Wapiti - checking a site for vulnerabilities on your own

In the previous article we talked about Nemesida WAF Free, a free tool for protecting websites and APIs from attacks; in this one we decided to review the popular vulnerability scanner Wapiti.

Checking a website for vulnerabilities is a necessary measure which, together with source code analysis, lets you assess how well it is protected against threats. A web resource can be scanned with specialised tools.

Nikto, W3af (written in Python 2.7, which is no longer supported) and Arachni (no longer maintained since February) are the best-known solutions in the free segment. Of course, there are others, for example Wapiti, which we decided to focus on.

Wapiti works with the following classes of vulnerabilities:

  • file inclusion (local and remote, fopen, readfile);
  • injections (PHP / JSP / ASP / SQL injection and XPath injection);
  • XSS (Cross Site Scripting), reflected and persistent;
  • detection of command execution (eval(), system(), passthru());
  • CRLF injection (HTTP response splitting, session fixation);
  • XXE (XML external entity) injection;
  • SSRF (Server Side Request Forgery);
  • presence of known potentially dangerous files (thanks to the Nikto database);
  • weak .htaccess configurations that can be bypassed;
  • presence of backup files that disclose sensitive information (source code disclosure);
  • Shellshock;
  • open redirects;
  • non-standard HTTP methods that may be enabled (PUT).

Features:

  • HTTP, HTTPS and SOCKS5 proxy support;
  • authentication by several methods: Basic, Digest, Kerberos or NTLM;
  • ability to restrict the scan area (domain, folder, page, URL);
  • automatic removal of one or more parameters from the URL;
  • multiple protections against infinite scan loops (example: ifor, limiting the number of values per parameter);
  • ability to set the first URLs to scan (even if they are outside the scan area);
  • ability to exclude certain URLs from crawling and attacks (for example: a logout URL);
  • cookie import (obtain them with the wapiti-getcookie tool);
  • ability to enable / disable SSL certificate verification;
  • ability to extract URLs from JavaScript (a very basic JS interpreter);
  • HTML5 support;
  • several options to control the crawler's behaviour and limits;
  • setting a maximum time for the scan process;
  • adding custom HTTP headers or setting a custom User-Agent.

Other features:

  • generation of vulnerability reports in different formats (HTML, XML, JSON, TXT);
  • pausing and resuming a scan or attack (session mechanism using an SQLite3 database);
  • colour highlighting in the terminal to flag vulnerabilities;
  • different logging levels;
  • a quick and easy way to enable / disable attack modules.

Installation

The current version of Wapiti can be installed in two ways:

  • download the source from the official site and run the installation script, having installed Python3 beforehand;
  • with the pip3 install wapiti3 command.

After that, Wapiti is ready to go.

Working with the tool

To demonstrate Wapiti we will use a specially prepared test stand, sites.vulns.pentestit.ru (an internal resource), containing various vulnerabilities (injection, XSS, LFI/RFI) and other flaws of web applications.

The information is provided for educational purposes only. Do not break the law!

The basic command to launch the scanner:

# wapiti -u <target> <options>

The tool ships with very detailed help covering a large number of launch options, for example:

--scope - the scan area.
If you specify the scope parameter together with the crawl URL, you can adjust the area of the site that is crawled, from a single page up to every page that can be found on the site.

-s and -x - options to add or exclude specific URLs. They are useful when a particular URL has to be added to, or removed from, the crawl.

--skip - the parameter named with this key will be scanned but not attacked. Useful when there are dangerous parameters that are better left alone during the scan.

--verify-ssl - enable or disable certificate verification.
The Wapiti scanner is modular. To enable specific modules, including the ones that are enabled automatically when the scanner runs, use the -m switch and list the modules you need, separated by commas. If the key is omitted, all modules run by default. In its simplest form it looks like this:

# wapiti -u http://sites.vulns.pentestit.ru/ -m sql,xss,xxe

This example means that only the SQL, XSS and XXE modules will be used when checking the target. In addition, you can restrict a module to a particular request method, for example -m "xss:get,blindsql:post,xxe:post". In this case the xss module will work on requests sent with the GET method, the blindsql module on POST requests, and so on. Also, if a module that was included in the list turns out to be unnecessary during the scan, or takes too long, pressing Ctrl+C lets you skip the current module by choosing the corresponding item in the interactive menu.

Wapiti supports routing requests through a proxy with the -p key and authenticating to the target site with the -a parameter. You can also specify the authentication type: Basic, Digest, Kerberos or NTLM. The last two may require additional modules to be installed. Besides that, you can add arbitrary headers to the requests (including a spoofed User-Agent) and much more.

For authentication you can also use the wapiti-getcookie utility. With it we create a cookie that Wapiti will use during the scan. The cookie is created with the command:

# wapiti-getcookie -u http://sites.vulns.pentestit.ru/login.php -c cookie.json

It works interactively: we answer the questions and supply the required information, such as login, password, and so on.

The result is a file in JSON format. Another option is to pass all the required data through the -d parameter:

# wapiti-getcookie -u http://sites.vulns.pentestit.ru/login.php -c cookie.json -d "username=admin&password=admin&enter=submit"

The result is the same.

Taking the scanner's main features into account, the final command for testing the web application in our case was:

# wapiti --level 1 -u http://sites.vulns.pentestit.ru/ -f html -o /tmp/vulns.html -m all --color -c cookie.json --scope folder --flush-session -A 'Pentestit Scans' -p http://proxy.office.pentestit.ru:3128

where, among other parameters:

-f and -o - the format and path for saving the report;

-m - enable all modules; in general this is not advisable, because it increases the scan time and the size of the report;

--color - highlight the found vulnerabilities according to their criticality as rated by Wapiti itself;

-c - use the cookie file created with wapiti-getcookie;

--scope - choose the target of the attack. With the folder value, every URL starting with the base URL will be crawled and attacked. The base URL must end with a slash (no file name);

--flush-session - allows a repeated scan in which earlier results are discarded;

-A - our own User-Agent;

-p - the proxy server address, if needed.
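The effect of --scope and of the -x exclusions on what actually gets attacked, modelled in Python as an added illustration for this page (this is not Wapiti's own crawler code). The scope names follow the article; the host comparison and the use of shell-style wildcards in -x patterns are assumptions, and the crawled URL list is constructed:

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed crawl result for the demo target (not real scan output).
CRAWLED = [
    "http://sites.vulns.pentestit.ru/",
    "http://sites.vulns.pentestit.ru/sqli.php?id=1",
    "http://sites.vulns.pentestit.ru/admin/users.php",
    "http://sites.vulns.pentestit.ru/admin/logout.php",
    "http://sites.vulns.pentestit.ru/admin/",
    "http://static.pentestit.ru/style.css",
]


def in_scope(base_url, candidate, scope):
    """Model of --scope: url, page, folder or domain (assumed semantics)."""
    base, cand = urlsplit(base_url), urlsplit(candidate)
    if cand.netloc.lower() != base.netloc.lower():
        return False                      # other hosts are never in scope
    if scope == "domain":
        return True                       # anything on the same host
    if scope == "folder":
        # the base must be a folder: trailing slash, no file name
        if not base.path.endswith("/"):
            raise ValueError("folder scope needs a base URL ending in '/'")
        return cand.path.startswith(base.path)
    if scope == "page":
        return cand.path == base.path     # same page, any query string
    if scope == "url":
        return cand.path == base.path and cand.query == base.query
    raise ValueError(f"unknown scope {scope!r}")


def excluded(url, patterns):
    """-x exclusions; shell-style wildcards are assumed to be accepted."""
    return any(fnmatch(url, pattern) for pattern in patterns)


def select_targets(base_url, crawled, scope, exclude=()):
    """URLs that will be attacked: in scope and not excluded."""
    return [url for url in crawled
            if in_scope(base_url, url, scope) and not excluded(url, exclude)]


if __name__ == "__main__":
    base = "http://sites.vulns.pentestit.ru/admin/"
    # logout.php would drop the authenticated session, so keep it out
    for url in select_targets(base, CRAWLED, "folder", exclude=["*/logout.php"]):
        print(url)
```

The point to check before a long authenticated scan is exactly this list: if a logout link or a session-resetting endpoint survives the filter, the cookie from wapiti-getcookie will be invalidated part-way through the run.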

A few words about the report

The result of the scan is delivered as a detailed report on all found vulnerabilities as an HTML page, in a clear and easy-to-read form. The report shows the categories and the number of vulnerabilities found, their description, the requests, ready curl commands and recommendations on how to fix them. For easier navigation, the category names are links that take you to the corresponding section.

A significant drawback of the report is the absence of a map of the web application as such, without which it is not clear whether all addresses and parameters were checked. There is also a chance of false positives. In our case the report included "backup files" and "potentially dangerous files". Their number does not correspond to reality, since there were no such files on the server.

Presumably the incorrect behaviour of some modules will be fixed over time. Another drawback of the report is the lack of colour coding of the found vulnerabilities (by criticality), or at least their separation into groups. The only way to judge criticality indirectly is to use the --color parameter during the scan, in which case the found vulnerabilities are printed in different colours in the terminal.

The report itself, however, provides no such colouring.
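Two of the report's weaknesses just described, no severity breakdown and no view of what was actually attacked, can be worked around by post-processing the JSON report (-f json) instead of the HTML one. The following is an added example written for this page, not Wapiti's own code: the report layout and the field names (vulnerabilities, anomalies, method, path, parameter, level) are assumed from the Wapiti 3 JSON reporter, the mapping of numeric levels to names is an assumption, the sample report is constructed, and so is the probe that stands in for re-requesting the reported files:

```python
import json
from collections import Counter

# Constructed sample in the shape of a Wapiti 3 JSON report (wapiti -f json).
# Top-level keys and per-entry fields are assumed from the 3.0 line of the
# JSON reporter; check them against a real report from your version.
SAMPLE_REPORT = json.dumps({
    "infos": {"target": "http://sites.vulns.pentestit.ru/", "scope": "folder"},
    "vulnerabilities": {
        "SQL Injection": [
            {"method": "GET", "path": "/sqli.php", "parameter": "id", "level": 3,
             "info": "MySQL Injection via injection in the parameter id"},
        ],
        "Cross Site Scripting": [
            {"method": "GET", "path": "/xss.php", "parameter": "q", "level": 2,
             "info": "XSS vulnerability found via injection in the parameter q"},
            {"method": "POST", "path": "/comment.php", "parameter": "body", "level": 2,
             "info": "XSS vulnerability found via injection in the parameter body"},
        ],
        "Backup file": [
            {"method": "GET", "path": "/index.php.bak", "parameter": "", "level": 1,
             "info": "Backup file index.php.bak found"},
            {"method": "GET", "path": "/config.php~", "parameter": "", "level": 1,
             "info": "Backup file config.php~ found"},
        ],
        "Potentially dangerous file": [
            {"method": "GET", "path": "/phpinfo.php", "parameter": "", "level": 1,
             "info": "phpinfo.php reveals configuration details"},
        ],
    },
    "anomalies": {
        "Internal Server Error": [
            {"method": "GET", "path": "/sqli.php", "parameter": "id", "level": 1,
             "info": "The server responded with a 500 error"},
        ],
    },
})

# Assumed meaning of Wapiti's numeric levels.
LEVEL_NAMES = {3: "high", 2: "medium", 1: "low"}

# Categories the article found prone to false positives.
FILE_CATEGORIES = {"Backup file", "Potentially dangerous file"}


def load_findings(report_text):
    """Flatten vulnerabilities and anomalies into one list of dicts."""
    report = json.loads(report_text)
    findings = []
    for section in ("vulnerabilities", "anomalies"):
        for category, entries in report.get(section, {}).items():
            for entry in entries:
                findings.append({
                    "section": section,
                    "category": category,
                    "method": entry.get("method", "GET"),
                    "path": entry.get("path", ""),
                    "parameter": entry.get("parameter", ""),
                    "level": LEVEL_NAMES.get(entry.get("level"), "unknown"),
                    "info": entry.get("info", ""),
                })
    return findings


def count_by_level(findings):
    """Severity breakdown the HTML report does not give, e.g. {'high': 1, ...}."""
    return Counter(f["level"] for f in findings if f["section"] == "vulnerabilities")


def attacked_surface(findings):
    """Sorted (method, path, parameter) triples that produced a finding.
    Only the part of the application that produced findings is recovered;
    the full crawl map is not in the report."""
    return sorted({(f["method"], f["path"], f["parameter"]) for f in findings})


def recheck_file_findings(findings, probe):
    """Re-request every file finding with probe(path) -> HTTP status and keep
    only those that still exist, dropping false positives."""
    kept = []
    for f in findings:
        if f["category"] in FILE_CATEGORIES and probe(f["path"]) != 200:
            continue
        kept.append(f)
    return kept


def triage(report_text, probe):
    findings = recheck_file_findings(load_findings(report_text), probe)
    return {
        "by_level": dict(count_by_level(findings)),
        "surface": attacked_surface(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed stand-in for a HEAD request: only phpinfo.php really exists.
    fake_probe = lambda path: 200 if path == "/phpinfo.php" else 404
    result = triage(SAMPLE_REPORT, fake_probe)
    print(result["by_level"])
    for method, path, param in result["surface"]:
        print(f"{method:4} {path} {param}")
```

In a real run the probe would be a HEAD or GET against the target with the same cookie and proxy settings as the scan; a 404 or a redirect to an error page for a reported backup file is the quickest way to confirm the kind of false positive described above.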

Vulnerabilities

SQLi

The scanner coped with the search for SQLi. When looking for SQL vulnerabilities on pages where authentication is not required, no problems arose.

It was not possible to find vulnerabilities on pages accessible only after authentication, even with a valid cookie, because most likely after successful authentication the session was "knocked out" and the cookie became useless. Had the logout function been implemented as a separate script responsible for that process, it could have been excluded entirely with the -x parameter, preventing it from being triggered. Otherwise its processing cannot be excluded. This is not a problem of a particular module but of the tool as a whole, and because of this nuance several injections in the closed part of the resource could not be detected.

XSS

The scanner handled the task correctly and found all the planted vulnerabilities.

LFI/RFI

The scanner found all the planted vulnerabilities.

In general, despite the false positives and the missed vulnerabilities, Wapiti, as a free tool, shows quite decent results. In any case, it is fair to say that the scanner is powerful, flexible and multifunctional and, most importantly, free, so it has every right to be used to help administrators and developers get a first picture of the security of a web application.

Stay healthy and safe!

Source: www.habr.com
