W3AF:Utilisation console
Jump to navigation
Jump to search
Utilisation
Modes d'utilisation
- Mode console : w3af_console
- Mode graphique : w3af_gui
Mode console
Lancer W3AF en mode console
Pour lancer W3AF, il suffit d'entrer les commandes suivantes :
# cd /usr/local/w3af/ # ./w3af_console
Afficher l'aide
Une fois dans W3AF, il est possible d'afficher l'aide sur le répertoire courant avec la commande help :
w3af>>> help |-----------------------------------------------------------------------------| | start | Start the scan. | | plugins | Enable and configure plugins. | | exploit | Exploit the vulnerability. | | profiles | List and use scan profiles. | |-----------------------------------------------------------------------------| | http-settings | Configure the HTTP settings of the framework. | | misc-settings | Configure w3af misc settings. | | target | Configure the target URL. | |-----------------------------------------------------------------------------| | back | Go to the previous menu. | | exit | Exit w3af. | | assert | Check assertion. | |-----------------------------------------------------------------------------| | help | Display help. Issuing: help [command] , prints more | | | specific help about "command" | | version | Show w3af version information. | | keys | Display key shortcuts. | |-----------------------------------------------------------------------------|
Il est possible d'obtenir de l'aide sur un paramètre comme suit :
w3af>>> help plugins Enable and configure plugins.
Note
La touche TAB permet de compléter une commande lorsque quelques caractères sont entrés. Par exemple, si vous entrez help plu+TAB, la commande se complètera automatiquement en help plugins.
Pour entrer dans un menu, il suffit d'entrer le nom du menu comme suit :
w3af>>> http-settings
Dans les menus de configuration, les options disponibles sont les suivantes :
w3af/config:http-settings>>> help |-----------------------------------------------------------------------------| | view | List the available options and their values. | | set | Set a parameter value. | |-----------------------------------------------------------------------------| | back | Go to the previous menu. | | exit | Exit w3af. | | assert | Check assertion. | |-----------------------------------------------------------------------------|
Il est possible d'obtenir la liste des paramètres et leurs valeurs pour chaque paramètre :
w3af/config:http-settings>>> view |----------------------------------------------------------------------------| | Setting | Value | Description | |----------------------------------------------------------------------------| | timeout | 10 | The timeout for | | | | connections to the | | | | HTTP server | | headersFile | | Set the headers | | | | filename. This file | | | | has additional headers | | | | that are added to each | | | | request. | |----------------------------------------------------------------------------| | ignoreSessCookies | False | Ignore session cookies | | cookieJarFile | | Set the cookiejar | | | | filename. | |----------------------------------------------------------------------------| | maxFileSize | 400000 | Maximum file size | | userAgent | w3af.sourceforge.net | User Agent header | | maxRetrys | 2 | Maximum number of | | | | retries | |----------------------------------------------------------------------------| | byDirectoryAndExtension404 | True | Perform 404 page | | | | detection based on the | | | | knowledge found in the | | | | directory of the file | | | | AND the file extension | | always404 | | A comma separated list | | | | that determines what | | | | URLs will ALWAYS be | | | | detected as 404 pages. | | autodetect404 | False | Perform 404 page | | | | autodetection. | | byDirectory404 | False | Perform 404 page | | | | detection based on the | | | | knowledge found in the | | | | directory of the file | | 404exceptions | | A comma separated list | | | | that determines what | | | | URLs will NEVER be | | | | detected as 404 pages. | |----------------------------------------------------------------------------| | proxyPort | 8080 | Proxy TCP port | | proxyAddress | | Proxy IP address | |----------------------------------------------------------------------------| | basicAuthUser | | Set the basic | | | | authentication | | | | username for HTTP | | | | requests | | basicAuthPass | | Set the basic | | | | authentication | | | | password for HTTP | | | | requests | | basicAuthDomain | | Set the basic | | | | authentication domain | | | | for HTTP requests | |----------------------------------------------------------------------------|
Revenir au niveau inférieur
Pour revenir à un niveau inférieur de menu, utiliser la commande back.
w3af/config:http-settings>>> back w3af>>>
Modifier la valeur d'un paramètre
Pour modifier la valeur d'un paramètre, utiliser le mot clé set. L'exemple qui suit montre comment paramétrer un proxy avec authentification.
