当前位置: 首页 > 工具软件 > WMAP > 使用案例 >

WMAP

朱经武
2023-12-01

https://www.cnblogs.com/comdodo/p/5324492.html

WMap是一个集成于Metasploit框架中用于测试Web脆弱性的工具,在使用之前,你需要先创建一个数据库连接用于存放扫描的数据、结果,然后加载wmap插件,当你不清楚命令有哪些时,可以使用help命令进行查看帮助。

msf > load wmap

.-.-.-..-.-.-..—..—.

| | | || | | || | || |-‘

-----'-‘-‘-‘-^-'-‘

[WMAP 1.5.1] ===  et [  ] metasploit.com 2012

[*]Successfully loaded plugin: wmap

msf > help

wmap Commands

=============

    Command       Description

    ——-       ———–

    wmap_modules  Manage wmap modules

    wmap_nodes    Manage nodes

    wmap_run      Test targets

    wmap_sites    Manage sites

    wmap_targets  Manage targets

    wmap_vulns    Display web vulns

…snip…


在真正运行扫描之前,需要先使用wmap_sites的-a选项添加一个URL进行扫描,添加了之后你可以使用wmap_sites -l命令查看可用的目标。

msf > wmap_sites -h

[*]  Usage: wmap_targets [options]

    -h        Display this help text

    -a [url]  Add site (vhost,url)

    -l        List all available sites

    -s [id]   Display site structure (vhost,url|ids) (level)

msf > wmap_sites -a http://172.16.194.172

[*] Site created.

msf > wmap_sites -l

[*] Available sites

===============

     Id  Host            Vhost           Port  Proto  # Pages  # Forms

     —  —-            —–           —-  —–  ——-  ——-

     0   172.16.194.172  172.16.194.172  80    http   0        0

然后,将站点添加到“目标”中去,使用wmap_targets命令的-t选项;

msf > wmap_targets -h

[*]Usage: wmap_targets [options]

    -h         Display this help text

    -t [urls]    Define target sites (vhost1,url[space]vhost2,url)

    -d [ids]    Define target sites (id1, id2, id3 …)

    -c         Clean target sites list

    -l          List all target sites

msf > wmap_targets -t http://172.16.194.172/mutillidae/index.php


Once added, we can view our list of targets by using the ‘-l’ switch from the console. 
 

msf > wmap_targets -l

[*] Defined targets

===============

     Id  Vhost           Host            Port  SSL    Path

     —  —–           —-            —-  —    —-

     0   172.16.194.172  172.16.194.172  80    false    /mutillidae/index.php


Using the “wmap_run” command will scan the target system. 
 

msf > wmap_run -h

[*]Usage: wmap_run [options]

    -h                        Display this help text

    -t                        Show all enabled modules

    -m [regex]                Launch only modules that name match provided regex.

    -p [regex]                Only test path defined by regex.

    -e [/path/to/profile]     Launch profile modules against all matched targets.

                              (No profile file runs all enabled modules.)


We first using the “-t” switch to list the modules that will be used to scan the remote system. (使用 wmap_run -l 命令可以列出我们将要使用的扫描模块!)
 

msf > wmap_run -t

[*] Testing target:

[*]     Site: 192.168.1.100 (192.168.1.100)

[*]     Port: 80 SSL: false

[*] ============================================================

[*] Testing started. 2012-01-16 15:46:42 -0500

[*] =[ SSL testing ]=

[*] ============================================================

[*] Target is not SSL. SSL modules disabled.

[*] =[ Web Server testing ]=

[*] ============================================================[*] Loaded auxiliary/admin/http/contentkeeper_fileaccess …[*] Loaded auxiliary/admin/http/tomcat_administration …[*]Loaded auxiliary/admin/http/tomcat_utf8_traversal …[*] Loaded auxiliary/admin/http/trendmicro_dlp_traversal …

..snip…

msf >


All that remains now is to actually run the scan against our target URL. 
 

msf > wmap_run -e

[*] Using ALL wmap enabled modules.

[-] NO WMAP NODES DEFINED. Executing local modules

[*] Testing target:

[*]     Site: 172.16.194.172 (172.16.194.172)

[*]     Port: 80 SSL: false

============================================================

[*] Testing started. 2012-06-27 09:29:13 -0400

[*] =[ SSL testing ]=

============================================================

[*] Target is not SSL. SSL modules disabled.

[*] =[ Web Server testing ]=

============================================================

[*] Module auxiliary/scanner/http/http_version

[*] 172.16.194.172:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )

[*] Module auxiliary/scanner/http/open_proxy

[*] Module auxiliary/scanner/http/robots_txt

..snip…..snip…..snip…

[*] Module auxiliary/scanner/http/soap_xml

[*] Path: /

[*] Server 172.16.194.172:80 returned HTTP 404 for /.  Use a different one.

[*] Module auxiliary/scanner/http/trace_axd

[*] Path: /

[*] Module auxiliary/scanner/http/verb_auth_bypass

[*]

=[ Unique Query testing ]=

============================================================

[*] Module auxiliary/scanner/http/blind_sql_query

[*] Module auxiliary/scanner/http/error_sql_injection

[*] Module auxiliary/scanner/http/http_traversal

[*] Module auxiliary/scanner/http/rails_mass_assignment

[*] Module exploit/multi/http/lcms_php_exec

[*]

=[ Query testing ]=

============================================================

[*]

=[ General testing ]=

============================================================

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Launch completed in 212.01512002944946 seconds.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

[*]

Done.


