
About w3af_api


Today I came across a SaaS product and, chatting with its author, learned that it is built on w3af_api, with other scan types added on top. It looked impressive, so I went and had a look at w3af. The relevant documentation is here.

w3af counts as an old-school tool. I rarely use it anyway; the results never seem as good as I hoped. Its crawler module, for instance, has not been updated in a long time, so a lot of what today's dynamic scripts produce is not captured accurately. Compare:

 - http://testphp.acunetix.com/
 - http://testphp.acunetix.com/AJAX/
 - http://testphp.acunetix.com/AJAX/index.php
 - http://testphp.acunetix.com/AJAX/styles.css
 - http://testphp.acunetix.com/Flash/
 - http://testphp.acunetix.com/Flash/add.fla
 - http://testphp.acunetix.com/Flash/add.swf
 - http://testphp.acunetix.com/Mod_Rewrite_Shop/
 - http://testphp.acunetix.com/Mod_Rewrite_Shop/images/1.jpg
 - http://testphp.acunetix.com/Mod_Rewrite_Shop/images/2.jpg
 - http://testphp.acunetix.com/Mod_Rewrite_Shop/images/3.jpg
 - http://testphp.acunetix.com/artists.php
 - http://testphp.acunetix.com/cart.php
 - http://testphp.acunetix.com/categories.php
 - http://testphp.acunetix.com/disclaimer.php
 - http://testphp.acunetix.com/guestbook.php
 - http://testphp.acunetix.com/hpp/
 - http://testphp.acunetix.com/hpp/params.php
 - http://testphp.acunetix.com/images/logo.gif
 - http://testphp.acunetix.com/images/remark.gif
 - http://testphp.acunetix.com/index.php
 - http://testphp.acunetix.com/listproducts.php
 - http://testphp.acunetix.com/login.php
 - http://testphp.acunetix.com/product.php
 - http://testphp.acunetix.com/redir.php
 - http://testphp.acunetix.com/search.php
 - http://testphp.acunetix.com/secured/
 - http://testphp.acunetix.com/secured/newuser.php
 - http://testphp.acunetix.com/secured/style.css
 - http://testphp.acunetix.com/showimage.php
 - http://testphp.acunetix.com/signup.php
 - http://testphp.acunetix.com/style.css
 - http://testphp.acunetix.com/userinfo.php

That is what w3af crawled. And this is what the crawler I have been tinkering with over the past few days picked up (it fuzzes directories before crawling, so it basically covers what I need):

(screenshot of the author's crawler output, not preserved)

That is not the topic here, though; this post is about w3af_api. Its documentation can be found here. A short rundown:

1. Starting it. There are two main ways. One is to run it directly:

    $ ./w3af_api
     * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)

The other is Docker:

    $ cd extras/docker/scripts/
    $ ./w3af_api_docker
     * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)

2. Authentication. The API uses HTTP Basic authentication (username admin) and you can set your own password. What w3af_api is given is not an encrypted password but its SHA-512 hash, the same value sha512sum prints, so generate the hash and pass it with -p:

    $ echo -n "secret" | sha512sum
    bd2b1aaf7ef4f09be9f52ce2d8d599674d81aa9d6a4421696dc4d93dd0619d682ce56b4d64a9ef097761ced99e0f67265b5f76085e5b0ee7ca4696b2ad6fe2b2  -

    $ ./w3af_api -p "bd2b1aaf7ef4f09be9f52ce2d8d599674d81aa9d6a4421696dc4d93dd0619d682ce56b4d64a9ef097761ced99e0f67265b5f76085e5b0ee7ca4696b2ad6fe2b2"
     * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)

Clients then authenticate as admin with the clear-text password (secret here). Since the stored value is a plain, unsalted SHA-512 of the password, pick a long random one. Both startup commands above bind to 127.0.0.1 only; anyone who can reach the API can launch scans from your machine, so if you ever move it off loopback, do not run it without -p.

The username, password and other settings can also be written into a yml config file and loaded at startup.

3. Using the API

 - Start a new scan: POST /scans/
 - Check a scan's status: GET /scans/0/status
 - List the findings (knowledge base) of a scan: GET /scans/0/kb/
 - Delete a scan and everything stored for it: DELETE /scans/0/
 - List scans: GET /scans/
 - Pause a scan: GET /scans/0/pause
 - Stop a scan: GET /scans/0/stop
 - Read the scan log: GET /scans/0/log

The 0 in these paths is the scan id; POST /scans/ returns it (together with the scan's href) when the scan is created.

A real example, trying one scan:

    import json
    import requests

    # The profile's contents, not its path, go into the request body.
    with open('../core/w3af/profiles/full_audit.pw3af') as f:
        data = {'scan_profile': f.read(),
                'target_urls': ['http://testphp.acunetix.com']}

    # Add auth=('admin', 'secret') if w3af_api was started with -p.
    response = requests.post('http://127.0.0.1:5000/scans/',
                             data=json.dumps(data),
                             headers={'content-type': 'application/json'})

    print(response.text)

scan_profile: required; the contents of the w3af scan profile (a .pw3af file), not the file name.
target_urls: the list of URLs w3af should crawl.
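The authentication and API steps above, put together as an added example (not w3af's code and not the page author's): a small client that drives the endpoints listed above with HTTP Basic auth, run against an in-process stand-in that mimics w3af_api's responses and its -p password check so the whole thing runs offline. Everything in it is constructed or assumed: the stand-in server, the profile text, the single SQL injection finding (a subset of the fields w3af returns for a finding), and the response shapes, which follow the documented ones (POST /scans/ answers 201 with the new scan's id and href; listings come back under items; a kb entry's details sit behind its href). password_hash reproduces `echo -n secret | sha512sum` from step 2.

```python
import base64
import hashlib
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def password_hash(password):  # same digest as: echo -n "<password>" | sha512sum (what -p takes)
    return hashlib.sha512(password.encode()).hexdigest()

# Constructed stand-ins: a fake profile body and a finding carrying a subset of the real kb fields.
PROFILE = "[profile]\ndescription = constructed example profile\n"
FINDING = {"id": 0, "href": "/scans/0/kb/0", "name": "SQL injection", "severity": "High",
           "plugin_name": "sqli", "url": "http://testphp.acunetix.com/userinfo.php", "var": "uname"}

class FakeW3afApi(BaseHTTPRequestHandler):
    """Stand-in for w3af_api: keeps the sha512 hash of the password (as -p does) and checks Basic auth."""
    stored_hash = password_hash("secret")
    scans = {}  # scan id -> summary dict, shared across requests

    def _send(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _dispatch(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain before replying
        auth = self.headers.get("Authorization", "")
        creds = base64.b64decode(auth[6:]).decode() if auth.startswith("Basic ") else ""
        user, _, pw = creds.partition(":")
        if user != "admin" or password_hash(pw) != self.stored_hash:
            return self._send(401, {"code": 401, "message": "Unauthorized"})
        parts = self.path.strip("/").split("/")  # "/scans/0/kb/" -> ["scans", "0", "kb"]
        if parts == ["scans"] and self.command == "POST":  # start a scan
            req = json.loads(body)
            sid = len(self.scans)
            self.scans[sid] = {"id": sid, "href": f"/scans/{sid}", "status": "Running",
                               "target_urls": req["target_urls"]}
            return self._send(201, {"message": "Success", "id": sid, "href": f"/scans/{sid}"})
        if parts == ["scans"]:  # list scans
            return self._send(200, {"items": list(self.scans.values())})
        sid, tail = int(parts[1]), parts[2:]
        if self.command == "DELETE":
            del self.scans[sid]
            return self._send(200, {"message": "Success"})
        if tail == ["status"]:
            status = self.scans[sid]["status"]
            return self._send(200, {"status": status, "is_running": status == "Running"})
        if tail == ["kb"]:  # the listing carries only id/href/name/url; details sit behind href
            return self._send(200, {"items": [{k: FINDING[k] for k in ("id", "href", "name", "url")}]})
        if tail == ["kb", "0"]:
            return self._send(200, FINDING)
        return self._send(404, {"code": 404, "message": "Not found"})

    do_GET = do_POST = do_DELETE = _dispatch
    log_message = lambda self, *args: None  # keep the demo output quiet

OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # never proxy the loopback stand-in

def api_call(base, method, path, body=None, password=None, user="admin"):
    """One w3af_api request; returns (HTTP status, decoded JSON). Credentials travel as HTTP Basic auth."""
    headers = {"Content-Type": "application/json"}
    if password is not None:
        headers["Authorization"] = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base + path, data=data, method=method, headers=headers)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:  # urllib raises on 401/404; hand the code back instead
        return err.code, json.loads(err.read() or b"{}")

def findings(base, sid, password):
    """Follow every kb item's href, because the kb listing omits the finding details."""
    _, listing = api_call(base, "GET", f"/scans/{sid}/kb/", password=password)
    return [api_call(base, "GET", item["href"], password=password)[1] for item in listing["items"]]

def run_demo():
    """Serve the stand-in on a free port and walk the documented scan flow once."""
    server = HTTPServer(("127.0.0.1", 0), FakeW3afApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    new_scan = {"scan_profile": PROFILE, "target_urls": ["http://testphp.acunetix.com"]}
    try:
        unauth = api_call(base, "POST", "/scans/", new_scan)[0]  # no credentials: rejected once -p is set
        code, created = api_call(base, "POST", "/scans/", new_scan, password="secret")
        sid = created["id"]
        running = api_call(base, "GET", f"/scans/{sid}/status", password="secret")[1]["status"]
        names = [f["name"] for f in findings(base, sid, "secret")]
        api_call(base, "DELETE", f"/scans/{sid}", password="secret")
        left = len(api_call(base, "GET", "/scans/", password="secret")[1]["items"])  # instance free again?
    finally:
        server.shutdown()
    return {"unauth": unauth, "create": code, "running": running, "findings": names, "left": left}

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it directly and it prints the result dict: the first POST goes out without credentials and is answered with 401, which is exactly what a w3af_api started with -p should do, while the authenticated calls create the scan, read its status, follow the kb hrefs and delete it. Against a real instance, drop the stand-in and point api_call at http://127.0.0.1:5000 with the password whose hash you passed to -p; the URL shapes are the ones from the list above.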

Checking the scan status (screenshots not preserved)

Listing the findings (screenshot not preserved)

Details of one finding, as returned by its href (/scans/0/kb/29):

    {
      "attributes": {
        "db": "MySQL database",
        "error": "mysql_"
      },
      "cwe_ids": ["89"],
      "cwe_urls": ["https://cwe.mitre.org/data/definitions/89.html"],
      "desc": "SQL injection in a MySQL database was found at: \"http://testphp.acunetix.com/userinfo.php\", using HTTP method POST. The sent post-data was: \"uname=a%27b%22c%27d%22&pass=FrAmE30.\" which modifies the \"uname\" parameter.",
      "fix_effort": 50,
      "fix_guidance": "The only proven method to prevent against SQL injection attacks while still maintaining full application functionality is to use parameterized queries (also known as prepared statements). When utilising this method of querying the database, any value supplied by the client will be handled as a string value rather than part of the SQL query.\n\nAdditionally, when utilising parameterized queries, the database engine will automatically check to make sure the string being used matches that of the column. For example, the database engine will check that the user supplied input is an integer if the database column is configured to contain integers.",
      "highlight": ["mysql_"],
      "href": "/scans/0/kb/29",
      "id": 29,
      "long_description": "Due to the requirement for dynamic content of today's web applications, many rely on a database backend to store data that will be called upon and processed by the web application (or other programs). Web applications retrieve data from the database by using Structured Query Language (SQL) queries.\n\nTo meet demands of many developers, database servers (such as MSSQL, MySQL, Oracle etc.) have additional built-in functionality that can allow extensive control of the database and interaction with the host operating system itself. An SQL injection occurs when a value originating from the client's request is used within a SQL query without prior sanitisation. This could allow cyber-criminals to execute arbitrary SQL code and steal data or use the additional functionality of the database server to take control of more server components.\n\nThe successful exploitation of a SQL injection can be devastating to an organisation and is one of the most commonly exploited web application vulnerabilities.\n\nThis injection was detected as the tool was able to cause the server to respond to the request with a database related error.",
      "name": "SQL injection",
      "owasp_top_10_references": [
        {
          "link": "https://www.owasp.org/index.php/Top_10_2013-A1",
          "owasp_version": "2013",
          "risk_id": 1
        }
      ],
      "plugin_name": "sqli",
      "references": [
        {"title": "SecuriTeam", "url": "http://www.securiteam.com/securityreviews/5DP0N1P76E.html"},
        {"title": "Wikipedia", "url": "http://en.wikipedia.org/wiki/SQL_injection"},
        {"title": "OWASP", "url": "https://www.owasp.org/index.php/SQL_Injection"},
        {"title": "WASC", "url": "http://projects.webappsec.org/w/page/13246963/SQL%20Injection"},
        {"title": "W3 Schools", "url": "http://www.w3schools.com/sql/sql_injection.asp"},
        {"title": "UnixWiz", "url": "http://unixwiz.net/techtips/sql-injection.html"}
      ],
      "response_ids": [1494],
      "severity": "High",
      "tags": ["web", "sql", "injection", "database", "error"],
      "traffic_hrefs": ["/scans/0/traffic/1494"],
      "uniq_id": "82f91e8c-759b-43b9-82cb-59ff9a38a836",
      "url": "http://testphp.acunetix.com/userinfo.php",
      "var": "uname",
      "vulndb_id": 45,
      "wasc_ids": [],
      "wasc_urls": []
    }

That covers most of it: start, pause, stop and delete a scan, and fetch the details and fix guidance of any individual finding. The finding above, for instance, was an error-based detection: the probe a'b"c'd" (uname=a%27b%22c%27d%22) made the server answer with a mysql_ error string (the attributes.error and highlight fields), hence the error tag; the raw request and response that triggered it are reachable through traffic_hrefs (/scans/0/traffic/1494), which is what you need when triaging. And because everything is an API call, the scanning can be distributed. The worker below pulls targets from a RabbitMQ task queue, drives one w3af_api instance per worker, polls it for new findings and stores them through SQLAlchemy:

    import json
    import os
    import sys
    import time

    import pika
    import requests
    import sqlalchemy as db
    from sqlalchemy.ext.declarative import declarative_base
    from sqlalchemy.orm import relationship, sessionmaker

    # database stuff
    Base = declarative_base()


    # scan
    class Scan(Base):
        __tablename__ = 'scans'
        id = db.Column(db.Integer, primary_key=True)
        relative_id = db.Column(db.Integer)
        description = db.Column(db.Text)
        target_url = db.Column(db.String(128))
        start_time = db.Column(db.Time)
        scan_time = db.Column(db.Time, nullable=True)
        profile = db.Column(db.String(32))
        status = db.Column(db.String(32))
        deleted = db.Column(db.Boolean, default=False)
        run_instance = db.Column(db.Unicode(128))
        num_vulns = db.Column(db.Integer, default=0)
        vulns = relationship("Vulnerability", back_populates="scan")
        user_id = db.Column(db.String(40))

        def __repr__(self):
            return '<Scan %d>' % self.id


    # vuln
    class Vulnerability(Base):
        __tablename__ = 'vulns'
        id = db.Column(db.Integer, primary_key=True)
        relative_id = db.Column(db.Integer)  # relative to scans
        stored_json = db.Column(db.Text)  # inefficient, might fix later
        deleted = db.Column(db.Boolean, default=False)
        false_positive = db.Column(db.Boolean, default=False)
        scan_id = db.Column(db.Integer, db.ForeignKey('scans.id'))
        scan = relationship("Scan", back_populates="vulns")

        def __init__(self, id, json, scan_id):
            self.relative_id = id
            self.stored_json = json
            self.scan_id = scan_id

        def __repr__(self):
            return '<Vuln %d>' % self.id


    engine = db.create_engine(os.environ.get('SQLALCHEMY_CONN_STRING'))
    Session = sessionmaker(bind=engine)
    sess = Session()

    credentials = pika.PlainCredentials(os.environ.get('TASKQUEUE_USER'),
                                        os.environ.get('TASKQUEUE_PASS'))
    con = pika.BlockingConnection(pika.ConnectionParameters(host=os.environ.get('TASKQUEUE_HOST'),
                                                            credentials=credentials))

    channelTask = con.channel()
    channelTask.queue_declare(queue='task', durable=True)

    channelResult = con.channel()
    channelResult.queue_declare(queue='result')

    # URL to the w3af REST API instance this worker drives, e.g. http://127.0.0.1:5000
    server = sys.argv[1]

    vul_cnt = 0


    def freeServer(sv, href):
        r = requests.delete(sv + href)
        print(r.text)


    def isFree(sv):
        r = requests.get(sv + '/scans/')
        print(r.text)
        items = json.loads(r.text)['items']
        if len(items) == 0:
            return True
        # number of items > 0
        item = items[0]
        if item['status'] == 'Stopped':
            freeServer(sv, item['href'])
            return True
        return False


    def sendTaskDone(server, href):
        data = {'server': server, 'href': href}
        message = json.dumps(data)
        channelResult.basic_publish(exchange='', routing_key='result', body=message)


    def scann(target):
        with open('../core/w3af/profiles/full_audit.pw3af') as f:
            data = {'scan_profile': f.read(), 'target_urls': [target]}
        response = requests.post(server + '/scans/',
                                 data=json.dumps(data),
                                 headers={'content-type': 'application/json'})
        print(response.status_code)
        print(response.text)  # requests.Response has no .data attribute
        print(response.headers)


    def getVul(sv, href):
        r = requests.get(sv + href)
        # db.insert(r.text)


    def getVulsList(sv, href):
        global vul_cnt
        r = requests.get(sv + href + '/kb/')
        vuls = json.loads(r.text)['items']
        l = len(vuls)
        if l > vul_cnt:
            for vul in vuls:
                if vul['id'] >= vul_cnt:
                    getVul(sv, vul['href'])
        vul_cnt = l


    # on receiving message
    def callback(ch, method, properties, body):
        print('Got message %s' % body)
        task = json.loads(body)
        scan = sess.query(Scan).filter_by(id=task['scan_id']).first()
        if scan is None:  # unknown scan id: drop the message instead of crashing the worker
            print('No scan row for id %s' % task['scan_id'])
            ch.basic_ack(delivery_tag=method.delivery_tag)
            return
        scann(task['target'])
        task_done = False
        time.sleep(1)
        step = 0
        last_vuln_len = 0
        sv = server
        # tell gateway server that the task is loaded on this instance
        scan.run_instance = server
        while True:
            # update scan status; check if freed
            list_scans = json.loads(requests.get(sv + '/scans/').text)['items']  # currently just 1
            if len(list_scans) == 0:  # freed
                break
            currentpath = list_scans[0]['href']
            # update vuln list: the kb listing only carries id/href/name/url, so follow each href
            r = requests.get(sv + currentpath + '/kb/')
            items = json.loads(r.text)['items']
            for i in range(last_vuln_len, len(items)):
                v = Vulnerability(i + 1, requests.get(sv + items[i]['href']).text, task['scan_id'])
                sess.add(v)
                sess.commit()
                scan.num_vulns = (scan.num_vulns or 0) + 1
            last_vuln_len = len(items)
            scan.status = list_scans[0]['status']
            sess.commit()
            if scan.status == 'Stopped' and not task_done:
                task_done = True
                requests.delete(sv + currentpath)  # free the instance; the next poll sees no scans
            step += 1
            if step == 9:
                con.process_data_events()  # MQ heartbeat
                step = 0
            time.sleep(5)  # avoid over consumption
        # TODO: send mails to list when the scan is stopped or completed
        print('Done')
        ch.basic_ack(delivery_tag=method.delivery_tag)


    channelTask.basic_qos(prefetch_count=1)
    # pika >= 1.0 argument order; pika 0.x was basic_consume(callback, queue='task')
    channelTask.basic_consume(queue='task', on_message_callback=callback)

    print('[*] Waiting for message')

    channelTask.start_consuming()

Two things to watch when running this. The worker sends no credentials, so it only works against a w3af_api started without -p; once you set a password, every requests call needs auth=('admin', password). And the API address comes straight from argv and is trusted completely, with the scan results being whatever that instance returns, so keep each w3af_api bound to 127.0.0.1 (as in the startup output above) or on a network only the workers can reach.

 

Reproduction without permission prohibited: 杂术馆 » About w3af_api