metasploit中php_cgi,METASPLOIT使用WMAP网络扫描仪

什么是WMAP？

WMAP是功能丰富的Web应用程序漏洞扫描程序，最初是通过名为SQLMap的工具创建的。该工具与Metasploit集成在一起，使我们能够从Metasploit框架内进行Web应用程序扫描。

使用WMAP进行漏洞扫描

首先，我们首先创建一个新数据库来存储WMAP扫描结果，加载wmap插件，然后运行 help 以查看哪些新命令可供我们使用。

msf > load wmap

.-.-.-..-.-.-..---..---.

| | | || | | || | || |-'

`-----'`-'-'-'`-^-'`-'

[WMAP 1.5.1] === et [ ] metasploit.com 2012

[*] Successfully loaded plugin: wmap

msf > help

wmap Commands

=============

Command Description

------- -----------

wmap_modules Manage wmap modules

wmap_nodes Manage nodes

wmap_run Test targets

wmap_sites Manage sites

wmap_targets Manage targets

wmap_vulns Display web vulns

...snip...

在运行Web应用程序扫描之前，我们首先需要通过将 -a传递给wmap_sites来添加新的目标URL 。然后，运行wmap_sites -l将打印出可用的目标。

msf > wmap_sites -h

[*] Usage: wmap_targets [options]

-h Display this help text

-a [url] Add site (vhost,url)

-l List all available sites

-s [id] Display site structure (vhost,url|ids) (level)

msf > wmap_sites -a http://172.16.194.172

[*] Site created.

msf > wmap_sites -l

[*] Available sites

===============

Id Host Vhost Port Proto # Pages # Forms

-- ---- ----- ---- ----- ------- -------

0 172.16.194.172 172.16.194.172 80 http 0 0

接下来，我们使用wmap_targets将站点添加为目标。

msf > wmap_targets -h

[*] Usage: wmap_targets [options]

-h Display this help text

-t [urls]Define target sites (vhost1,url[space]vhost2,url)

-d [ids]Define target sites (id1, id2, id3 ...)

-c Clean target sites list

-l List all target sites

msf > wmap_targets -t http://172.16.194.172/mutillidae/index.php

添加后，我们可以使用控制台中的-l开关查看目标列表。

msf > wmap_targets -l

[*] Defined targets

===============

Id Vhost Host Port SSL Path

-- ----- ---- ---- --- ----

0 172.16.194.172 172.16.194.172 80 false/mutillidae/index.php

使用wmap_run命令将扫描目标系统。

msf > wmap_run -h

[*] Usage: wmap_run [options]

-h Display this help text

-t Show all enabled modules

-m [regex] Launch only modules that name match provided regex.

-p [regex] Only test path defined by regex.

-e [/path/to/profile] Launch profile modules against all matched targets.

(No profile file runs all enabled modules.)

我们首先使用-t开关列出将用于扫描远程系统的模块。

msf > wmap_run -t

[*] Testing target:

[*] Site: 192.168.1.100 (192.168.1.100)

[*] Port: 80 SSL: false

[*] ============================================================

[*] Testing started. 2012-01-16 15:46:42 -0500

[*]

=[ SSL testing ]=

[*] ============================================================

[*] Target is not SSL. SSL modules disabled.

[*]

=[ Web Server testing ]=

[*] ============================================================

[*] Loaded auxiliary/admin/http/contentkeeper_fileaccess ...

[*] Loaded auxiliary/admin/http/tomcat_administration ...

[*] Loaded auxiliary/admin/http/tomcat_utf8_traversal ...

[*] Loaded auxiliary/admin/http/trendmicro_dlp_traversal ...

...snip...

msf >

现在剩下的就是对我们的目标URL实际运行WMAP扫描。

msf > wmap_run -e

[*] Using ALL wmap enabled modules.

[-] NO WMAP NODES DEFINED. Executing local modules

[*] Testing target:

[*] Site: 172.16.194.172 (172.16.194.172)

[*] Port: 80 SSL: false

============================================================

[*] Testing started. 2012-06-27 09:29:13 -0400

[*]

=[ SSL testing ]=

============================================================

[*] Target is not SSL. SSL modules disabled.

[*]

=[ Web Server testing ]=

============================================================

[*] Module auxiliary/scanner/http/http_version

[*] 172.16.194.172:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )

[*] Module auxiliary/scanner/http/open_proxy

[*] Module auxiliary/scanner/http/robots_txt

...snip...

...snip...

...snip...

[*] Module auxiliary/scanner/http/soap_xml

[*] Path: /

[*] Server 172.16.194.172:80 returned HTTP 404 for /. Use a different one.

[*] Module auxiliary/scanner/http/trace_axd

[*] Path: /

[*] Module auxiliary/scanner/http/verb_auth_bypass

[*]

=[ Unique Query testing ]=

============================================================

[*] Module auxiliary/scanner/http/blind_sql_query

[*] Module auxiliary/scanner/http/error_sql_injection

[*] Module auxiliary/scanner/http/http_traversal

[*] Module auxiliary/scanner/http/rails_mass_assignment

[*] Module exploit/multi/http/lcms_php_exec

[*]

=[ Query testing ]=

============================================================

[*]

=[ General testing ]=

============================================================

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Launch completed in 212.01512002944946 seconds.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

[*] Done.

扫描完成执行后，我们看一下数据库，看看WMAP是否找到了感兴趣的东西。

msf > wmap_vulns -l

[*] + [172.16.194.172] (172.16.194.172): scraper /

[*] scraper Scraper

[*] GET Metasploitable2 - Linux

[*] + [172.16.194.172] (172.16.194.172): directory /dav/

[*] directory Directory found.

[*] GET Res code: 200

[*] + [172.16.194.172] (172.16.194.172): directory /cgi-bin/

[*] directory Directoy found.

[*] GET Res code: 403

...snip...

msf >

查看以上输出，我们可以看到WMAP报告了一个漏洞。正在运行的外伤将为我们列出详细信息。

msf > vulns

[*] Time: 2012-01-16 20:58:49 UTC Vuln: host=172.16.2.207 port=80 proto=tcp name=auxiliary/scanner/http/options refs=CVE-2005-3398,CVE-2005-3498,OSVDB-877,BID-11604,BID-9506,BID-9561

msf >

由于我们使用WMAP进行漏洞扫描，因此我们现在可以使用这些结果来收集有关所报告漏洞的更多信息。作为测试者，我们希望进一步调查每个发现，并确定是否存在潜在的攻击方法。