在扫描执行完了之后,我们可以查看一下数据库中是否存在一些可用的东西—漏洞!

msf > wmap_vulns -l

[*] + [172.16.194.172] (172.16.194.172): scraper /

[*]     scraper Scraper

[*]     GET Metasploitable2 – Linux

[*] + [172.16.194.172] (172.16.194.172): directory /dav/

[*]     directory Directory found.

[*]     GET Res code: 200

[*] + [172.16.194.172] (172.16.194.172): directory /cgi-bin/

[*]     directory Directoy found.

[*]     GET Res code: 403

…snip…

msf >


可以使用 vulns 命令可以查看更详细的信息!
 

msf > vulns

[*]Time: 2012-01-16 20:58:49 UTC Vuln: host=172.16.2.207 port=80 proto=tcp name=auxiliary/scanner/http/options refs=CVE-2005-3398,CVE-2005-3498,OSVDB-877,BID-11604,BID-9506,BID-9561

We can now use this information to gather further information on the reported vulnerability. As pentesters, we would want to investigate each finding further and identify if there are potential methods for attack.

来源: <http://www.offensive-security.com/metasploit-unleashed/WMAP_Web_Scanner>


总结一下使用wmap的具体步骤:

 

  • 进入Metasploit(在这之前最好先运行:service postgresql start && service metasploit start 命令开启这两个基础服务);
  • 然后连接数据库(db_connect){其实应该是默认连接的,但是估计是因为我之前没有注意,在哪个地方翻了个错误,导致后来都得手动连接};
  • 之后加载wmap插件(load wmap);
  • 添加站点:wmap_sites -a URL
  • 列为目标:wmap_targets -t URL
  • 先是将要执行的扫描模块:wmap_run -t
  • 执行扫描:wmap_run -e
  • 在扫描完成之后显示是否存在可利用漏洞:wmap_vulns -l(若要查看更详细的信息,则使用vulns命令)

msf > load wmap

.-.-.-..-.-.-..—..—.

| | | || | | || | || |-‘

-----'-‘-‘-‘-^-'-‘

[WMAP 1.5.1] ===  et [  ] metasploit.com 2012

[*] Successfully loaded plugin: wmap

msf > help

wmap Commands

=============

    Command       Description

    ——-       ———–

    wmap_modules  Manage wmap modules

    wmap_nodes    Manage nodes

    wmap_run      Test targets

    wmap_sites    Manage sites

    wmap_targets  Manage targets

    wmap_vulns    Display web vulns

Core Commands

=============

    Command       Description

    ——-       ———–

    ?             Help menu

    back          Move back from the current context

    banner        Display an awesome metasploit banner

    cd            Change the current working directory

    color         Toggle color

    connect       Communicate with a host

    exit          Exit the console

    go_pro        Launch Metasploit web GUI

    grep          Grep the output of another command

    help          Help menu

    info          Displays information about one or more module

    irb           Drop into irb scripting mode

    jobs          Displays and manages jobs

    kill          Kill a job

    load          Load a framework plugin

    loadpath      Searches for and loads modules from a path

    makerc        Save commands entered since start to a file

    popm          Pops the latest module off the stack and makes it active

    previous      Sets the previously loaded module as the current module

    pushm         Pushes the active or list of modules onto the module stack

    quit          Exit the console

    reload_all    Reloads all modules from all defined module paths

    resource      Run the commands stored in a file

    route         Route traffic through a session

    save          Saves the active datastores

    search        Searches module names and descriptions

    sessions      Dump session listings and display information about sessions

    set           Sets a variable to a value

    setg          Sets a global variable to a value

    show          Displays modules of a given type, or all modules

    sleep         Do nothing for the specified number of seconds

    spool         Write console output into a file as well the screen

    threads       View and manipulate background threads

    unload        Unload a framework plugin

    unset         Unsets one or more variables

    unsetg        Unsets one or more global variables

    use           Selects a module by name

    version       Show the framework and console library version numbers

Database Backend Commands

=========================

    Command           Description

    ——-           ———–

    creds             List all credentials in the database

    db_connect        Connect to an existing database

    db_disconnect     Disconnect from the current database instance

    db_export         Export a file containing the contents of the database

    db_import         Import a scan result file (filetype will be auto-detected)

    db_nmap           Executes nmap and records the output automatically

    db_rebuild_cache  Rebuilds the database-stored module cache

    db_status         Show the current database status

    hosts             List all hosts in the database

    loot              List all loot in the database

    notes             List all notes in the database

    services          List all services in the database

    vulns             List all vulnerabilities in the database

    workspace         Switch between database workspaces

msf > wmap_

wmap_modules  wmap_nodes    wmap_run      wmap_sites    wmap_targets  wmap_vulns   

msf > wmap_sites -a http://www.dvssc.com/

[-] Unable to create site

msf > wmap_sites -a 10.10.10.129

[-] Unable to create site

msf > wmap_sites -a http://10.10.10.129

[-] Unable to create site

msf > wmap_sites -a http://210.21.21.21

[-] Unable to create site

msf > wmap_sites -a http://210.21.21.21/

[-] Unable to create site

msf > wmap_sites -h

[*] Usage: wmap_sites [options]

   -h        Display this help text

   -a [url]  Add site (vhost,url)

   -d [ids]  Delete sites (separate ids with space)

   -l        List all available sites

   -s [id]   Display site structure (vhost,url|ids) (level)

所以,总的来说wmap的利用流程就是:

  wmap_sites -a http://192.168.10.11

  wmap_sites -l

  wmap_targets -t http://192.168.10.11/mutillidae/index.php

  wmap_targets -t

  wmap_run -t

  wmap_run -e

 类似资料:

相关阅读

相关文章

相关问答