Valeur des paramètres avant la modification :
|----------------------------------------------------------------------------| | proxyPort | 8080 | Proxy TCP port | | proxyAddress | | Proxy IP address | |----------------------------------------------------------------------------| | basicAuthUser | | Set the basic | | | | authentication | | | | username for HTTP | | | | requests | | basicAuthPass | | Set the basic | | | | authentication | | | | password for HTTP | | | | requests | | basicAuthDomain | | Set the basic | | | | authentication domain | | | | for HTTP requests | |----------------------------------------------------------------------------|
Modification de la valeur des paramètres :
w3af/config:http-settings>>> set proxyPort 3128 w3af/config:http-settings>>> set proxyAddress 192.168.1.1 w3af/config:http-settings>>> set basicAuthUser myuser To properly configure the basic authentication settings, you should also set the auth domain. If you are unsure, you can set it to the target domain name. w3af/config:http-settings>>> set basicAuthPass myP4ssw0rd To properly configure the basic authentication settings, you should also set the auth domain. If you are unsure, you can set it to the target domain name. w3af/config:http-settings>>> set basicAuthDomain aldeid.com
Note
Vous remarquerez que les éventuelles dépendances entre les paramètre sont signalées par un message spécifique.
Valeur des paramètres après la modification :
|----------------------------------------------------------------------------| | proxyPort | 3128 | Proxy TCP port | | proxyAddress | 192.168.1.1 | Proxy IP address | |----------------------------------------------------------------------------| | basicAuthUser | myuser | Set the basic | | | | authentication | | | | username for HTTP | | | | requests | | basicAuthPass | myP4ssw0rd | Set the basic | | | | authentication | | | | password for HTTP | | | | requests | | basicAuthDomain | aldeid.com | Set the basic | | | | authentication domain | | | | for HTTP requests | |----------------------------------------------------------------------------|
Sélectionner et paramétrer des plugins
Obtenir des informations sur un plugin
Pour obtenir des informations complémentaires sur un plugin, utilisez le mot clé desc :
w3af/plugins>>> audit desc blindSqli
This plugin finds blind SQL injections.
Two configurable parameters exist:
- equAlgorithm
- equalLimit
The equAlgorithm parameter configures how the comparison of pages is done, the options for equAlgorithm are:
- stringEq
- setIntersection
The classic way of matching two strings is "stringEq" , in Python this is "string1 == string2" , but other ways have been
developed for sites that have changing banners and random data on their HTML response. "setIntersection" will create
two different sets with the words inside the two HTML responses, and do an intersection. If number of words that are
in the intersection set divided by the total words are more than "equalLimit", then the responses are equal.
