WMap is a web vulnerability testing tool integrated into the Metasploit Framework. Before using it, you need to create a database connection to store the scan data and results, then load the wmap plugin. When you are not sure which commands are available, use the help command to view the help.
msf > load wmap
.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] === et [ ] metasploit.com 2012
[*] Successfully loaded plugin: wmap
msf > help
wmap Commands
=============
Command Description
------- -----------
wmap_modules Manage wmap modules
wmap_nodes Manage nodes
wmap_run Test targets
wmap_sites Manage sites
wmap_targets Manage targets
wmap_vulns Display web vulns
…snip…
Before actually running a scan, you first need to add a URL to scan with the -a option of wmap_sites. Once it is added, you can list the available targets with the wmap_sites -l command.
msf > wmap_sites -h
[*] Usage: wmap_targets [options]
-h Display this help text
-a [url] Add site (vhost,url)
-l List all available sites
-s [id] Display site structure (vhost,url|ids) (level)
msf > wmap_sites -a http://172.16.194.172
[*] Site created.
msf > wmap_sites -l
[*] Available sites
===============
Id Host Vhost Port Proto # Pages # Forms
-- ---- ----- ---- ----- ------- -------
0 172.16.194.172 172.16.194.172 80 http 0 0
Next, add the site to the "targets" using the -t option of the wmap_targets command:
msf > wmap_targets -h
[*] Usage: wmap_targets [options]
-h Display this help text
-t [urls] Define target sites (vhost1,url[space]vhost2,url)
-d [ids] Define target sites (id1, id2, id3 …)
-c Clean target sites list
-l List all target sites
msf > wmap_targets -t http://172.16.194.172/mutillidae/index.php
Once added, we can view our list of targets by using the '-l' switch from the console.
msf > wmap_targets -l
[*] Defined targets
===============
Id Vhost Host Port SSL Path
-- ----- ---- ---- --- ----
0 172.16.194.172 172.16.194.172 80 false /mutillidae/index.php
Using the "wmap_run" command will scan the target system.
msf > wmap_run -h
[*] Usage: wmap_run [options]
-h Display this help text
-t Show all enabled modules
-m [regex] Launch only modules that name match provided regex.
-p [regex] Only test path defined by regex.
-e [/path/to/profile] Launch profile modules against all matched targets.
(No profile file runs all enabled modules.)
We first use the "-t" switch to list the modules that will be used to scan the remote system (the wmap_run -t command lists the scanning modules we are about to use!).
msf > wmap_run -t
[*] Testing target:
[*] Site: 192.168.1.100 (192.168.1.100)
[*] Port: 80 SSL: false
[*] ============================================================
[*] Testing started. 2012-01-16 15:46:42 -0500
[*] =[ SSL testing ]=
[*] ============================================================
[*] Target is not SSL. SSL modules disabled.
[*] =[ Web Server testing ]=
[*] ============================================================
[*] Loaded auxiliary/admin/http/contentkeeper_fileaccess ...
[*] Loaded auxiliary/admin/http/tomcat_administration ...
[*] Loaded auxiliary/admin/http/tomcat_utf8_traversal ...
[*] Loaded auxiliary/admin/http/trendmicro_dlp_traversal ...
..snip…
msf >
All that remains now is to actually run the scan against our target URL.
msf > wmap_run -e
[*] Using ALL wmap enabled modules.
[-] NO WMAP NODES DEFINED. Executing local modules
[*] Testing target:
[*] Site: 172.16.194.172 (172.16.194.172)
[*] Port: 80 SSL: false
============================================================
[*] Testing started. 2012-06-27 09:29:13 -0400
[*] =[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*] =[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[*] 172.16.194.172:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/scanner/http/robots_txt
..snip…..snip…..snip…
[*] Module auxiliary/scanner/http/soap_xml
[*] Path: /
[*] Server 172.16.194.172:80 returned HTTP 404 for /. Use a different one.
[*] Module auxiliary/scanner/http/trace_axd
[*] Path: /
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*]
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*]
=[ Query testing ]=
============================================================
[*]
=[ General testing ]=
============================================================
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Launch completed in 212.01512002944946 seconds.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[*]
Done.
Once the scan has finished, we can check whether the database now holds anything useful, namely vulnerabilities!
msf > wmap_vulns -l
[*] + [172.16.194.172] (172.16.194.172): scraper /
[*] scraper Scraper
[*] GET Metasploitable2 - Linux
[*] + [172.16.194.172] (172.16.194.172): directory /dav/
[*] directory Directory found.
[*] GET Res code: 200
[*] + [172.16.194.172] (172.16.194.172): directory /cgi-bin/
[*] directory Directoy found.
[*] GET Res code: 403
…snip…
msf >
The vulns command can be used to view more detailed information:
msf > vulns
[*]Time: 2012-01-16 20:58:49 UTC Vuln: host=172.16.2.207 port=80 proto=tcp name=auxiliary/scanner/http/options refs=CVE-2005-3398,CVE-2005-3498,OSVDB-877,BID-11604,BID-9506,BID-9561
We can now use this information to gather further information on the reported vulnerability. As pentesters, we would want to investigate each finding further and identify if there are potential methods for attack.
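As an added example (not part of the original post or of Metasploit itself), a small Python parser that turns the `wmap_vulns -l` entries and the `vulns` record shown above into structured findings, grouping the refs by source (CVE, OSVDB, BID) so each can be looked up during the follow-up the paragraph above describes. The line formats are assumed from the transcript on this page; the sample input is constructed from it.

```python
import re
# Constructed sample based on the transcript above: `wmap_vulns -l`
# entries followed by the one `vulns` record (prompts left in as noise).
SAMPLE = """\
msf > wmap_vulns -l
[*] + [172.16.194.172] (172.16.194.172): scraper /
[*] GET Metasploitable2 - Linux
[*] + [172.16.194.172] (172.16.194.172): directory /dav/
[*] GET Res code: 200
[*] + [172.16.194.172] (172.16.194.172): directory /cgi-bin/
[*] GET Res code: 403
msf > vulns
[*]Time: 2012-01-16 20:58:49 UTC Vuln: host=172.16.2.207 port=80 proto=tcp name=auxiliary/scanner/http/options refs=CVE-2005-3398,CVE-2005-3498,OSVDB-877,BID-11604,BID-9506,BID-9561
"""

# Line shapes assumed from the page's transcript (not a documented Metasploit format).
ENTRY_RE = re.compile(r"^\[\*\] \+ \[(?P<host>[^\]]+)\] \((?P<vhost>[^)]+)\): (?P<kind>\S+) (?P<path>\S+)$")
CODE_RE = re.compile(r"^\[\*\] (?P<method>[A-Z]+) Res code: (?P<code>\d{3})$")
VULN_RE = re.compile(r"^\[\*\]\s*Time: (?P<time>.+?) Vuln: (?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_wmap_vulns(output):
    """Turn `wmap_vulns -l` entries into dicts; a following 'Res code' line is attached."""
    findings = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            findings.append({**m.groupdict(), "method": None, "code": None})
        elif (m := CODE_RE.match(line)) and findings:
            findings[-1]["method"] = m.group("method")
            findings[-1]["code"] = int(m.group("code"))
    return findings

def parse_vulns(output):
    """Turn `vulns` record lines into dicts, grouping refs by source prefix."""
    records = []
    for line in output.splitlines():
        m = VULN_RE.match(line)
        if not m:
            continue  # prompts, snips and wmap_vulns lines are skipped
        fields = dict(KV_RE.findall(m.group("kv")))
        refs = {}
        for ref in filter(None, fields.get("refs", "").split(",")):
            refs.setdefault(ref.split("-", 1)[0], []).append(ref)
        records.append({"time": m.group("time"), "host": fields["host"], "port": int(fields["port"]),
                        "proto": fields["proto"], "module": fields["name"], "refs": refs})
    return records

def reachable_dirs(findings):  # directories that answered 200: review these first
    return [f["path"] for f in findings if f["kind"] == "directory" and f["code"] == 200]
```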
To summarize the concrete steps for using wmap:
- Enter Metasploit (before that, it is best to run service postgresql start && service metasploit start to bring up these two underlying services);
- Then connect to the database (db_connect) {it should actually connect by default, but I guess because I was not paying attention earlier and made a mistake somewhere, I had to connect manually every time afterwards};
- Then load the wmap plugin (load wmap);
- Add a site: wmap_sites -a URL
- Mark it as a target: wmap_targets -t URL
- Show the scan modules that will be run: wmap_run -t
- Run the scan: wmap_run -e
- After the scan completes, show whether exploitable vulnerabilities exist: wmap_vulns -l (for more detailed information, use the vulns command)
msf > load wmap
.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] === et [ ] metasploit.com 2012
[*] Successfully loaded plugin: wmap
msf > help
wmap Commands
=============
Command Description
------- -----------
wmap_modules Manage wmap modules
wmap_nodes Manage nodes
wmap_run Test targets
wmap_sites Manage sites
wmap_targets Manage targets
wmap_vulns Display web vulns
Core Commands
=============
Command Description
------- -----------
? Help menu
back Move back from the current context
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
exit Exit the console
go_pro Launch Metasploit web GUI
grep Grep the output of another command
help Help menu
info Displays information about one or more module
irb Drop into irb scripting mode
jobs Displays and manages jobs
kill Kill a job
load Load a framework plugin
loadpath Searches for and loads modules from a path
makerc Save commands entered since start to a file
popm Pops the latest module off the stack and makes it active
previous Sets the previously loaded module as the current module
pushm Pushes the active or list of modules onto the module stack
quit Exit the console
reload_all Reloads all modules from all defined module paths
resource Run the commands stored in a file
route Route traffic through a session
save Saves the active datastores
search Searches module names and descriptions
sessions Dump session listings and display information about sessions
set Sets a variable to a value
setg Sets a global variable to a value
show Displays modules of a given type, or all modules
sleep Do nothing for the specified number of seconds
spool Write console output into a file as well the screen
threads View and manipulate background threads
unload Unload a framework plugin
unset Unsets one or more variables
unsetg Unsets one or more global variables
use Selects a module by name
version Show the framework and console library version numbers
Database Backend Commands
=========================
Command Description
------- -----------
creds List all credentials in the database
db_connect Connect to an existing database
db_disconnect Disconnect from the current database instance
db_export Export a file containing the contents of the database
db_import Import a scan result file (filetype will be auto-detected)
db_nmap Executes nmap and records the output automatically
db_rebuild_cache Rebuilds the database-stored module cache
db_status Show the current database status
hosts List all hosts in the database
loot List all loot in the database
notes List all notes in the database
services List all services in the database
vulns List all vulnerabilities in the database
workspace Switch between database workspaces
msf > wmap_
wmap_modules wmap_nodes wmap_run wmap_sites wmap_targets wmap_vulns
msf > wmap_sites -a http://www.dvssc.com/
[-] Unable to create site
msf > wmap_sites -a 10.10.10.129
[-] Unable to create site
msf > wmap_sites -a http://10.10.10.129
[-] Unable to create site
msf > wmap_sites -a http://210.21.21.21
[-] Unable to create site
msf > wmap_sites -a http://210.21.21.21/
[-] Unable to create site
msf > wmap_sites -h
[*] Usage: wmap_sites [options]
-h Display this help text
-a [url] Add site (vhost,url)
-d [ids] Delete sites (separate ids with space)
-l List all available sites
-s [id] Display site structure (vhost,url|ids) (level)
So, in summary, the wmap workflow is:
wmap_sites -a http://192.168.10.11
wmap_sites -l
wmap_targets -t http://192.168.10.11/mutillidae/index.php
wmap_targets -t
wmap_run -t
wmap_run -e