanner:

# wapiti -u <target> <options>

There is also detailed help with a number of launch options, for example:

--scope - the scan scope.
If you specify the scope parameter together with the crawl URL, you can adjust the crawl area of the site, specifying either a single page or all the pages that can be found on the site.

-s and -x - options to add or exclude specific URLs. They are useful when a particular URL needs to be added to, or removed from, the crawl.

--skip - a parameter with this key will be scanned but not attacked. Useful when there are dangerous parameters that are better left out of the scan.

--verify-ssl - enable or disable certificate verification.

The Wapiti scanner is modular. However, to launch specific modules, including those that are connected automatically while the scanner runs, you need to use the -m switch and list the required modules separated by commas. If the switch is not used, all modules run by default. In its simplest form it looks like this:

# wapiti -u http://sites.vulns.pentestit.ru/ -m sql,xss,xxe

This usage example means that only the SQL, XSS and XXE modules will be used when scanning the target. In addition, you can filter module operation by the desired HTTP method, for example -m "xss:get,blindsql:post,xxe:post". In this case the xss module will be applied to requests sent via GET, the blindsql module to POST requests, and so on. By the way, if a module included in the list turns out to be unnecessary for the scan or takes too long, pressing Ctrl + C lets you skip the current module by selecting the corresponding item in the interactive menu.

Wapiti supports routing requests through a proxy with the -p key and authenticating on the target site via the -a parameter. You can also specify the authentication type: Basic, Digest, Kerberos or NTLM. The last two may require installing additional modules. In addition, you can insert any headers into the requests (including a custom User-Agent) and much more.

For authentication you can use the wapiti-getcookie tool. With its help we create a cookie which Wapiti will then use during the scan. The cookie is created with the command:

# wapiti-getcookie -u http://sites.vulns.pentestit.ru/login.php -c cookie.json

Working interactively, we answer the questions and provide the required information, such as login, password and so on:

[screenshot]

The result is a file in JSON format. Another option is to pass all the required data via the -d parameter:

# wapiti-getcookie -u http://sites.vulns.pentestit.ru/login.php -c cookie.json -d "username=admin&password=admin&enter=submit"

The result will be the same:

[screenshot]

Taking the scanner's capabilities into account, the final command used to test our site was:

# wapiti --level 1 -u http://sites.vulns.pentestit.ru/ -f html -o /tmp/vulns.html -m all --color -c cookie.json --scope folder --flush-session -A 'Pentestit Scans' -p http://proxy.office.pentestit.ru:3128

where, among other parameters:

-f and -o - the report format and the path to save it;

-m - enabling all modules is not recommended, since it affects the test duration and the size of the report;

--color - highlight the found vulnerabilities according to their criticality as assessed by Wapiti itself;

-c - use the cookie file created with wapiti-getcookie;

--scope - select the attack target. With the folder option every URL will be crawled and attacked starting from the initial one. The initial URL must end with a trailing slash (no file name);

--flush-session - allows a repeated scan in which previous results are not taken into account;

-A - a custom User-Agent;

-p - the proxy server address, if one is needed.
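As an added example (not code from the article or from the Wapiti project), the script below assembles the scan command above from its parts and checks the details that are easy to get wrong: with --scope folder the start URL must end with a trailing slash, the -m method filters must be get or post, and URLs that would end the authenticated session (such as a logout link) are excluded with -x. The logout path, the exact set of accepted method filters and the proxy address are assumptions for illustration; the host names and module names are the ones shown in the article.

```python
"""Assemble a reproducible Wapiti command line from the options above.

Added example, not from the article or from Wapiti itself. Builds argv for
a scan, validates the start URL against the scope, renders the -m module
filter string and excludes URLs that must not be crawled (e.g. logout).
"""
import shlex
import subprocess
from urllib.parse import urlsplit

# Method filters the article demonstrates ("xss:get", "blindsql:post").
# Assumption: these are the only two filters we allow through.
METHOD_FILTERS = {"get", "post"}


def module_spec(modules):
    """Render {"xss": "get", "blindsql": "post", "xxe": None} as the value
    for -m, i.e. "xss:get,blindsql:post,xxe". None means all methods."""
    parts = []
    for name, method in modules.items():
        if not name.replace("_", "").isalnum():
            raise ValueError(f"suspicious module name: {name!r}")
        if method is None:
            parts.append(name)
        elif method.lower() in METHOD_FILTERS:
            parts.append(f"{name}:{method.lower()}")
        else:
            raise ValueError(f"unknown method filter {method!r} for {name}")
    return ",".join(parts)


def validate_target(target, scope):
    """Return a list of problems with the start URL (empty list means OK)."""
    problems = []
    parsed = urlsplit(target)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        problems.append("start URL must be an absolute http(s) URL")
    if scope == "folder" and not parsed.path.endswith("/"):
        # The article: folder scope needs a trailing slash, no file name.
        problems.append("folder scope needs a trailing slash on the start URL")
    return problems


def build_scan_argv(target, modules, report_path, *, scope="folder",
                    report_format="html", level=1, cookie_file=None,
                    proxy=None, user_agent=None, exclude=(),
                    flush_session=True, color=True):
    """Return the argv list for one scan; raises on an invalid start URL."""
    problems = validate_target(target, scope)
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["wapiti", "-u", target, "--scope", scope, "--level", str(level),
            "-f", report_format, "-o", report_path]
    if modules:
        argv += ["-m", module_spec(modules)]
    if cookie_file:
        argv += ["-c", cookie_file]          # produced by wapiti-getcookie
    if proxy:
        argv += ["-p", proxy]
    if user_agent:
        argv += ["-A", user_agent]
    for url in exclude:
        argv += ["-x", url]                  # never crawl or attack these
    if flush_session:
        argv.append("--flush-session")       # ignore previous session data
    if color:
        argv.append("--color")               # highlight findings in terminal
    return argv


def main():
    target = "http://sites.vulns.pentestit.ru/"
    argv = build_scan_argv(
        target,
        {"xss": "get", "blindsql": "post", "xxe": None},
        "/tmp/vulns.html",
        cookie_file="cookie.json",
        proxy="http://proxy.office.pentestit.ru:3128",
        user_agent="Pentestit Scans",
        exclude=[target + "logout.php"],  # assumed logout URL on the test site
    )
    print(shlex.join(argv))
    subprocess.run(argv, check=False)     # requires the wapiti3 package


if __name__ == "__main__":
    main()
```

Run the script after wapiti3 and cookie.json are in place; it prints the exact command it is about to execute so the scan can be reproduced by hand or from a CI job. Passing a page path such as /index.php with the default folder scope is rejected before anything is sent to the target.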

A bit about the report

The scan result is presented as a detailed report on all found vulnerabilities in the form of an HTML page, in a clear and easy-to-read layout. The report shows the categories and number of vulnerabilities found, their descriptions, the requests, curl commands and advice on how to close them. For easier navigation, category names are links that take you to the corresponding section:

[screenshot]

The main drawback of the report is the absence of a web application map, without which it is impossible to tell whether all addresses and parameters were analyzed. There is also a chance of false positives. In our case the report includes "backup files" and "potentially dangerous files". Their number does not match reality, since there were no such files on the server:

[screenshot]

Perhaps the misbehaving modules will be fixed over time. Another drawback of the report is that the found vulnerabilities are neither colored by criticality nor at least grouped by it. The only way to get an indirect idea of the criticality of the findings is to use the --color parameter when launching the scan; the found vulnerabilities are then painted in different colors:

[screenshot]

But the report itself does not provide such coloring.

Vulnerabilities

SQLi

The scanner only partially coped with the SQLi search. When looking for SQL injection on pages where authentication is not required, no problems arose:
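Since the HTML report carries no severity grouping, a practical workaround is to run the scan once more with -f json and post-process that file. The script below is an added example (not from the article or from Wapiti): it flattens the JSON report, counts findings per category and per level, and parks the categories the article found noisy on its test site (backup files and potentially dangerous files) in a separate triage bucket at the bottom of the listing. The report layout assumed here (top-level "vulnerabilities" and "anomalies" objects keyed by category, each entry carrying "level", "method", "path", "parameter" and "info") and the 1 to 4 level scale are assumptions about the scanner's output; the sample report embedded below is constructed, not captured from a real scan.

```python
"""Summarise a Wapiti JSON report by category and severity.

Added example, not from the article or from Wapiti. Assumed JSON layout:
{"vulnerabilities": {category: [entry, ...]}, "anomalies": {...}} where an
entry has "method", "path", "parameter", "info" and an integer "level".
"""
import json
import sys
from collections import Counter

LEVEL_NAMES = {1: "low", 2: "medium", 3: "high", 4: "critical"}  # assumed scale

# Categories the article saw produce false positives on its test site.
TRIAGE_CATEGORIES = {"Backup file", "Potentially dangerous file"}

# Constructed sample in the assumed layout; not real scanner output.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {
        "SQL Injection": [
            {"method": "GET", "path": "/sqli/index.php", "parameter": "id",
             "info": "SQL Injection via injection in the parameter id", "level": 3},
        ],
        "Cross Site Scripting": [
            {"method": "GET", "path": "/xss/reflected.php", "parameter": "q",
             "info": "XSS via injection in the parameter q", "level": 2},
            {"method": "POST", "path": "/xss/stored.php", "parameter": "comment",
             "info": "XSS via injection in the parameter comment", "level": 2},
        ],
        "Path Traversal": [
            {"method": "GET", "path": "/lfi/index.php", "parameter": "page",
             "info": "Linux local file disclosure vulnerability", "level": 3},
        ],
        "Backup file": [
            {"method": "GET", "path": "/index.php.bak", "parameter": "",
             "info": "Backup file found", "level": 1},
            {"method": "GET", "path": "/index.php~", "parameter": "",
             "info": "Backup file found", "level": 1},
        ],
        "Potentially dangerous file": [
            {"method": "GET", "path": "/phpinfo.php", "parameter": "",
             "info": "Nikto database match", "level": 1},
        ],
    },
    "anomalies": {
        "Internal Server Error": [
            {"method": "GET", "path": "/sqli/index.php", "parameter": "id",
             "info": "The server responded with a 500 HTTP error code", "level": 1},
        ],
    },
})


def load_findings(report_text):
    """Flatten the report into one dict per finding, tagging noisy categories."""
    data = json.loads(report_text)
    findings = []
    for section in ("vulnerabilities", "anomalies"):
        for category, entries in data.get(section, {}).items():
            for entry in entries:
                findings.append({
                    "section": section,
                    "category": category,
                    "level": int(entry.get("level", 1)),
                    "method": entry.get("method", ""),
                    "path": entry.get("path", ""),
                    "parameter": entry.get("parameter", ""),
                    "info": entry.get("info", ""),
                    "triage": category in TRIAGE_CATEGORIES,
                })
    return findings


def summarize(findings):
    """Counts by category and by severity; triage bucket counted separately."""
    confirmed = [f for f in findings if not f["triage"]]
    by_level = Counter(f["level"] for f in confirmed)
    return {
        "total": len(findings),
        "by_category": dict(Counter(f["category"] for f in findings)),
        "by_level": {LEVEL_NAMES.get(lvl, str(lvl)): n
                     for lvl, n in sorted(by_level.items(), reverse=True)},
        "needs_triage": sum(1 for f in findings if f["triage"]),
        "highest_level": max((f["level"] for f in confirmed), default=0),
    }


def render(findings):
    """One line per finding, most severe first, triage bucket at the end."""
    order = sorted(findings, key=lambda f: (f["triage"], -f["level"], f["category"]))
    lines = []
    for f in order:
        tag = "TRIAGE" if f["triage"] else LEVEL_NAMES.get(f["level"], str(f["level"])).upper()
        where = f["path"] + (f" [{f['parameter']}]" if f["parameter"] else "")
        lines.append(f"{tag:8} {f['category']:28} {f['method']:4} {where}  {f['info']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python summarize_report.py /tmp/vulns.json (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found = load_findings(text)
    print(render(found))
    print(summarize(found))
```

Running it against a real report produced with -f json -o /tmp/vulns.json gives the severity overview the HTML report lacks; anything in the TRIAGE bucket still has to be confirmed by hand, exactly as the article had to do for the backup and dangerous file categories.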

[screenshot]

It was not possible to find the vulnerabilities on pages reachable only after authentication, even with a valid cookie, because most likely after a successful login the session gets terminated (the crawler reaches the logout handler) and the cookie becomes invalid. If the logout function is implemented as a separate script that handles this procedure, it can be excluded entirely with the -x parameter so that it is never triggered. Otherwise there is no way to keep it from being processed. This is not a problem of a particular module but of the tool as a whole, but because of this nuance several injections in the closed area could not be detected.

XSS

The scanner coped with the assigned task perfectly and found all the prepared vulnerabilities:

[screenshot]

LFI/RFI

The scanner found all the vulnerabilities:

[screenshot]

Overall, despite the false positives and the missed vulnerabilities, Wapiti as a free tool shows quite good results. In any case it must be admitted that the scanner is fairly powerful, flexible and multifunctional, and above all free, so it has every right to be used to help administrators and developers obtain basic information about the security status of a web application.

Stay healthy and protected!

Source: www.habr.com
