What is WMAP?
WMAP is a feature-rich web application vulnerability scanner that was originally created from a tool named SQLMap. This tool is integrated with Metasploit and allows us to conduct web application scanning from within the Metasploit Framework.
Vulnerability scanning with WMAP
First, we create a new database to store our WMAP scan results, load the wmap plugin, and run help to see what new commands are available to us.
msf > load wmap

.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] ===  et [  ] metasploit.com 2012
[*] Successfully loaded plugin: wmap

msf > help

wmap Commands
=============

    Command       Description
    -------       -----------
    wmap_modules  Manage wmap modules
    wmap_nodes    Manage nodes
    wmap_run      Test targets
    wmap_sites    Manage sites
    wmap_targets  Manage targets
    wmap_vulns    Display web vulns

...snip...
Prior to running a web application scan, we first need to add a new target URL by passing the -a switch to wmap_sites. Afterwards, running wmap_sites -l will print out the available targets.
msf > wmap_sites -h
[*] Usage: wmap_targets [options]
    -h        Display this help text
    -a [url]  Add site (vhost,url)
    -l        List all available sites
    -s [id]   Display site structure (vhost,url|ids) (level)

msf > wmap_sites -a http://172.16.194.172
[*] Site created.

msf > wmap_sites -l
[*] Available sites
===============

    Id  Host            Vhost           Port  Proto  # Pages  # Forms
    --  ----            -----           ----  -----  -------  -------
    0   172.16.194.172  172.16.194.172  80    http   0        0
Next, we add the site as a target with wmap_targets.
msf > wmap_targets -h
[*] Usage: wmap_targets [options]
    -h        Display this help text
    -t [urls] Define target sites (vhost1,url[space]vhost2,url)
    -d [ids]  Define target sites (id1, id2, id3 ...)
    -c        Clean target sites list
    -l        List all target sites

msf > wmap_targets -t http://172.16.194.172/mutillidae/index.php
Once added, we can view our list of targets by using the -l switch from the console.
msf > wmap_targets -l
[*] Defined targets
===============

    Id  Vhost           Host            Port  SSL    Path
    --  -----           ----            ----  ---    ----
    0   172.16.194.172  172.16.194.172  80    false  /mutillidae/index.php
Using the wmap_run command will scan the target system.
msf > wmap_run -h
[*] Usage: wmap_run [options]
    -h                    Display this help text
    -t                    Show all enabled modules
    -m [regex]            Launch only modules that name match provided regex.
    -p [regex]            Only test path defined by regex.
    -e [/path/to/profile] Launch profile modules against all matched targets.
                          (No profile file runs all enabled modules.)
We first use the -t switch to list the modules that will be used to scan the remote system.
msf > wmap_run -t

[*] Testing target:
[*]     Site: 192.168.1.100 (192.168.1.100)
[*]     Port: 80 SSL: false
[*] ============================================================
[*] Testing started. 2012-01-16 15:46:42 -0500
[*]
=[ SSL testing ]=
[*] ============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
[*] ============================================================
[*] Loaded auxiliary/admin/http/contentkeeper_fileaccess ...
[*] Loaded auxiliary/admin/http/tomcat_administration ...
[*] Loaded auxiliary/admin/http/tomcat_utf8_traversal ...
[*] Loaded auxiliary/admin/http/trendmicro_dlp_traversal ...
...snip...

msf >
All that is left now is to actually run the WMAP scan against our target URL.
msf > wmap_run -e
[*] Using ALL wmap enabled modules.
[-] NO WMAP NODES DEFINED. Executing local modules
[*] Testing target:
[*]     Site: 172.16.194.172 (172.16.194.172)
[*]     Port: 80 SSL: false
============================================================
[*] Testing started. 2012-06-27 09:29:13 -0400
[*]
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version

[*] 172.16.194.172:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/scanner/http/robots_txt

...snip...
...snip...
...snip...

[*] Module auxiliary/scanner/http/soap_xml
[*] Path: /
[*] Server 172.16.194.172:80 returned HTTP 404 for /.  Use a different one.
[*] Module auxiliary/scanner/http/trace_axd
[*] Path: /
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*]
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*]
=[ Query testing ]=
============================================================
[*]
=[ General testing ]=
============================================================
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Launch completed in 212.01512002944946 seconds.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[*] Done.
Once the scan has finished executing, we take a look at the database to see if WMAP found anything of interest.
msf > wmap_vulns -l
[*] + [172.16.194.172] (172.16.194.172): scraper /
[*]     scraper Scraper
[*]     GET Metasploitable2 - Linux
[*] + [172.16.194.172] (172.16.194.172): directory /dav/
[*]     directory Directory found.
[*]     GET Res code: 200
[*] + [172.16.194.172] (172.16.194.172): directory /cgi-bin/
[*]     directory Directoy found.
[*]     GET Res code: 403

...snip...

msf >
Looking at the above output, we can see that WMAP has reported one vulnerability. Running vulns will list the details for us.
msf > vulns

[*] Time: 2012-01-16 20:58:49 UTC Vuln: host=172.16.2.207 port=80 proto=tcp name=auxiliary/scanner/http/options refs=CVE-2005-3398,CVE-2005-3498,OSVDB-877,BID-11604,BID-9506,BID-9561

msf >
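The whole workflow above, from creating the database workspace to reviewing the results, can be replayed as a Metasploit resource script instead of being typed command by command. This is an added example, not part of the original page or of the Metasploit project; the workspace name wmap_demo, the file name wmap_scan.rc and the use of the same 172.16.194.172/mutillidae target as the session above are assumptions, and every command in it is one already shown on this page (plus workspace and db_status, which are standard msfconsole commands).

```text
# wmap_scan.rc (assumed file name): replay of the WMAP walkthrough
# Run with:  msfconsole -q -r wmap_scan.rc

# Results are stored in the database, so confirm it is connected first
db_status

# Create (and switch to) a dedicated workspace for this scan's results
workspace -a wmap_demo

# Load the plugin that adds the wmap_* commands
load wmap

# Register the site, then define the exact URL to test as a target
wmap_sites -a http://172.16.194.172
wmap_sites -l
wmap_targets -c
wmap_targets -t http://172.16.194.172/mutillidae/index.php
wmap_targets -l

# Show which modules are enabled, then run them all against the target
wmap_run -t
wmap_run -e

# Review what WMAP recorded, then the vulns table with its references
wmap_vulns -l
vulns
```

Because every wmap_* command reads and writes the Metasploit database, the script assumes db_status reports a connected database; if it does not, connect one before the workspace line or the site and target definitions will not persist. Keeping a separate workspace per engagement also makes the wmap_vulns and vulns output easy to attribute to one scan when results are reviewed later.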
Since we used WMAP to run a vulnerability scan, we can now use these results to gather more information about the reported vulnerability. As testers, we want to investigate each finding further and determine whether there are potential methods of attack.