简介
WMAP是一个功能丰富的Web应用程序漏洞扫描程序,最初是从名为SQLMap的工具创建的。该工具与Metasploit集成,允许我们从Metasploit框架内进行Web应用程序扫描。
拥有高效的工作流程是任何工具的重要组成部分,但在探测应用程序的漏洞时尤为重要。虽然Metasploit在开发时被认为是事实上的标准,但它也包含其他活动的模块,例如scanning。例如,WMAP,一种可在Metasploit框架内使用的Web应用程序扫描程序。
Web应用程序扫描程序是用于识别Web应用程序中存在的漏洞的工具。WMAP可以轻松保持流畅的工作流程,因为它可以在Metasploit内部工作时加载和运行
实践操作
步骤一
在运行 Metasploit 终端前,我们需要先启动用于存储扫描结果的数据库服务:root@kali:~# service postgresql start
步骤二
启动命令行终端,运行 Metasploit 控制台:root@kali:~# msfconsole
步骤三
加载WMAP
使用load wmap命令加载WMAP模块:msf > load wmap
从这里,如果我们打字?要显示Metasploit的帮助菜单,我们应该在菜单顶部看到WMAP的命令及其描述。1
2
3
4
5
6
7
8
9
10
11
12msf > ?
wmap Commands
=============
Command Description
------- -----------
wmap_modules Manage wmap modules 管理wmap模块
wmap_nodes Manage nodes 管理节点
wmap_run Test targets 测试目标
wmap_sites Manage sites 管理网站
wmap_targets Manage targets 管理目标
wmap_vulns Display web vulns 显示网页漏洞
步骤四
添加要扫描的站点
键入任何命令以显示其可用选项; 让我们从使用wmap_sites管理我们希望扫描的网站开始。1
2
3
4
5
6
7msf > wmap_sites
[*] Usage: wmap_sites [options]
-h Display this help text 显示此帮助文本
-a [url] Add site (vhost,url) 添加站点(vhost,url)
-d [ids] Delete sites (separate ids with space) 删除站点(用空格分隔id)
-l List all available sites 列出所有可用站点
-s [id] Display site structure (vhost,url|ids) (level) (unicode output true/false) 显示站点结构(vhost,url,ids)(级别)(Unicode输出真/假)
要添加站点,请使用带有-a标志的wmap_sites,后跟站点地址。1
2msf > wmap_sites -a http://192.168.126.142
[*] Site created. 站点创建
现在我们可以使用带有-l标志的wmap_sites列出可用站点1
2
3
4
5
6
7msf > wmap_sites -l
[*] Available sites
===============
Id Host Vhost Port Proto # Pages # Forms
-- ---- ----- ---- ----- ------- -------
0 192.168.126.142 192.168.126.142 80 http 0 0
步骤五
指定目标URL
接下来,我们需要使用wmap_targets设置我们要扫描的特定目标网址。1
2
3
4
5
6
7msf > wmap_targets
[*] Usage: wmap_targets [options]
-h Display this help text 显示此帮助文本
-t [urls] Define target sites (vhost1,url[space]vhost2,url) 定义目标站点(vhost1,url[space]vhost2,url)
-d [ids] Define target sites (id1, id2, id3 ...) 定义目标站点(id1,id2,id3 ......)
