Wapiti - checking a website for vulnerabilities on your own

The previous article talked about Nemesida WAF Free, a free tool for protecting websites and APIs from hacker attacks, and this time we decided to review the popular vulnerability scanner Wapiti.

Scanning a website for vulnerabilities is a necessary measure which, together with source code analysis, lets you assess how well it is protected against the threat of compromise. A web resource can be scanned using specialized tools.

Nikto, W3af (written in Python 2.7, no longer supported) and Arachni (no longer supported since February) are the most popular solutions in the free segment. Of course, there are others, for example Wapiti, which we decided to focus on.

Wapiti works with the following types of vulnerabilities:

  • file inclusion (local and remote, fopen, readfile);
  • injections (PHP / JSP / ASP / SQL injection and XPath injection);
  • XSS (Cross Site Scripting) (reflected and persistent);
  • command detection and execution (eval(), system(), passthru());
  • CRLF injections (HTTP response splitting, session fixation);
  • XXE (XML External Entity) injection;
  • SSRF (Server Side Request Forgery);
  • use of known potentially dangerous files (thanks to the Nikto database);
  • weak .htaccess configurations that can be bypassed;
  • presence of backup files that disclose sensitive information (source code disclosure);
  • Shellshock;
  • open redirects;
  • non-standard HTTP methods that can be resolved (PUT).

Features:

  • HTTP, HTTPS and SOCKS5 proxy support;
  • authentication using several methods: Basic, Digest, Kerberos or NTLM;
  • ability to limit the scan scope (domain, folder, page, URL);
  • automatic removal of one of the parameters in the URL;
  • multiple safeguards against endless scan loops (example: limiting the values for a parameter);
  • ability to set the first URLs to check (even if they are outside the scan scope);
  • ability to exclude some URLs from the scan and the attacks (example: logout URL);
  • cookie import (obtained using the wapiti-getcookie tool);
  • ability to enable/disable SSL certificate verification;
  • ability to extract URLs from JavaScript (a very simple JS interpreter);
  • interaction with HTML5;
  • several options for controlling crawler behaviour and limits;
  • setting a maximum time for the scan process;
  • adding custom HTTP headers or setting a custom User-Agent.

Additional features:

  • generating vulnerability reports in various formats (HTML, XML, JSON, TXT);
  • pausing and resuming a scan or attack (session mode using an SQLite3 database);
  • terminal highlighting to emphasize vulnerabilities;
  • different logging levels;
  • a fast and easy way to enable/disable attack modules.

Installation

The current version of Wapiti can be installed in 2 ways:

  • download the source from the official site and run the install script, having installed Python3 beforehand;
  • use the pip3 install wapiti3 command.

After this, Wapiti is ready to go.

Working with the tool

To demonstrate how Wapiti works, we will use a specially prepared test stand, sites.vulns.pentestit.ru (an internal resource), containing various vulnerabilities (Injection, XSS, LFI/RFI) and other web application flaws.

The information is provided for informational purposes only. Do not break the law!

The basic command for launching the scanner:

# wapiti -u <target> <options>

There is also detailed help with a large number of launch options, for example:

--scope - the scan scope
By specifying the scope parameter together with the crawl URL, you can adjust the crawl area of the site, specifying either a single page or all pages found on the site.

-s and -x - options for adding or removing specific URLs. These options are useful when you need to add or remove a specific URL during the crawling process.

--skip - the parameter specified with this key will be scanned but not attacked. Useful if there are dangerous parameters that are better excluded during scanning.

--verify-ssl - enable or disable certificate verification.

The Wapiti scanner is modular. However, to launch specific modules, including those that are loaded automatically while the scanner is running, you need to use the -m switch and list the ones you need, separated by commas. If the key is not used, all modules run by default. In the simplest form it looks like this:

# wapiti -u http://sites.vulns.pentestit.ru/ -m sql,xss,xxe

This usage example means that only the SQL, XSS and XXE modules will be used when scanning the target. In addition, you can filter the operation of modules by HTTP method. For example -m "xss:get,blindsql:post,xxe:post". In this case the xss module will be applied to requests sent using the GET method, and the blindsql module to POST requests, etc. By the way, if some module included in the list turns out to be unnecessary during the scan or takes too long, you can press Ctrl+C and skip the current module by selecting the corresponding item in the interactive menu.

Wapiti supports passing requests through a proxy using the -p key and authenticating on the target site using the -a parameter. You can also specify the authentication type: Basic, Digest, Kerberos and NTLM. The last two may require additional modules to be installed. In addition, you can insert any headers into requests (including an arbitrary User-Agent) and much more.

For authentication you can use the wapiti-getcookie tool. With its help, we form a cookie that Wapiti will use when scanning. The cookie is created with the command:

# wapiti-getcookie -u http://sites.vulns.pentestit.ru/login.php -c cookie.json

Working interactively, we answer the questions and provide the necessary information such as login, password, etc.:


The output is a file in JSON format. Another option is to pass all the necessary information via the -d parameter:

# wapiti-getcookie -u http://sites.vulns.pentestit.ru/login.php -c cookie.json -d "username=admin&password=admin&enter=submit"

The result will be similar:


Having worked through the main functionality of the scanner, the final command for testing the web application in our case was:

# wapiti --level 1 -u http://sites.vulns.pentestit.ru/ -f html -o /tmp/vulns.html -m all --color -c cookie.json --scope folder --flush-session -A 'Pentestit Scans' -p http://proxy.office.pentestit.ru:3128

where, among other parameters:

-f and -o - the format and path for saving the report;

-m - enabling all modules is not recommended, since it affects the testing time and the size of the report;

--color - highlight the found vulnerabilities according to their criticality as judged by Wapiti itself;

-c - use the cookie file generated with wapiti-getcookie;

--scope - choosing the attack target. With the folder option, every URL will be crawled and attacked, starting from the base one. The base URL must have a trailing slash (no file name);

--flush-session - allows repeated scanning, with previous results ignored;

-A - a custom User-Agent;

-p - the proxy server address, if needed.

A little about the report

The scan result is presented as a detailed report on all found vulnerabilities in HTML page format, in a clear and easy-to-read form. The report shows the categories and number of vulnerabilities found, their descriptions, the requests, their curl commands and tips on how to fix them. For ease of navigation, each category name is a link that takes you to that category:


The big drawback of the report is the absence of a web application map as such, without which it is not clear whether all addresses and parameters were analyzed. There is also a chance of false positives. In our case, the report includes "backup files" and "potentially dangerous files". Their number does not correspond to reality, since there were no such files on the server:


Perhaps the incorrectly working modules will be fixed over time. Another drawback of the report is the lack of coloring of the found vulnerabilities (by criticality), or at least a division into categories. The only way to get an indirect idea of the criticality of a found vulnerability is to use the --color parameter during the scan, and then the found vulnerabilities are colored differently in the terminal:


But the report itself does not provide such coloring.
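Since the HTML report has no severity coloring and the backup/dangerous-file modules produced false positives on our stand, a practical workaround is to generate the report in JSON as well (-f json) and post-process it. The script below is an added example, not part of the article or of Wapiti itself; the report field names ("vulnerabilities", "method", "path", "parameter", "info", "level") and the meaning of "level" are assumptions about the Wapiti 3 JSON format, and the report content is a constructed sample.

```python
import json
from collections import Counter

# Constructed sample in the assumed shape of a Wapiti 3 JSON report (-f json).
# Field names are an assumption; adjust them if your Wapiti version differs.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {
        "SQL Injection": [
            {"method": "GET", "path": "/item.php", "parameter": "id",
             "info": "MySQL Injection via injection in the parameter id", "level": 2},
        ],
        "Cross Site Scripting": [
            {"method": "POST", "path": "/guestbook.php", "parameter": "message",
             "info": "XSS vulnerability found via injection in the parameter message", "level": 1},
        ],
        "Backup file": [
            {"method": "GET", "path": "/index.php~", "parameter": "", "info": "Backup file found", "level": 1},
            {"method": "GET", "path": "/config.php.bak", "parameter": "", "info": "Backup file found", "level": 1},
        ],
        "Potentially dangerous file": [],
    },
})

# Categories that produced false positives on the article's test stand:
# findings there are queued for manual confirmation instead of being trusted.
NEEDS_MANUAL_CHECK = {"Backup file", "Potentially dangerous file"}

def severity(level):
    # Assumption: Wapiti's numeric "level" is 1 for medium and 2 (or more) for high.
    return "HIGH" if level >= 2 else "MEDIUM"

def triage(report_text):
    """Return (finding count per category, findings sorted for review).

    Confirmed-category HIGH findings come first, then MEDIUM ones, and
    categories needing manual verification go to the end of the list."""
    report = json.loads(report_text)
    counts = Counter()
    findings = []
    for category, items in report.get("vulnerabilities", {}).items():
        counts[category] = len(items)
        for item in items:
            findings.append({
                "category": category,
                "severity": severity(item.get("level", 1)),
                "location": f'{item["method"]} {item["path"]} [{item.get("parameter") or "-"}]',
                "manual_check": category in NEEDS_MANUAL_CHECK,
            })
    findings.sort(key=lambda f: (f["manual_check"], f["severity"] != "HIGH", f["category"]))
    return counts, findings

if __name__ == "__main__":
    counts, findings = triage(SAMPLE_REPORT)
    for f in findings:
        flag = " (verify manually)" if f["manual_check"] else ""
        print(f'{f["severity"]:<6} {f["category"]:<28} {f["location"]}{flag}')
```

Replace SAMPLE_REPORT with the contents of the file written by -o when -f json is used, and extend NEEDS_MANUAL_CHECK as you learn which modules misbehave on your own application.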

Vulnerabilities

SQLi

The scanner coped only partially with the SQLi search. When searching for SQL vulnerabilities on pages where authentication is not required, no problems arise:


It was not possible to find vulnerabilities on pages accessible only after authentication, even using a valid cookie, because apparently soon after successful authentication the session gets "logged out" and the cookie becomes invalid. If the logout function were implemented as a separate script responsible for handling this procedure, it could be excluded entirely with the -x parameter, thereby preventing it from being crawled. Otherwise, there is no way to exclude its processing. This is not a problem with a specific module but with the tool as a whole, yet because of this nuance several injections in the closed area of the resource could not be found.

XSS

The scanner coped with the task well and found all the prepared vulnerabilities:


LFI/RFI

The scanner found all the existing vulnerabilities:


In general, despite the false positives and the missed vulnerabilities, Wapiti, as a free tool, shows quite good results. In any case, it is worth acknowledging that the scanner is quite powerful, flexible and multifunctional, and most importantly free, so it deserves to be used to help administrators and developers obtain basic information about the security state of a web application.

Stay healthy and safe!

Source: www.habr.com
