This article records the detailed process of learning to use Kali Linux 2017.1 for penetration testing; the material follows the "Kali Linux Penetration Testing" course from 安全牛课堂.
- Basic usage of w3af_console
- w3af_console links:
Installing w3af and configuring the desktop and quick-launch entries
Kali Linux Penetration Testing (苑房弘) 076 Scanning tools - w3af authentication
Kali Linux Penetration Testing (苑房弘) 077 Scanning tools - w3af intercepting proxy
Plugin overview
audit: plugins of this type send specially crafted PoC data to the injection points discovered by the crawl plugins to confirm whether a vulnerability exists.
infrastructure: these plugins identify information about the target system, such as the installed WAF, the operating system and the HTTP daemon.
grep: these plugins analyse the HTTP requests and responses sent by other plugins and identify vulnerabilities in them.
evasion: modifies the HTTP requests generated by other plugins in order to bypass simple intrusion-detection rules.
mangle: allows regular-expression-based modification of requests and responses.
auth:
bruteforce: performs brute-force logins during the crawl phase.
output: these plugins save plugin data to text, XML or HTML files. Debug information is also sent to the output plugins and can be saved and analysed. If both the text_file and xml_file output plugins are enabled, both record every vulnerability found by the audit plugins.
crawl: obtains new URLs by crawling the site. If several crawl plugins are enabled, a loop results: plugin A finds a new URL on its first run and w3af passes it to plugin B; if plugin B finds a new URL it is passed back to plugin A. This continues until every plugin has run and no new information can be found.
attack: if an audit plugin finds a vulnerability, the attack plugins exploit it, typically returning a shell on the remote server or, in the case of SQL injection, retrieving data from the database.
Installing and configuring w3af on Kali 2.0
1. Installation
cd ~
apt-get update
apt-get install -y python-pip w3af
pip install --upgrade pip
git clone https://github.com/andresriancho/w3af.git
cd w3af
./w3af_console (or ./w3af_gui)
apt-get build-dep python-lxml
. /tmp/w3af_dependency_install.sh
2. Upgrading
git pull
3. Installing w3af on Kali Linux 2017.1
Quick-launching w3af
1. Create a desktop shortcut (copy or hand-write a kali-w3af.desktop file)
root@attacker:~# cp /usr/share/applications/kali-burpsuite.desktop /root/Desktop/
root@attacker:~# cd Desktop
root@kali:~/Desktop# cat kali-burpsuite.desktop
[Desktop Entry]
Name=burpsuite
Encoding=UTF-8
Exec=sh -c "java -jar /usr/bin/burpsuite"
Icon=kali-burpsuite.png
StartupNotify=false
Terminal=false
Type=Application
Categories=03-webapp-analysis;03-06-web-application-proxies;
X-Kali-Package=burpsuite
root@kali:~/Desktop# vim kali-w3af.desktop
[Desktop Entry]
Name=w3af
Encoding=UTF-8
Exec=sh -c "/usr/local/src/w3af/w3af_gui"
Icon=/usr/local/src/w3af/w3af/core/ui/gui/data/w3af_logo.png
StartupNotify=false
Terminal=false
Type=Application
Categories=03-webapp-analysis;03-05-web-vulnerability-scanners;
X-Kali-Package=w3af
root@attacker:~/Desktop# chmod +x kali-w3af.desktop # make it executable
root@kali:~/Desktop# cp kali-w3af.desktop /usr/share/applications/
# the w3af icon now appears in the application menu for quick launch
2. Create a command-line quick launch (using command aliases)
root@attacker:~# vim .bashrc
# the aliases must point into the cloned w3af directory, the same path used in the .desktop entry above
alias w3af_console='/usr/local/src/w3af/w3af_console'
alias w3af_gui='/usr/local/src/w3af/w3af_gui'
root@attacker:~# source .bashrc # reload the configuration file
root@attacker:~# w3af_console
w3af>>>
w3af_console help
help # show the available commands
plugins # enter the plugins sub-menu
help # show the available commands
list audit # list all audit plugins
audit sqli xss # select the audit plugins to use
http-settings / misc-settings # global configuration
help # show the available commands
view # show the configurable parameters
set # set a parameter
back # return to the previous menu level
Profiles
save_as self-contained # save as a fully self-contained profile, so that dictionaries and other referenced files are not missing when the profile is shared with others
save_as test self-contained
Target
set target http://1.1.1.1/
Start
Script
script/*.w3af
Hands-on with w3af_console
Getting help
root@attacker:~# w3af_console
w3af>>> help
|----------------------------------------------------------------------------------------------------------------------------------|
| start | Start the scan. |
| plugins | Enable and configure plugins. |
| exploit | Exploit the vulnerability. |
| profiles | List and use scan profiles. |
| cleanup | Cleanup before starting a new scan. |
|----------------------------------------------------------------------------------------------------------------------------------|
| help | Display help. Issuing: help [command] , prints more specific help about "command" |
| version | Show w3af version information. |
| keys | Display key shortcuts. |
|----------------------------------------------------------------------------------------------------------------------------------|
| http-settings | Configure the HTTP settings of the framework. |
| misc-settings | Configure w3af misc settings. |
| target | Configure the target URL. |
|----------------------------------------------------------------------------------------------------------------------------------|
| back | Go to the previous menu. |
| exit | Exit w3af. |
|----------------------------------------------------------------------------------------------------------------------------------|
| kb | Browse the vulnerabilities stored in the Knowledge Base |
|----------------------------------------------------------------------------------------------------------------------------------|
The plugins module
w3af>>> plugins
w3af/plugins>>> help
|-----------------------------------------------------------------------------------------------------------------------------------|
| list | List available plugins. |
|-----------------------------------------------------------------------------------------------------------------------------------|
| back | Go to the previous menu. |
| exit | Exit w3af. |
|-----------------------------------------------------------------------------------------------------------------------------------|
| evasion | View, configure and enable evasion plugins |
| auth | View, configure and enable auth plugins |
| grep | View, configure and enable grep plugins |
| audit | View, configure and enable audit plugins |
| bruteforce | View, configure and enable bruteforce plugins |
| output | View, configure and enable output plugins |
| crawl | View, configure and enable crawl plugins |
| infrastructure | View, configure and enable infrastructure plugins |
| mangle | View, configure and enable mangle plugins |
|-----------------------------------------------------------------------------------------------------------------------------------|
w3af/plugins>>> list auth
|---------------------------------------------------------------------------------------------------------------------------------|
| Plugin name | Status | Conf | Description |
|---------------------------------------------------------------------------------------------------------------------------------|
| detailed | | Yes | Detailed authentication plugin. |
| generic | | Yes | Generic authentication plugin. |
|---------------------------------------------------------------------------------------------------------------------------------|
w3af/plugins>>> list audit
|---------------------------------------------------------------------------------------------------------------------------------|
| Plugin name | Status | Conf | Description |
|---------------------------------------------------------------------------------------------------------------------------------|
| blind_sqli | | Yes | Identify blind SQL injection vulnerabilities. |
| buffer_overflow | | | Find buffer overflow vulnerabilities. |
| cors_origin | | Yes | Inspect if application checks that the value of the "Origin" HTTP header isconsistent |
| | | | with the value of the remote IP address/Host of the sender ofthe incoming HTTP request. |
| csrf | | | Identify Cross-Site Request Forgery vulnerabilities. |
| dav | | | Verify if the WebDAV module is properly configured. |
| eval | | Yes | Find insecure eval() usage. |
| file_upload | | Yes | Uploads a file and then searches for the file inside all known directories. |
| format_string | | | Find format string vulnerabilities. |
| frontpage | | | Tries to upload a file using frontpage extensions (author.dll). |
| generic | | Yes | Find all kind of bugs without using a fixed error database. |
| global_redirect | | | Find scripts that redirect the browser to any site. |
| htaccess_methods | | | Find misconfigurations in Apache's "<LIMIT>" configuration. |
| ldapi | | | Find LDAP injection bugs. |
| lfi | | | Find local file inclusion vulnerabilities. |
| memcachei | | | No description available for this plugin. |
| mx_injection | | | Find MX injection vulnerabilities. |
| os_commanding | | | Find OS Commanding vulnerabilities. |
| phishing_vector | | | Find phishing vectors. |
| preg_replace | | | Find unsafe usage of PHPs preg_replace. |
| redos | | | Find ReDoS vulnerabilities. |
| response_splitting | | | Find response splitting vulnerabilities. |
| rfd | | | Identify reflected file download vulnerabilities. |
| rfi | | Yes | Find remote file inclusion vulnerabilities. |
| rosetta_flash | | | Find Rosetta Flash vulnerabilities in JSONP endpoints |
| shell_shock | | | Find shell shock vulnerabilities. |
| sqli | | | Find SQL injection bugs. |
| ssi | | | Find server side inclusion vulnerabilities. |
| ssl_certificate | | Yes | Check the SSL certificate validity (if https is being used). |
| un_ssl | | | Find out if secure content can also be fetched using http. |
| websocket_hijacking | | | Detect Cross-Site WebSocket hijacking vulnerabilities. |
| xpath | | | Find XPATH injection vulnerabilities. |
| xss | | Yes | Identify cross site scripting vulnerabilities. |
| xst | | | Find Cross Site Tracing vulnerabilities. |
|---------------------------------------------------------------------------------------------------------------------------------|
w3af/plugins>>> audit xss sqli lfi (enable these three plugins)
w3af/plugins>>> list audit (the status of those plugins now shows Enabled)
|----------------------------------------------------------------------------------------------------------------------------------|
| Plugin name | Status | Conf | Description |
|----------------------------------------------------------------------------------------------------------------------------------|
| blind_sqli | | Yes | Identify blind SQL injection vulnerabilities. |
| buffer_overflow | | | Find buffer overflow vulnerabilities. |
| cors_origin | | Yes | Inspect if application checks that the value of the "Origin" HTTP header isconsistent |
| | | | with the value of the remote IP address/Host of the sender ofthe incoming HTTP request. |
| csrf | | | Identify Cross-Site Request Forgery vulnerabilities. |
| dav | | | Verify if the WebDAV module is properly configured. |
| eval | | Yes | Find insecure eval() usage. |
| file_upload | | Yes | Uploads a file and then searches for the file inside all known directories. |
| format_string | | | Find format string vulnerabilities. |
| frontpage | | | Tries to upload a file using frontpage extensions (author.dll). |
| generic | | Yes | Find all kind of bugs without using a fixed error database. |
| global_redirect | | | Find scripts that redirect the browser to any site. |
| htaccess_methods | | | Find misconfigurations in Apache's "<LIMIT>" configuration. |
| ldapi | | | Find LDAP injection bugs. |
| lfi | Enabled | | Find local file inclusion vulnerabilities. |
| memcachei | | | No description available for this plugin. |
| mx_injection | | | Find MX injection vulnerabilities. |
| os_commanding | | | Find OS Commanding vulnerabilities. |
| phishing_vector | | | Find phishing vectors. |
| preg_replace | | | Find unsafe usage of PHPs preg_replace. |
| redos | | | Find ReDoS vulnerabilities. |
| response_splitting | | | Find response splitting vulnerabilities. |
| rfd | | | Identify reflected file download vulnerabilities. |
| rfi | | Yes | Find remote file inclusion vulnerabilities. |
| rosetta_flash | | | Find Rosetta Flash vulnerabilities in JSONP endpoints |
| shell_shock | | | Find shell shock vulnerabilities. |
| sqli | Enabled | | Find SQL injection bugs. |
| ssi | | | Find server side inclusion vulnerabilities. |
| ssl_certificate | | Yes | Check the SSL certificate validity (if https is being used). |
| un_ssl | | | Find out if secure content can also be fetched using http. |
| websocket_hijacking | | | Detect Cross-Site WebSocket hijacking vulnerabilities. |
| xpath | | | Find XPATH injection vulnerabilities. |
| xss | Enabled | Yes | Identify cross site scripting vulnerabilities. |
| xst | | | Find Cross Site Tracing vulnerabilities. |
|----------------------------------------------------------------------------------------------------------------------------------|
w3af/plugins>>> audit all (enable every audit plugin)
w3af/plugins>>> list audit
|----------------------------------------------------------------------------------------------------------------------------------|
| Plugin name | Status | Conf | Description |
|----------------------------------------------------------------------------------------------------------------------------------|
| blind_sqli | Enabled | Yes | Identify blind SQL injection vulnerabilities. |
| buffer_overflow | Enabled | | Find buffer overflow vulnerabilities. |
| cors_origin | Enabled | Yes | Inspect if application checks that the value of the "Origin" HTTP header isconsistent |
| | | | with the value of the remote IP address/Host of the sender ofthe incoming HTTP request. |
| csrf | Enabled | | Identify Cross-Site Request Forgery vulnerabilities. |
| dav | Enabled | | Verify if the WebDAV module is properly configured. |
| eval | Enabled | Yes | Find insecure eval() usage. |
| file_upload | Enabled | Yes | Uploads a file and then searches for the file inside all known directories. |
| format_string | Enabled | | Find format string vulnerabilities. |
| frontpage | Enabled | | Tries to upload a file using frontpage extensions (author.dll). |
| generic | Enabled | Yes | Find all kind of bugs without using a fixed error database. |
| global_redirect | Enabled | | Find scripts that redirect the browser to any site. |
| htaccess_methods | Enabled | | Find misconfigurations in Apache's "<LIMIT>" configuration. |
| ldapi | Enabled | | Find LDAP injection bugs. |
| lfi | Enabled | | Find local file inclusion vulnerabilities. |
| memcachei | Enabled | | No description available for this plugin. |
| mx_injection | Enabled | | Find MX injection vulnerabilities. |
| os_commanding | Enabled | | Find OS Commanding vulnerabilities. |
| phishing_vector | Enabled | | Find phishing vectors. |
| preg_replace | Enabled | | Find unsafe usage of PHPs preg_replace. |
| redos | Enabled | | Find ReDoS vulnerabilities. |
| response_splitting | Enabled | | Find response splitting vulnerabilities. |
| rfd | Enabled | | Identify reflected file download vulnerabilities. |
| rfi | Enabled | Yes | Find remote file inclusion vulnerabilities. |
| rosetta_flash | Enabled | | Find Rosetta Flash vulnerabilities in JSONP endpoints |
| shell_shock | Enabled | | Find shell shock vulnerabilities. |
| sqli | Enabled | | Find SQL injection bugs. |
| ssi | Enabled | | Find server side inclusion vulnerabilities. |
| ssl_certificate | Enabled | Yes | Check the SSL certificate validity (if https is being used). |
| un_ssl | Enabled | | Find out if secure content can also be fetched using http. |
| websocket_hijacking | Enabled | | Detect Cross-Site WebSocket hijacking vulnerabilities. |
| xpath | Enabled | | Find XPATH injection vulnerabilities. |
| xss | Enabled | Yes | Identify cross site scripting vulnerabilities. |
| xst | Enabled | | Find Cross Site Tracing vulnerabilities. |
|----------------------------------------------------------------------------------------------------------------------------------|
w3af/plugins>>> grep all
w3af/plugins>>> crawl web_spider
w3af/plugins>>> list crawl
|---------------------------------------------------------------------------------------------------------------------------------|
| Plugin name | Status | Conf | Description |
|---------------------------------------------------------------------------------------------------------------------------------|
| archive_dot_org | | Yes | Search archive.org to find new pages in the target site. |
| bing_spider | | Yes | Search Bing to get a list of new URLs |
| content_negotiation | | Yes | Use content negotiation to find new resources. |
| digit_sum | | Yes | Take an URL with a number (index2.asp) and try to find related |
| | | | files(index1.asp, index3.asp). |
| dir_file_bruter | | Yes | Finds Web server directories and files by bruteforcing. |
| dot_listing | | | Search for .listing files and extracts new filenames from it. |
| dwsync_xml | | | Search Dream Waver Sync file (dwsync.xml) and extract referenced files. |
| find_backdoors | | | Find web backdoors and web shells. |
| find_captchas | | | Identify captcha images on web pages. |
| find_dvcs | | | Search Git, Mercurial (HG), Bazaar (BZR), Subversion (SVN) and CVSrepositories |
| | | | and checks for files containing |
| genexus_xml | | | Analyze the execute.xml and DeveloperMenu.xml files and find new URLs |
| ghdb | | Yes | Search Google for vulnerabilities in the target site. |
| google_spider | | Yes | Search google using google API to get new URLs |
| import_results | | Yes | Import HTTP requests found by output.export_requests and Burp |
| oracle_discovery | | | Find Oracle applications on the remote web server. |
| phishtank | | | Search the phishtank.com database to determine if your server is (or was)being |
| | | | used in phishing scams. |
| phpinfo | | | Search PHP Info file and if it finds it will determine the version of PHP. |
| pykto | | Yes | A nikto port to python. |
| ria_enumerator | | Yes | Fingerprint Rich Internet Apps - Google Gears Manifest files, Silverlight and |
| | | | Flash. |
| robots_txt | | | Analyze the robots.txt file and find new URLs |
| sitemap_xml | | | Analyze the sitemap.xml file and find new URLs |
| spider_man | | Yes | SpiderMan is a local proxy that will collect new URLs. |
| url_fuzzer | | Yes | Try to find backups, and other related files. |
| urllist_txt | | | Analyze the urllist.txt file and find new URLs |
| user_dir | | | Identify user directories like "http://test/~user/" and infer the remote OS. |
| web_diff | | Yes | Compare a local directory with a remote URL path. |
| web_spider | Enabled | Yes | Crawl the web application. |
| wordnet | | Yes | Use the wordnet lexical database to find new URLs. |
| wordpress_enumerate_users | | | Finds users in a WordPress installation. |
| wordpress_fingerprint | | | Finds the version of a WordPress installation. |
| wordpress_fullpathdisclosure | | | Try to find the path where the WordPress is installed |
| wsdl_finder | | | Find web service definitions files. |
|---------------------------------------------------------------------------------------------------------------------------------|
w3af/plugins>>> back (once the plugins are chosen, return to the top-level menu)
The profiles module
w3af>>> help
|----------------------------------------------------------------------------------------------------------------------------------|
| start | Start the scan. |
| plugins | Enable and configure plugins. |
| exploit | Exploit the vulnerability. |
| profiles | List and use scan profiles. |
| cleanup | Cleanup before starting a new scan. |
|----------------------------------------------------------------------------------------------------------------------------------|
| help | Display help. Issuing: help [command] , prints more specific help about "command" |
| version | Show w3af version information. |
| keys | Display key shortcuts. |
|----------------------------------------------------------------------------------------------------------------------------------|
| http-settings | Configure the HTTP settings of the framework. |
| misc-settings | Configure w3af misc settings. |
| target | Configure the target URL. |
|----------------------------------------------------------------------------------------------------------------------------------|
| back | Go to the previous menu. |
| exit | Exit w3af. |
|----------------------------------------------------------------------------------------------------------------------------------|
| kb | Browse the vulnerabilities stored in the Knowledge Base |
|----------------------------------------------------------------------------------------------------------------------------------|
w3af>>> profiles (predefined scan profiles)
w3af/profiles>>> list (show the currently available scan profiles)
|----------------------------------------------------------------------------------------------------------------------------------|
| Profile | Description |
|----------------------------------------------------------------------------------------------------------------------------------|
| bruteforce | Bruteforce form or basic authentication access controls using default credentials. To run this profile, |
| | set the target URL to the resource where the access control is, and then click on Start. |
| audit_high_risk | Perform a scan to only identify the vulnerabilities with higher risk, like SQL Injection, OS Commanding, |
| | Insecure File Uploads, etc. |
| full_audit | This profile performs a full audit of the target website, using only the web_spider plugin for crawling. |
| OWASP_TOP10 | The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on |
| | improving the security of application software. OWASP searched for and published the ten most common |
| | security flaws. This profile search for this top 10 security flaws. For more information about the |
| | security flaws: http://www.owasp.org/index.php/OWASP_Top_Ten_Project . |
| fast_scan | Perform a fast scan of the target site, using only a few discovery plugins and the fastest audit |
| | plugins. |
| empty_profile | This is an empty profile that you can use to start a new configuration from. |
| web_infrastructure | Use all the available techniques in w3af to fingerprint the remote Web infrastructure. |
| full_audit_spider_man | Perform a manual discovery using the spider_man plugin, and afterwards scan the site for any known |
| | vulnerabilities. |
| sitemap | Use different online techniques to create a fast sitemap of the target web application. This plugin will |
| | only work if you've got Internet access and the target web application is being spidered by Yahoo! |
|----------------------------------------------------------------------------------------------------------------------------------|
w3af/profiles>>> help
|----------------------------------------------------------------------------------------------------------------------------------|
| use | Use a profile. |
| list | List available profiles. |
| save_as | Save the current configuration to a profile. |
|----------------------------------------------------------------------------------------------------------------------------------|
| back | Go to the previous menu. |
| exit | Exit w3af. |
|----------------------------------------------------------------------------------------------------------------------------------|
w3af/profiles>>> save_as (first choose the plugins under plugins, i.e. audit, grep, crawl and so on, then save them with save_as under profiles)
For example: w3af/profiles>>> save_as test01
Parameter missing, please see the help:
Save the current configuration to a profile.
Syntax: save_as PROFILE_NAME
Example: save_as fast_scan
Example: save_as fast_scan self-contained
Please note that the save_as command will overwrite existing profiles with the
same name.
When the "self-contained" flag is set the profile will bundle all files referenced
by the plugin configurations. This is useful for sharing custom profiles between
different workstations. Disabled by default.
w3af/profiles>>> use fast_scan
The plugins configured by the scan profile have been enabled, and their options configured.
Please set the target URL(s) and start the scan.
w3af/profiles>>> back
The http-settings module
w3af>>> help
|----------------------------------------------------------------------------------------------------------------------------------|
| start | Start the scan. |
| plugins | Enable and configure plugins. |
| exploit | Exploit the vulnerability. |
| profiles | List and use scan profiles. |
| cleanup | Cleanup before starting a new scan. |
|----------------------------------------------------------------------------------------------------------------------------------|
| help | Display help. Issuing: help [command] , prints more specific help about "command" |
| version | Show w3af version information. |
| keys | Display key shortcuts. |
|----------------------------------------------------------------------------------------------------------------------------------|
| http-settings | Configure the HTTP settings of the framework. |
| misc-settings | Configure w3af misc settings. |
| target | Configure the target URL. |
|----------------------------------------------------------------------------------------------------------------------------------|
| back | Go to the previous menu. |
| exit | Exit w3af. |
|----------------------------------------------------------------------------------------------------------------------------------|
| kb | Browse the vulnerabilities stored in the Knowledge Base |
|----------------------------------------------------------------------------------------------------------------------------------|
w3af>>> http-settings (HTTP configuration options for the scan)
w3af/config:http-settings>>> help
|----------------------------------------------------------------------------------------------------------------------------------|
| view | List the available options and their values. |
| set | Set a parameter value. |
| save | Save the configured settings. |
|----------------------------------------------------------------------------------------------------------------------------------|
| back | Go to the previous menu. |
| exit | Exit w3af. |
|----------------------------------------------------------------------------------------------------------------------------------|
w3af/config:http-settings>>> view
|--------------------------------------------------------------------------------------------------------------------------------|
| Setting | Value | Modified | Description |
|--------------------------------------------------------------------------------------------------------------------------------|
| url_parameter | | | URL parameter (http://host.tld/path;<parameter>) |
| timeout | 0 | | HTTP connection timeout |
| headers_file | | | HTTP headers filename which contains additional headers to be added in each |
| | | | request |
|--------------------------------------------------------------------------------------------------------------------------------|
| cookie_jar_file | | | Cookie Jar file holding HTTP cookies |
| ignore_session_cookies | False | | Ignore session cookies |
|--------------------------------------------------------------------------------------------------------------------------------|
| ntlm_auth_url | | | NTLM authentication domain (target domain name) |
| ntlm_auth_user | | | NTLM authentication username |
| ntlm_auth_passwd | | | NTLM authentication password |
| ntlm_auth_domain | | | NTLM authentication domain (windows domain name) |
|--------------------------------------------------------------------------------------------------------------------------------|
| rand_user_agent | False | | Use random User-Agent header |
| max_file_size | 400000 | | Maximum file size |
| max_http_retries | 2 | | Maximum number of HTTP request retries |
| user_agent | w3af.org | | User Agent header |
| max_requests_per_second | 0 | | Maximum HTTP requests per second |
|--------------------------------------------------------------------------------------------------------------------------------|
| string_match_404 | | | Tag HTTP response as 404 if the string is found in it's body |
| always_404 | | | Comma separated list of URLs which will always be detected as 404 pages |
| never_404 | | | Comma separated list of URLs which will never be detected as 404 pages |
|--------------------------------------------------------------------------------------------------------------------------------|
| proxy_port | 8080 | | Proxy TCP port |
| proxy_address | | | Proxy IP address |
|--------------------------------------------------------------------------------------------------------------------------------|
| basic_auth_user | | | Basic authentication username |
| basic_auth_passwd | | | Basic authentication password |
| basic_auth_domain | | | Basic authentication domain |
|--------------------------------------------------------------------------------------------------------------------------------|
w3af/config:http-settings>>> set rand_user_agent True (enable a random User-Agent header)
w3af/config:http-settings>>> view
|--------------------------------------------------------------------------------------------------------------------------------|
| Setting | Value | Modified | Description |
|--------------------------------------------------------------------------------------------------------------------------------|
| url_parameter | | | URL parameter (http://host.tld/path;<parameter>) |
| timeout | 0 | | HTTP connection timeout |
| headers_file | | | HTTP headers filename which contains additional headers to be added in each |
| | | | request |
|--------------------------------------------------------------------------------------------------------------------------------|
| cookie_jar_file | | | Cookie Jar file holding HTTP cookies |
| ignore_session_cookies | False | | Ignore session cookies |
|--------------------------------------------------------------------------------------------------------------------------------|
| ntlm_auth_url | | | NTLM authentication domain (target domain name) |
| ntlm_auth_user | | | NTLM authentication username |
| ntlm_auth_passwd | | | NTLM authentication password |
| ntlm_auth_domain | | | NTLM authentication domain (windows domain name) |
|--------------------------------------------------------------------------------------------------------------------------------|
| rand_user_agent | True | Yes | Use random User-Agent header |
| max_file_size | 400000 | | Maximum file size |
| max_http_retries | 2 | | Maximum number of HTTP request retries |
| user_agent | w3af.org | | User Agent header |
| max_requests_per_second | 0 | | Maximum HTTP requests per second |
|--------------------------------------------------------------------------------------------------------------------------------|
| string_match_404 | | | Tag HTTP response as 404 if the string is found in it's body |
| always_404 | | | Comma separated list of URLs which will always be detected as 404 pages |
| never_404 | | | Comma separated list of URLs which will never be detected as 404 pages |
|--------------------------------------------------------------------------------------------------------------------------------|
| proxy_port | 8080 | | Proxy TCP port |
| proxy_address | | | Proxy IP address |
|--------------------------------------------------------------------------------------------------------------------------------|
| basic_auth_user | | | Basic authentication username |
| basic_auth_passwd | | | Basic authentication password |
| basic_auth_domain | | | Basic authentication domain |
|--------------------------------------------------------------------------------------------------------------------------------|
w3af/config:http-settings>>> back
The configuration has been saved.
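The plugins, http-settings and target steps above are typed interactively, but the Script entry in the quick reference (script/*.w3af) shows that w3af_console can replay the same commands from a file with its -s option. The following POSIX shell functions are an added example, not part of the course notes or of the w3af project: they write the command sequence from the walkthrough above into a .w3af script (so the scan configuration can be reviewed and version-controlled before anything is sent) and then run it non-interactively. The target URL, the report path and the limit of 20 requests per second are assumptions chosen for a lab host; w3af_console is assumed to be on PATH via the alias from the quick-launch section.

```shell
#!/bin/sh
# Added example, not part of the course notes or the w3af project.
# Turns the interactive w3af_console session (plugins -> http-settings ->
# target -> start) into a script file that w3af_console replays with -s.
# Assumptions: w3af_console is on PATH, the target is a lab host, and the
# report path and rate limit below are arbitrary choices.

# write_w3af_script TARGET_URL SCRIPT_FILE REPORT_FILE
# Writes the console commands, one per line, in the order the menus expect:
# enable plugins, configure the text_file report, set HTTP options, set the
# target, start, exit.
write_w3af_script() {
    cat > "$2" <<EOF
plugins
audit xss sqli lfi
grep all
crawl web_spider
output console,text_file
output config text_file
set output_file $3
set verbose False
back
back
http-settings
set rand_user_agent True
set max_requests_per_second 20
set timeout 10
back
target
set target $1
back
start
exit
EOF
}

# script_line_count SCRIPT_FILE -> number of console commands in the script
script_line_count() {
    echo $(( $(wc -l < "$1") ))
}

# script_has_command SCRIPT_FILE 'exact command line' -> exit status 0 if present
script_has_command() {
    grep -qx -- "$2" "$1"
}

# run_w3af_script SCRIPT_FILE -> replay the script non-interactively
run_w3af_script() {
    w3af_console -s "$1"
}

# Guarded entry point: "sh this_file.sh --run http://lab-host/" writes and runs
# a scan; sourcing or running the file without arguments only defines functions.
if [ "${1-}" = "--run" ] && [ -n "${2-}" ]; then
    script=$(mktemp)
    write_w3af_script "$2" "$script" "/tmp/w3af-report.txt"
    run_w3af_script "$script"
fi
```

Leaving http-settings with back saves the settings, exactly as the interactive session above prints "The configuration has been saved."; the same ordering is needed in the script, since w3af_console reads it line by line as if typed at the prompt. Keeping the rate limit and timeout in the script rather than in a shared profile makes it obvious, on review, how aggressively a given scan will hit the host.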
The misc-settings module
w3af>>> help
|----------------------------------------------------------------------------------------------------------------------------------|
| start | Start the scan. |
| plugins | Enable and configure plugins. |
| exploit | Exploit the vulnerability. |
| profiles | List and use scan profiles. |
| cleanup | Cleanup before starting a new scan. |
|----------------------------------------------------------------------------------------------------------------------------------|
| help | Display help. Issuing: help [command] , prints more specific help about "command" |
| version | Show w3af version information. |
| keys | Display key shortcuts. |
|----------------------------------------------------------------------------------------------------------------------------------|
| http-settings | Configure the HTTP settings of the framework. |
| misc-settings | Configure w3af misc settings. |
| target | Configure the target URL. |
|----------------------------------------------------------------------------------------------------------------------------------|
| back | Go to the previous menu. |
| exit | Exit w3af. |
|----------------------------------------------------------------------------------------------------------------------------------|
| kb | Browse the vulnerabilities stored in the Knowledge Base |
|----------------------------------------------------------------------------------------------------------------------------------|
w3af>>> misc-settings (miscellaneous settings)
w3af/config:misc-settings>>> view
|---------------------------------------------------------------------------------------------------------------------------------|
| Setting | Value | Modified | Description |
|---------------------------------------------------------------------------------------------------------------------------------|
| msf_location | /opt/metasploit3/bin/ | | Full path of Metasploit framework binary directory |
| | | | (/opt/metasploit3/bin/ in most linux installs) |
|---------------------------------------------------------------------------------------------------------------------------------|
| interface | ppp0 | | Local interface name to use when sniffing, doing reverse |
| | | | connections, etc. |
| local_ip_address | 10.10.10.128 | | Local IP address to use when doing reverse connections |
|---------------------------------------------------------------------------------------------------------------------------------|
| max_discovery_time | 120 | | Maximum crawl time (minutes) |
| stop_on_first_exception | False | | Stop scan after first unhandled exception |
|---------------------------------------------------------------------------------------------------------------------------------|
| form_id_action | exclude | | Define the form_id_list filter behaviour |
| non_targets | | | A comma separated list of URLs that w3af should ignore |
| form_id_list | [] | | Filter forms to scan using form IDs |
|---------------------------------------------------------------------------------------------------------------------------------|
| fuzz_url_filenames | False | | Indicates if w3af plugins will send fuzzed file names in order to |
| | | | find vulnerabilities |
| fuzz_url_parts | False | | Indicates if w3af plugins will send fuzzed URL parts in order to |
| | | | find vulnerabilities |
| fuzzable_headers | | | A list with all fuzzable header names |
| fuzzed_files_extension | gif | | Indicates the extension to use when fuzzing file content |
| form_fuzzing_mode | tmb | | Indicates what HTML form combo values w3af plugins will use: all, |
| | | | tb, tmb, t, b |
| fuzz_form_files | True | | Indicates if w3af plugins will send payloads in the content of |
| | | | multipart/post form files. |
| fuzz_cookies | False | | Indicates if w3af plugins will use cookies as a fuzzable parameter |
|---------------------------------------------------------------------------------------------------------------------------------|
w3af/config:misc-settings>>> help
|----------------------------------------------------------------------------------------------------------------------------------|
| view | List the available options and their values. |
| set | Set a parameter value. |
| save | Save the configured settings. |
|----------------------------------------------------------------------------------------------------------------------------------|
| back | Go to the previous menu. |
| exit | Exit w3af. |
|----------------------------------------------------------------------------------------------------------------------------------|
w3af/config:misc-settings>>> back
The configuration has been saved.
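The form_fuzzing_mode setting in the table above (all, tb, tmb, t, b) decides which option values of an HTML select field are used when w3af builds the form variants it sends, which in turn decides how many requests one form costs. The following Python code is an added example written for this tutorial, not w3af's own implementation: it re-creates the documented meaning of the five modes (t = top value, m = middle value, b = bottom value, all = every option) over a constructed sample form so the growth in request count can be seen directly.

```python
"""Illustration of w3af's form_fuzzing_mode setting (all, tb, tmb, t, b).

Added example, not w3af's own code: it re-implements the documented
meaning of the setting (which <option> values of a <select> are used
when building form variants) to show how the number of requests per
form grows with the mode.  The sample form below is constructed.
"""
from itertools import product

# Constructed sample form: field name -> option values in document order
# (the <option> values of three <select> fields).
SAMPLE_FORM = {
    "country": ["ar", "br", "cl", "de", "es", "fr", "us"],
    "plan": ["free", "basic", "pro"],
    "newsletter": ["yes", "no"],
}


def pick_values(options, mode):
    """Return the option values the given mode keeps for one field.

    Modes follow the w3af description: t = top, b = bottom, tb = top and
    bottom, tmb = top, middle and bottom, all = every option.  Duplicates
    are removed while preserving order, so a field with one or two
    options never yields more variants than it has options.
    """
    if not options:
        return [""]
    if mode == "all":
        return list(options)
    picks = {
        "t": [options[0]],
        "b": [options[-1]],
        "tb": [options[0], options[-1]],
        "tmb": [options[0], options[len(options) // 2], options[-1]],
    }
    if mode not in picks:
        raise ValueError("unknown form_fuzzing_mode: %r" % mode)
    seen, out = set(), []
    for value in picks[mode]:
        if value not in seen:
            seen.add(value)
            out.append(value)
    return out


def form_variants(form, mode):
    """Cartesian product of the kept values of every field: one dict per
    form submission the scanner would have to send."""
    names = list(form)
    per_field = [pick_values(form[name], mode) for name in names]
    return [dict(zip(names, combo)) for combo in product(*per_field)]


def variant_count(form, mode):
    """Number of submissions one form costs under the given mode."""
    return len(form_variants(form, mode))


if __name__ == "__main__":
    for mode in ("t", "b", "tb", "tmb", "all"):
        print("%-4s -> %3d variants" % (mode, variant_count(SAMPLE_FORM, mode)))
```

For the sample form, "all" produces 7 x 3 x 2 = 42 submissions, "tmb" 18, "tb" 8 and "t" or "b" a single one; multiply that by every injection payload of every audit plugin and the default "tmb" is the trade-off between coverage and scan time that the setting exists to control.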
target module
w3af>>> help
|----------------------------------------------------------------------------------------------------------------------------------|
| start | Start the scan. |
| plugins | Enable and configure plugins. |
| exploit | Exploit the vulnerability. |
| profiles | List and use scan profiles. |
| cleanup | Cleanup before starting a new scan. |
|----------------------------------------------------------------------------------------------------------------------------------|
| help | Display help. Issuing: help [command] , prints more specific help about "command" |
| version | Show w3af version information. |
| keys | Display key shortcuts. |
|----------------------------------------------------------------------------------------------------------------------------------|
| http-settings | Configure the HTTP settings of the framework. |
| misc-settings | Configure w3af misc settings. |
| target | Configure the target URL. |
|----------------------------------------------------------------------------------------------------------------------------------|
| back | Go to the previous menu. |
| exit | Exit w3af. |
|----------------------------------------------------------------------------------------------------------------------------------|
| kb | Browse the vulnerabilities stored in the Knowledge Base |
|----------------------------------------------------------------------------------------------------------------------------------|
w3af>>> target
w3af/config:target>>> help
|----------------------------------------------------------------------------------------------------------------------------------|
| view | List the available options and their values. |
| set | Set a parameter value. |
| save | Save the configured settings. |
|----------------------------------------------------------------------------------------------------------------------------------|
| back | Go to the previous menu. |
| exit | Exit w3af. |
|----------------------------------------------------------------------------------------------------------------------------------|
w3af/config:target>>> set target http://10.10.10.129
w3af/config:target>>> view
|-----------------------------------------------------------------------------------------------------------------------------------|
| Setting | Value | Modified | Description |
|-----------------------------------------------------------------------------------------------------------------------------------|
| target_framework | unknown | | Target programming framework (unknown/php/asp/asp.net/java/jsp/cfm/ruby/perl) |
| target | http://10.10.10.129 | Yes | A comma separated list of URLs |
| target_os | unknown | | Target operating system (unknown/unix/windows) |
|-----------------------------------------------------------------------------------------------------------------------------------|
w3af/config:target>>> back
The configuration has been saved.
Once configuration is complete, it can be saved as a profile
w3af>>> profiles
w3af/profiles>>> save_as test01
Profile saved.
w3af/profiles>>> back
Starting the scan
Once configured, the scan can be started
w3af>>> help
|----------------------------------------------------------------------------------------------------------------------------------|
| start | Start the scan. |
| plugins | Enable and configure plugins. |
| exploit | Exploit the vulnerability. |
| profiles | List and use scan profiles. |
| cleanup | Cleanup before starting a new scan. |
|----------------------------------------------------------------------------------------------------------------------------------|
| help | Display help. Issuing: help [command] , prints more specific help about "command" |
| version | Show w3af version information. |
| keys | Display key shortcuts. |
|----------------------------------------------------------------------------------------------------------------------------------|
| http-settings | Configure the HTTP settings of the framework. |
| misc-settings | Configure w3af misc settings. |
| target | Configure the target URL. |
|----------------------------------------------------------------------------------------------------------------------------------|
| back | Go to the previous menu. |
| exit | Exit w3af. |
|----------------------------------------------------------------------------------------------------------------------------------|
| kb | Browse the vulnerabilities stored in the Knowledge Base |
|----------------------------------------------------------------------------------------------------------------------------------|
w3af>>> start
Script files
root@attacker:~# cd /usr/local/src/
root@attacker:/usr/local/src# ls
circle.yml libjavascriptcoregtk-1.0-0_2.4.11-3_amd64.deb python-support_1.0.15_all.deb scripts w3af_api w3afgui
doc libwebkitgtk-1.0-0_2.4.11-3_amd64.deb python-webkit_1.1.8-3_amd64.deb tools w3afconsole w3af_gui
extras profiles README.md w3af w3af_console wXf-master
root@attacker:/usr/local/src# cd scripts/
root@attacker:/usr/local/src/scripts# ls
allowed_methods.w3af file_upload_shell.w3af profile-fast_scan.w3af
all.w3af frontpage_version.w3af remote_file_include_local_ws.w3af
auth_detailed.w3af header_fuzzing.w3af remote_file_include_proxy.w3af
bing_spider.w3af html_output.w3af remote_file_include_shell.w3af
blind_sqli_detection.w3af list_all_plugins.w3af remote_file_include_shell-xss.w3af
cookie_fuzzing.w3af local_file_include-payload.w3af remote_file_include_w3af_site.w3af
cross_domain.w3af local_file_include.w3af spider_man.w3af
csrf.w3af login_brute_form_GET.w3af sqli.w3af
dav_shell.w3af login_brute_password_only.w3af sqlmap_exploit_int.w3af
detect_transparent_proxy.w3af mangle_request.w3af targets_from_file.w3af
digit_sum.w3af mangle_response.w3af web_spider-ignore_regex.w3af
eval_shell.w3af os_commanding-lnx-vdaemon.w3af web_spider-only_forward.w3af
eval.w3af os_commanding-lnx-w3afAgent.w3af web_spider.w3af
exploit_all.w3af os_commanding_shell.w3af xss_simple.w3af
exploit_fast.w3af os_commanding.w3af xss_stored.w3af
filename_xss.w3af php_sca-payload.w3af
root@attacker:/usr/local/src/scripts# cat sqli.w3af
# This is a demo of the attack plugin sql_shell
plugins
output console,text_file
output config text_file
set output_file output-w3af.txt
set verbose True
back
output config console
set verbose False
back
audit sqli
crawl web_spider
crawl config web_spider
set only_forward True
back
grep path_disclosure
back
target
set target http://moth/w3af/audit/sql_injection/select/sql_injection_string.php?name=andres
back
start
bug-report
details 0
back
exit
root@attacker:/usr/local/src# ./w3afconsole -s ./scripts/sqli.w3af
w3af>>> plugins
w3af/plugins>>> output console,text_file
w3af/plugins>>> output config text_file
w3af/plugins/output/config:text_file>>> set output_file output-w3af.txt
w3af/plugins/output/config:text_file>>> set verbose True
w3af/plugins/output/config:text_file>>> back
The configuration has been saved.
w3af/plugins>>> output config console
w3af/plugins/output/config:console>>> set verbose False
w3af/plugins/output/config:console>>> back
The configuration has been saved.
w3af/plugins>>> audit sqli
w3af/plugins>>> crawl web_spider
w3af/plugins>>> crawl config web_spider
w3af/plugins/crawl/config:web_spider>>> set only_forward True
w3af/plugins/crawl/config:web_spider>>> back
The configuration has been saved.
w3af/plugins>>> grep path_disclosure
w3af/plugins>>> back
w3af>>> target
w3af/config:target>>> set target http://moth/w3af/audit/sql_injection/select/sql_injection_string.php?name=andres
w3af/config:target>>> back
The configuration has been saved.
w3af>>> start
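The sqli.w3af script above keeps the crawl inside the authorised scope with two settings: only_forward True on web_spider (follow only links under the path of the target URL) and, in misc-settings, non_targets (URLs w3af should ignore). The Python code below is an added example for this tutorial, not w3af's own code: it re-creates that scope decision as a stand-alone filter, using the page's own target URL as sample input. Treating each non_targets entry as a path prefix is this example's choice; the exact matching rules inside w3af may differ.

```python
"""Scope filter in the spirit of web_spider's only_forward option and
the misc-settings non_targets option.

Added example, not w3af's own code.  Rules applied:
  * a link must have the same scheme, host and port as the target;
  * with only_forward=True its path must lie under the directory of the
    target URL's path;
  * any link matching a non_targets entry (treated here as a path
    prefix on the same origin, an assumption of this example) is
    always ignored.
"""
from urllib.parse import urlsplit


def _origin(parts):
    """(scheme, host, port) with the default port filled in."""
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return scheme, host, port


def _directory(path):
    """Directory part of a URL path: '/a/b/x.php' -> '/a/b/', '' -> '/'."""
    path = path or "/"
    return path[: path.rfind("/") + 1]


def in_scope(target, url, only_forward=True, non_targets=()):
    """Decide whether the crawler may follow `url` given `target`."""
    t, u = urlsplit(target), urlsplit(url)
    if _origin(t) != _origin(u):
        return False
    u_path = u.path or "/"
    for entry in non_targets:
        n = urlsplit(entry)
        if _origin(n) == _origin(u) and u_path.startswith(n.path or "/"):
            return False
    if only_forward:
        return u_path.startswith(_directory(t.path))
    return True


def filter_links(target, links, only_forward=True, non_targets=()):
    """Return the subset of `links` the crawler may follow, in order."""
    return [l for l in links if in_scope(target, l, only_forward, non_targets)]


# Sample input: the target from the tutorial's sqli.w3af script plus a
# constructed set of links a crawler might extract from its pages.
TARGET = "http://moth/w3af/audit/sql_injection/select/sql_injection_string.php?name=andres"
LINKS = [
    "http://moth/w3af/audit/sql_injection/select/other.php?name=x",
    "http://moth/w3af/audit/sql_injection/select/logout.php",
    "http://moth/w3af/audit/xss/simple.php",
    "https://moth/w3af/audit/sql_injection/select/other.php",
    "http://other.example/",
]
NON_TARGETS = ["http://moth/w3af/audit/sql_injection/select/logout.php"]

if __name__ == "__main__":
    print("only_forward=True :", filter_links(TARGET, LINKS, True, NON_TARGETS))
    print("only_forward=False:", filter_links(TARGET, LINKS, False, NON_TARGETS))
```

With only_forward=True only the first link survives; switching it off also admits the xss directory on the same origin, while the logout page (listed in non_targets), the https variant and the foreign host are dropped in both cases. Excluding logout and other state-changing pages via non_targets is what keeps an authenticated scan from killing its own session.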