-c Clean target sites list 清理目标站点列表
-l List all target sites 列出所有目标站点
我们可以使用带有-t标志的wmap_targets定义目标,然后是URL。
msf > wmap_targets -t http://192.168.126.142/index.php
并使用带有-l标志的wmap_targets列出已定义的目标1
2
3
4
5
6
7msf > wmap_targets -l
[*] Defined targets
===============
Id Vhost Host Port SSL Path
-- ----- ---- ---- --- ----
0 192.168.126.142 192.168.126.142 80 false /index.php
我们现在应该很好,所以唯一要做的就是实际运行扫描仪。
步骤六
运行扫描仪
在提示符下键入wmap_run以查看此命令的选项1
2
3
4
5
6
7
8msf > wmap_run
[*] Usage: wmap_run [options]
-h Display this help text 显示此帮助文本
-t Show all enabled modules 显示所有已启用的模块
-m [regex] Launch only modules that name match provided regex. 仅启动名称匹配的模块提供正则表达式
-p [regex] Only test path defined by regex. 仅由正则表达式定义的测试路径
-e [/path/to/profile] Launch profile modules against all matched targets. 针对所有匹配的目标启动配置文件模块
(No profile file runs all enabled modules.) 没有配置文件运行所有已启用的模块
在扫描目标之前,我们可以使用带有-t标志的wmap_run列出所有已启用的模块1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64msf > wmap_run -t
[*] Testing target: 测试目标
[*] Site: 192.168.126.142 (192.168.126.142) 网站
[*] Port: 80 SSL: false 端口
============================================================
[*] Testing started. 2019-01-12 18:34:02 +0800 测试开始
[*] Loading wmap modules...
[*] 39 wmap enabled modules loaded.
[*]
=[ SSL testing ]= SSL测试
============================================================
[*] Target is not SSL. SSL modules disabled. 目标不是SSL。模糊测试已禁用
[*]
=[ Web Server testing ]= web服务器测试
============================================================
[*] Module auxiliary/scanner/http/http_version
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[*] Module auxiliary/scanner/http/frontpage_login
[*] Module auxiliary/scanner/http/host_header_injection
[*] Module auxiliary/scanner/http/options
[*] Module auxiliary/scanner/http/robots_txt
[*] Module auxiliary/scanner/http/scraper
[*] Module auxiliary/scanner/http/svn_scanner
[*] Module auxiliary/scanner/http/trace
[*] Module auxiliary/scanner/http/vhost_scanner
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Module auxiliary/scanner/http/webdav_scanner
[*] Module auxiliary/scanner/http/webdav_website_content
[*]
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Module auxiliary/scanner/http/copy_of_file
[*] Module auxiliary/scanner/http/dir_listing
[*] Module auxiliary/scanner/http/dir_scanner
[*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/file_same_name_dir
[*] Module auxiliary/scanner/http/files_dir
[*] Module auxiliary/scanner/http/http_put
[*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/prev_dir_same_name_file
[*] Module auxiliary/scanner/http/replace_ext
[*] Module auxiliary/scanner/http/soap_xml
[*] Module auxiliary/scanner/http/trace_axd
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*]
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*]
=[ Query testing ]=
============================================================
[*]
=[ General testing ]=
============================================================
[*] Done.
有一些不同类别的模块,包括用于目录测试,查询测试,Web服务器测试和SSL测试的模块,尽管我们可以看到我们的目标不使用SSL,因此这些模块被禁用。要获得任何给定模块的详细说明,请使用info命令,后跟列出的模块的完整路径。例如1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25msf > info auxiliary/scanner/http/http_version
Name: HTTP Version Detection
Module: auxiliary/scanner/http/http_version
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
hdm <x@hdm.io>
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
THREADS 1 yes The number of concurrent threads
VHOST no HTTP server virtual host
Description:
Display version information about each system.
回到扫描。让我们使用带有-e标志的wmap_run开始扫描,该标志将运行所有模块而不是指定的模块。根据目标站点和已启用模块的数量,扫描可能需要相当长的时间才能完成。完成后,扫描将显示完成所需的时间1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52msf > wmap_run -e
[*] Using ALL wmap enabled modules.
