wmap的使用


WMap是一个集成于Metasploit框架中用于测试Web脆弱性的工具,在使用之前,你需要先创建一个数据库连接用于存放扫描的数据、结果,然后加载wmap插件,当你不清楚命令有哪些时,可以使用help命令进行查看帮助。

msf > load wmap
.-.-.-..-.-.-..—..—.
| | | || | | || | || |-‘
`—–‘`-‘-‘-‘`-^-‘`-‘
[WMAP 1.5.1] ===  et [  ] metasploit.com 2012
[*]Successfully loaded plugin: wmap
msf > help
wmap Commands
=============
    Command       Description
    ——-       ———–
    wmap_modules  Manage wmap modules
    wmap_nodes    Manage nodes
    wmap_run      Test targets
    wmap_sites    Manage sites
    wmap_targets  Manage targets
    wmap_vulns    Display web vulns
…snip…


在真正运行扫描之前,需要先使用wmap_sites的-a选项添加一个URL进行扫描,添加了之后你可以使用wmap_sites -l命令查看可用的目标。

msf > wmap_sites -h
[*]  Usage: wmap_targets [options]
    -h        Display this help text
    -a [url]  Add site (vhost,url)
    -l        List all available sites
    -s [id]   Display site structure (vhost,url|ids) (level)
msf > wmap_sites -a http://172.16.194.172
[*] Site created.
msf > wmap_sites -l
[*] Available sites
===============
     Id  Host            Vhost           Port  Proto  # Pages  # Forms
     —  —-            —–           —-  —–  ——-  ——-
     0   172.16.194.172  172.16.194.172  80    http   0        0

然后,将站点添加到“目标”中去,使用wmap_targets命令的-t选项;

msf > wmap_targets -h
[*]Usage: wmap_targets [options]
    -h         Display this help text
    -t [urls]    Define target sites (vhost1,url[space]vhost2,url)
    -d [ids]    Define target sites (id1, id2, id3 …)
    -c         Clean target sites list
    -l          List all target sites
msf > wmap_targets -t http://172.16.194.172/mutillidae/index.php


Once added, we can view our list of targets by using the ‘-l’ switch from the console. 

msf > wmap_targets -l
[*] Defined targets
===============
     Id  Vhost           Host            Port  SSL    Path
     —  —–           —-            —-  —    —-
     0   172.16.194.172  172.16.194.172  80    false    /mutillidae/index.php


Using the “wmap_run” command will scan the target system. 

msf > wmap_run -h
[*]Usage: wmap_run [options]
    -h                        Display this help text
    -t                        Show all enabled modules
    -m [regex]                Launch only modules that name match provided regex.
    -p [regex]                Only test path defined by regex.
    -e [/path/to/profile]     Launch profile modules against all matched targets.
                              (No profile file runs all enabled modules.)


We first using the “-t” switch to list the modules that will be used to scan the remote system. (使用 wmap_run -l 命令可以列出我们将要使用的扫描模块!)

msf > wmap_run -t
[*] Testing target:
[*]     Site: 192.168.1.100 (192.168.1.100)
[*]     Port: 80 SSL: false
[*] ============================================================
[*] Testing started. 2012-01-16 15:46:42 -0500
[*] =[ SSL testing ]=
[*] ============================================================
[*] Target is not SSL. SSL modules disabled.
[*] =[ Web Server testing ]=
[*] ============================================================[*] Loaded auxiliary/admin/http/contentkeeper_fileaccess …[*] Loaded auxiliary/admin/http/tomcat_administration …[*]Loaded auxiliary/admin/http/tomcat_utf8_traversal …[*] Loaded auxiliary/admin/http/trendmicro_dlp_traversal …
..snip…
msf >


All that remains now is to actually run the scan against our target URL. 

msf > wmap_run -e
[*] Using ALL wmap enabled modules.
[-] NO WMAP NODES DEFINED. Executing local modules
[*] Testing target:
[*]     Site: 172.16.194.172 (172.16.194.172)
[*]     Port: 80 SSL: false
============================================================
[*] Testing started. 2012-06-27 09:29:13 -0400
[*] =[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*] =[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[*] 172.16.194.172:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/scanner/http/robots_txt
..snip…..snip…..snip…
[*] Module auxiliary/scanner/http/soap_xml
[*] Path: /
[*] Server 172.16.194.172:80 returned HTTP 404 for /.  Use a different one.
[*] Module auxiliary/scanner/http/trace_axd
[*] Path: /
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*]
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*]
=[ Query testing ]=
============================================================
[*]
=[ General testing ]=
============================================================
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Launch completed in 212.01512002944946 seconds.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[*]
Done.