Sélectionner des plugins
Rendez-vous dans le menu plugins
w3af>>> plugins
Puis utilisez l'aide afin de lister les familles de plugins
w3af/plugins>>> help |-----------------------------------------------------------------------------| | list | List available plugins. | |-----------------------------------------------------------------------------| | back | Go to the previous menu. | | exit | Exit w3af. | | assert | Check assertion. | |-----------------------------------------------------------------------------| | grep | View, configure and enable grep plugins | | mangle | View, configure and enable mangle plugins | | output | View, configure and enable output plugins | | evasion | View, configure and enable evasion plugins | | bruteforce | View, configure and enable bruteforce plugins | | discovery | View, configure and enable discovery plugins | | audit | View, configure and enable audit plugins | |-----------------------------------------------------------------------------|
Pour obtenir la liste des plugins associés à la famille de plugins retenue, utilisez le mot clé list :
w3af/plugins>>> list audit |----------------------------------------------------------------------------| | Plugin name | Status | Conf | Description | |----------------------------------------------------------------------------| | LDAPi | | | Find LDAP injection bugs. | | blindSqli | | Yes | Find blind SQL injection | | | | | vulnerabilities. | | buffOverflow | | | Find buffer overflow vulnerabilities. | | dav | | | Verify if the WebDAV module is | | | | | properly configured. | | eval | | Yes | Find insecure eval() usage. | | fileUpload | | Yes | Uploads a file and then searches for | | | | | the file inside all known directories. | | formatString | | | Find format string vulnerabilities. | | frontpage | | Yes | Tries to upload a file using frontpage | | | | | extensions (author.dll). | | generic | | Yes | Find all kind of bugs without using a | | | | | fixed database of errors. | | globalRedirect | | | Find scripts that redirect the browser | | | | | to any site. | | htaccessMethods | | | Find misconfigurations in the | | | | | "<LIMIT>" configuration of Apache. | | localFileInclude | | | Find local file inclusion | | | | | vulnerabilities. | | mxInjection | | | Find MX injection vulnerabilities. | | osCommanding | | | Find OS Commanding vulnerabilities. | | phishingVector | | | Find phishing vectors. | | preg_replace | | | Find unsafe usage of PHPs | | | | | preg_replace. | | remoteFileInclude | | Yes | Find remote file inclusion | | | | | vulnerabilities. | | responseSplitting | | | Find response splitting | | | | | vulnerabilities. | | sqli | | | Find SQL injection bugs. | | ssi | | | Find server side inclusion | | | | | vulnerabilities. | | sslCertificate | | | Check the SSL certificate validity( if | | | | | https is being used ). | | unSSL | | | Find out if secure content can also be | | | | | fetched using http. | | xpath | | | Find XPATH injection vulnerabilities. | | xsrf | | | Find the easiest to exploit xsrf | | | | | vulnerabilities. | | xss | | Yes | Find cross site scripting | | | | | vulnerabilities. | | xst | | | Find Cross Site Tracing | | | | | vulnerabilities. | |----------------------------------------------------------------------------|
Enfin, pour sélectionner des plugins, utilisez la commande suivante :
w3af/plugins>>> audit LDAPi,blindSqli,buffOverflow w3af/plugins>>> audit |----------------------------------------------------------------------------| | Plugin name | Status | Conf | Description | |----------------------------------------------------------------------------| | LDAPi | Enabled | | Find LDAP injection bugs. | | blindSqli | Enabled | Yes | Find blind SQL injection | | | | | vulnerabilities. | | buffOverflow | Enabled | | Find buffer overflow vulnerabilities. | | dav | | | Verify if the WebDAV module is | | | | | properly configured. | | eval | | Yes | Find insecure eval() usage. | | fileUpload | | Yes | Uploads a file and then searches for | | | | | the file inside all known | | | | | directories. | ...
Note
Remarquez que la mention Enabled apparaît devant les plugins sélectionnés, dans la colonne Status.
Paramétrer des plugins
Note
Seuls les plugins pour lesquels la mention Yes figure dans la colonne Conf sont paramétrables.