[-] NO WMAP NODES DEFINED. Executing local modules
[*] Testing target:
[*] Site: 192.168.126.142 (192.168.126.142)
[*] Port: 80 SSL: false
============================================================
[*] Testing started. 2019-01-12 18:41:14 +0800
[*]
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[+] 192.168.126.142:80 Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45 ( Powered by PHP/5.4.45 )
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Attempting to connect to 192.168.126.142:80
[+] No File(s) found
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[-] 192.168.126.142 does not appear to be vulnerable, will not continue
[*] Module auxiliary/scanner/http/frontpage_login
[*] 192.168.126.142:80 - http://192.168.126.142/ may not support FrontPage Server Extensions
[*] Module auxiliary/scanner/http/host_header_injection
[*] Module auxiliary/scanner/http/options
[*] Module auxiliary/scanner/http/robots_txt
[*] Module auxiliary/scanner/http/scraper
[+] [192.168.126.142] / [upload-labs]
[*] Module auxiliary/scanner/http/svn_scanner
[*] Using code '404' as not found.
[*] Module auxiliary/scanner/http/trace
[*] Module auxiliary/scanner/http/vhost_scanner
[*] >> Exception during launch from auxiliary/scanner/http/vhost_scanner: The following options failed to validate: DOMAIN.
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Module auxiliary/scanner/http/webdav_scanner
[*] 192.168.126.142 (Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45) WebDAV disabled.
[*] Module auxiliary/scanner/http/webdav_website_content
[*]
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Path: /
[*] Using code '404' as not found.
[+] Found http://192.168.126.142:80/js/ 403
[+] Found http://192.168.126.142:80/aux/ 403
[+] Found http://192.168.126.142:80/con/ 403
[+] Found http://192.168.126.142:80/css/ 403
步骤七
解释结果
最后,我们可以输入wmap_vulns -l命令来显示扫描结果。1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34msf > wmap_vulns -l
[*] + [192.168.126.142] (192.168.126.142): scraper /
[*] scraper Scraper
[*] GET upload-labs
[*] + [192.168.126.142] (192.168.126.142): directory /aux/
[*] directory Directory found.
[*] GET Res code: 403
[*] + [192.168.126.142] (192.168.126.142): directory /con/
[*] directory Directory found.
[*] GET Res code: 403
[*] + [192.168.126.142] (192.168.126.142): directory /nul/
[*] directory Directory found.
[*] GET Res code: 403
[*] + [192.168.126.142] (192.168.126.142): directory /prn/
[*] directory Directory found.
[*] GET Res code: 403
[*] + [192.168.126.142] (192.168.126.142): directory /.../
[*] directory Directoy found.
[*] GET Res code: 403
[*] + [192.168.126.142] (192.168.126.142): directory /css/
[*] directory Directoy found.
[*] GET Res code: 403
[*] + [192.168.126.142] (192.168.126.142): directory /doc/
[*] directory Directoy found.
[*] GET Res code: 403
[*] + [192.168.126.142] (192.168.126.142): directory /img/
[*] directory Directoy found.
[*] GET Res code: 403
[*] + [192.168.126.142] (192.168.126.142): directory /js/
[*] directory Directoy found.
[*] GET Res code: 403
[*] + [192.168.126.142] (192.168.126.142): directory /upload/
[*] directory Directoy found.
[*] GET Res code: 403
我们可以看到它发现了一些可能值得进一步调查的可能有趣的目录:
/ cgi-bin /目录允许执行脚本并直接在服务器上执行类似控制台的功能。
/ phpMyAdmin /目录是MySQL数据库系统的开源管理工具。
/ dav /目录允许用户远程协作和执行Web创作活动。
WMAP可能不会像其他Web应用程序漏洞扫描程序那样返回详细结果,但这些信息可以成为探索不同攻击途径的有用起点。事实上,这个扫描仪可以从Metasploit框架中轻松加载和使用,这使它成为了解如何使用的有用工具。
总结
Metasploit是一个功能强大的工具,不仅可以用于开发,还具有大量其他模块,可以直接在框架内加载和运行,使其成为渗透测试和道德黑客攻击的绝对强大。
在本教程中,我们学习了如何快速启动和运行Metasploit的数据库系统,以及如何使用WMAP插件扫描Web应用程序中的漏洞。这只是Metasploit框架中许多非常有用的模块之一,每天都有更多的模块可以满足各地白帽的需求。