在扫描执行完了之后,我们可以查看一下数据库中是否存在一些可用的东西—漏洞!

msf > wmap_vulns -l
[*] + [172.16.194.172] (172.16.194.172): scraper /
[*]     scraper Scraper
[*]     GET Metasploitable2 – Linux
[*] + [172.16.194.172] (172.16.194.172): directory /dav/
[*]     directory Directory found.
[*]     GET Res code: 200
[*] + [172.16.194.172] (172.16.194.172): directory /cgi-bin/
[*]     directory Directoy found.
[*]     GET Res code: 403

…snip…

msf >


可以使用 vulns 命令可以查看更详细的信息!

msf > vulns
[*]Time: 2012-01-16 20:58:49 UTC Vuln: host=172.16.2.207 port=80 proto=tcp name=auxiliary/scanner/http/options refs=CVE-2005-3398,CVE-2005-3498,OSVDB-877,BID-11604,BID-9506,BID-9561
We can now use this information to gather further information on the reported vulnerability. As pentesters, we would want to investigate each finding further and identify if there are potential methods for attack.
来源: <http://www.offensive-security.com/metasploit-unleashed/WMAP_Web_Scanner>

总结一下使用wmap的具体步骤:

  • 进入Metasploit(在这之前最好先运行:service postgresql start && service metasploit start 命令开启这两个基础服务);
  • 然后连接数据库(db_connect){其实应该是默认连接的,但是估计是因为我之前没有注意,在哪个地方翻了个错误,导致后来都得手动连接};
  • 之后加载wmap插件(load wmap);
  • 添加站点:wmap_sites -a URL
  • 列为目标:wmap_targets -t URL
  • 先是将要执行的扫描模块:wmap_run -t
  • 执行扫描:wmap_run -e
  • 在扫描完成之后显示是否存在可利用漏洞:wmap_vulns -l(若要查看更详细的信息,则使用vulns命令)

msf > load wmap
.-.-.-..-.-.-..—..—.
| | | || | | || | || |-‘
`—–‘`-‘-‘-‘`-^-‘`-‘
[WMAP 1.5.1] ===  et [  ] metasploit.com 2012
[*] Successfully loaded plugin: wmap
msf > help
wmap Commands
=============
    Command       Description
    ——-       ———–
    wmap_modules  Manage wmap modules
    wmap_nodes    Manage nodes
    wmap_run      Test targets
    wmap_sites    Manage sites
    wmap_targets  Manage targets
    wmap_vulns    Display web vulns
Core Commands
=============
    Command       Description
    ——-       ———–
    ?             Help menu
    back          Move back from the current context
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host
    exit          Exit the console
    go_pro        Launch Metasploit web GUI
    grep          Grep the output of another command
    help          Help menu
    info          Displays information about one or more module
    irb           Drop into irb scripting mode
    jobs          Displays and manages jobs
    kill          Kill a job
    load          Load a framework plugin
    loadpath      Searches for and loads modules from a path
    makerc        Save commands entered since start to a file
    popm          Pops the latest module off the stack and makes it active
    previous      Sets the previously loaded module as the current module
    pushm         Pushes the active or list of modules onto the module stack
    quit          Exit the console
    reload_all    Reloads all modules from all defined module paths
    resource      Run the commands stored in a file
    route         Route traffic through a session
    save          Saves the active datastores
    search        Searches module names and descriptions
    sessions      Dump session listings and display information about sessions
    set           Sets a variable to a value
    setg          Sets a global variable to a value
    show          Displays modules of a given type, or all modules
    sleep         Do nothing for the specified number of seconds
    spool         Write console output into a file as well the screen
    threads       View and manipulate background threads
    unload        Unload a framework plugin
    unset         Unsets one or more variables
    unsetg        Unsets one or more global variables
    use           Selects a module by name
    version       Show the framework and console library version numbers
Database Backend Commands
=========================
    Command           Description
    ——-           ———–
    creds             List all credentials in the database
    db_connect        Connect to an existing database
    db_disconnect     Disconnect from the current database instance
    db_export         Export a file containing the contents of the database
    db_import         Import a scan result file (filetype will be auto-detected)
    db_nmap           Executes nmap and records the output automatically
    db_rebuild_cache  Rebuilds the database-stored module cache
    db_status         Show the current database status
    hosts             List all hosts in the database
    loot              List all loot in the database
    notes             List all notes in the database
    services          List all services in the database
    vulns             List all vulnerabilities in the database
    workspace         Switch between database workspaces
msf > wmap_
wmap_modules  wmap_nodes    wmap_run      wmap_sites    wmap_targets  wmap_vulns   
msf > wmap_sites -a http://www.dvssc.com/
[-] Unable to create site
msf > wmap_sites -a 10.10.10.129
[-] Unable to create site
msf > wmap_sites -a http://10.10.10.129
[-] Unable to create site
msf > wmap_sites -a http://210.21.21.21
[-] Unable to create site
msf > wmap_sites -a http://210.21.21.21/
[-] Unable to create site
msf > wmap_sites -h
[*] Usage: wmap_sites [options]
   -h        Display this help text
   -a [url]  Add site (vhost,url)
   -d [ids]  Delete sites (separate ids with space)
   -l        List all available sites
   -s [id]   Display site structure (vhost,url|ids) (level)
所以,总的来说wmap的利用流程就是:
  wmap_sites -a http://192.168.10.11
  wmap_sites -l
  wmap_targets -t http://192.168.10.11/mutillidae/index.php
  wmap_targets -t
  wmap_run -t
  wmap_run -e
, ,

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注