Pour paramétrer un plugin, utilisez le mot clé config :
w3af/plugins>>> audit config blindSqli
Tout comme pour le paramétrage de W3AF, utiliser les options :
- view : pour voir la valeur des paramètres
- set : Pour modifier la valeur d'un paramètre
L'exemple suivant montre comment modifier le paramètre checkStored du plugin xss :
w3af/plugins>>> audit config xss w3af/plugins/audit/config:xss>>> view |-----------------------------------------------------------------------------| | Setting | Value | Description | |-----------------------------------------------------------------------------| | numberOfChecks | 3 | Set the amount of checks to perform for each | | | | fuzzable parameter. Valid numbers: 1 to 14 | | checkStored | True | Identify stored cross site scripting | | | | vulnerabilities | |-----------------------------------------------------------------------------| w3af/plugins/audit/config:xss>>> set checkStored False w3af/plugins/audit/config:xss>>> view |-----------------------------------------------------------------------------| | Setting | Value | Description | |-----------------------------------------------------------------------------| | numberOfChecks | 3 | Set the amount of checks to perform for each | | | | fuzzable parameter. Valid numbers: 1 to 14 | | checkStored | False | Identify stored cross site scripting | | | | vulnerabilities | |-----------------------------------------------------------------------------|
Paramétrer et lancer le scan
Spécifier la cible
Avant d'exécuter le scan, spécifiez la cible comme suit :
w3af>>> target w3af/config:target>>> help |-----------------------------------------------------------------------------| | view | List the available options and their values. | | set | Set a parameter value. | |-----------------------------------------------------------------------------| | back | Go to the previous menu. | | exit | Exit w3af. | | assert | Check assertion. | |-----------------------------------------------------------------------------| w3af/config:target>>> view |------------------------------------------------------------------------------| | Setting | Value | Description | |------------------------------------------------------------------------------| | targetOS | unknown | Target operating system (unknown/unix/windows) | | targetFramework | unknown | Target programming framework | | | | (unknown/php/asp/asp.net/java/jsp/cfm/ruby/perl) | | target | | A comma separated list of URLs | |------------------------------------------------------------------------------| w3af/config:target>>> set target http://www.aldeid.com/ w3af/config:target>>> view |---------------------------------------------------------------------------------------------| | Setting | Value | Description | |---------------------------------------------------------------------------------------------| | targetOS | unknown | Target operating system (unknown/unix/windows) | | targetFramework | unknown | Target programming framework | | | | (unknown/php/asp/asp.net/java/jsp/cfm/ruby/perl) | | target | http://www.aldeid.com/ | A comma separated list of URLs | |---------------------------------------------------------------------------------------------|
Lancer le scan
Revenez au menu principal :
w3af/config:target>>> back
Enfin, exécutez le scan :
w3af>>> start Auto-enabling plugin: grep.error500 Found 2 URLs and 2 different points of injection. The list of URLs is: - http://www.aldeid.com/ - http://www.aldeid.com/index.php The list of fuzzable requests is: - http://www.aldeid.com/ | Method: GET - http://www.aldeid.com/index.php | Method: GET | Parameters: (search, title) Starting blindSqli plugin execution. ...
Découverte et exploitation de vulnérabilités
Découverte de vulnérabilité
Soit le code PHP suivant :
<html>
<body>
<?php
if(isset($_POST['v'])){
$v=$_POST["v"];
exec("grep $v /etc/passwd",$r);
echo("<pre style=\"border:solid 2px #ff0000;
background:#eeeeee;\">");
print_r($r);
echo("</pre>");
}
?>
<form method="post" action="index.php">
<input type="text" name="v" value="<?php
if(isset($_POST['v'])) { echo($_POST['v']); } ?>" />
<input type="submit" />
</form>
</body>
</html>
|
Ce code permet d'afficher les lignes du fichier /etc/passwd qui contiennent la chaîne fournie en paramètre.
|
Tentons de découvrir si ce code est vulnérable :
# ./w3af_console w3af>>> plugins w3af/plugins>>> output console textFile w3af/plugins>>> audit osCommanding w3af/plugins>>> back w3af>>> target w3af/config:target>>> set target http://127.0.0.1/index.php w3af/config:target>>> back w3af>>> start Found 1 URLs and 2 different points of injection. The list of URLs is: - http://127.0.0.1/index.php The list of fuzzable requests is: - http://127.0.0.1/index.php | Method: GET - http://127.0.0.1/index.php | Method: POST | Parameters: (v) Starting osCommanding plugin execution. OS Commanding was found at: "http://127.0.0.1/index.php", using HTTP method POST. The sent post-data was: "v=%60+ping+-c+9+localhost%60". This vulnerability was found in the request with id 19. Finished scanning process.
Tout semble indiquer que le code est vulnérable.
Exploitation de vulnérabilité
Tentons maintenant d'exploiter la vulnérabilité découverte :
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.
Thank you for your comprehension.