{"id":303,"date":"2014-07-01T01:35:04","date_gmt":"2014-07-01T01:35:04","guid":{"rendered":"http:\/\/ixyzero.com\/blog\/?p=303"},"modified":"2014-07-01T01:35:04","modified_gmt":"2014-07-01T01:35:04","slug":"wmap%e7%9a%84%e4%bd%bf%e7%94%a8","status":"publish","type":"post","link":"https:\/\/ixyzero.com\/blog\/archives\/303.html","title":{"rendered":"wmap\u7684\u4f7f\u7528"},"content":{"rendered":"

WMap\u662f\u4e00\u4e2a\u96c6\u6210\u4e8eMetasploit\u6846\u67b6\u4e2d\u7528\u4e8e\u6d4b\u8bd5Web\u8106\u5f31\u6027\u7684\u5de5\u5177\uff0c\u5728\u4f7f\u7528\u4e4b\u524d\uff0c\u4f60\u9700\u8981\u5148\u521b\u5efa\u4e00\u4e2a\u6570\u636e\u5e93\u8fde\u63a5\u7528\u4e8e\u5b58\u653e\u626b\u63cf\u7684\u6570\u636e\u3001\u7ed3\u679c\uff0c\u7136\u540e\u52a0\u8f7dwmap\u63d2\u4ef6\uff0c\u5f53\u4f60\u4e0d\u6e05\u695a\u547d\u4ee4\u6709\u54ea\u4e9b\u65f6\uff0c\u53ef\u4ee5\u4f7f\u7528help\u547d\u4ee4\u8fdb\u884c\u67e5\u770b\u5e2e\u52a9\u3002<\/p>\n

msf >\u00a0load wmap<\/span><\/div>\n
.-.-.-..-.-.-..—..—.<\/div>\n
| | | || | | || | || |-‘<\/div>\n
`—–‘`-‘-‘-‘`-^-‘`-‘<\/div>\n
[WMAP 1.5.1] ===\u00a0 et [\u00a0 ] metasploit.com 2012<\/div>\n
[*]<\/span>Successfully loaded plugin: wmap<\/div>\n
<\/div>\n
msf >\u00a0help<\/span><\/div>\n
<\/div>\n
wmap Commands<\/div>\n
=============<\/div>\n
<\/div>\n
\u00a0\u00a0\u00a0 Command\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Description<\/div>\n
\u00a0\u00a0\u00a0 ——-\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ———–<\/div>\n
\u00a0\u00a0\u00a0 wmap_modules\u00a0 Manage wmap modules<\/div>\n
\u00a0\u00a0\u00a0 wmap_nodes\u00a0\u00a0\u00a0 Manage nodes<\/div>\n
\u00a0\u00a0\u00a0 wmap_run\u00a0\u00a0\u00a0\u00a0\u00a0 Test targets<\/div>\n
\u00a0\u00a0\u00a0 wmap_sites\u00a0\u00a0\u00a0 Manage sites<\/div>\n
\u00a0\u00a0\u00a0 wmap_targets\u00a0 Manage targets<\/div>\n
\u00a0\u00a0\u00a0 wmap_vulns\u00a0\u00a0\u00a0 Display web vulns<\/div>\n
<\/div>\n
…snip…<\/span><\/div>\n


\u5728\u771f\u6b63\u8fd0\u884c\u626b\u63cf\u4e4b\u524d\uff0c\u9700\u8981\u5148\u4f7f\u7528wmap_sites\u7684-a\u9009\u9879\u6dfb\u52a0\u4e00\u4e2aURL\u8fdb\u884c\u626b\u63cf\uff0c\u6dfb\u52a0\u4e86\u4e4b\u540e\u4f60\u53ef\u4ee5\u4f7f\u7528wmap_sites -l\u547d\u4ee4\u67e5\u770b\u53ef\u7528\u7684\u76ee\u6807\u3002<\/span><\/p>\n

msf >\u00a0wmap_sites -h<\/span><\/div>\n
[*]<\/span>\u00a0 Usage: wmap_targets [options]<\/div>\n
\u00a0\u00a0\u00a0 -h\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Display this help text<\/div>\n
\u00a0\u00a0\u00a0 -a [url]\u00a0 Add site (vhost,url)<\/div>\n
\u00a0\u00a0\u00a0 -l\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 List all available sites<\/div>\n
\u00a0\u00a0\u00a0 -s [id]\u00a0\u00a0 Display site structure (vhost,url|ids) (level)<\/div>\n
<\/div>\n
msf >\u00a0wmap_sites -a\u00a0http:\/\/172.16.194.172<\/a><\/span><\/div>\n
[*]\u00a0<\/span>Site created.<\/div>\n
msf >\u00a0wmap_sites -l<\/span><\/div>\n
[*]\u00a0<\/span>Available sites<\/div>\n
===============<\/div>\n
<\/div>\n
\u00a0\u00a0\u00a0\u00a0 Id\u00a0 Host\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Vhost\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Port\u00a0 Proto\u00a0 # Pages\u00a0 # Forms<\/div>\n
\u00a0\u00a0\u00a0\u00a0 —\u00a0 —-\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 —–\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 —-\u00a0 —–\u00a0 ——-\u00a0 ——-<\/div>\n
\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0 172.16.194.172\u00a0 172.16.194.172\u00a0 80\u00a0\u00a0\u00a0 http\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0<\/div>\n
<\/div>\n
<\/div>\n

\u7136\u540e\uff0c\u5c06\u7ad9\u70b9\u6dfb\u52a0\u5230\u201c\u76ee\u6807\u201d\u4e2d\u53bb\uff0c\u4f7f\u7528wmap_targets\u547d\u4ee4\u7684-t\u9009\u9879\uff1b<\/span><\/p>\n

msf >\u00a0wmap_targets -h<\/span><\/div>\n
[*]<\/span>Usage: wmap_targets [options]<\/div>\n
\u00a0\u00a0\u00a0 -h\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Display this help text<\/div>\n
\u00a0\u00a0\u00a0 -t [urls]\u00a0\u00a0\u00a0\u00a0Define target sites (vhost1,url[space]vhost2,url)<\/strong><\/span><\/div>\n
\u00a0\u00a0\u00a0 -d [ids]\u00a0\u00a0\u00a0 Define target sites (id1, id2, id3 …)<\/div>\n
\u00a0\u00a0\u00a0 -c\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Clean target sites list<\/div>\n
\u00a0\u00a0\u00a0 -l\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 List all target sites<\/div>\n
<\/div>\n
<\/div>\n
msf >\u00a0wmap_targets -t http:\/\/172.16.194.172\/mutillidae\/index.php<\/span><\/div>\n


Once added, we can view our list of targets by using the ‘-l’ switch from the console.\u00a0<\/span>

<\/p>\n

\n
msf > wmap_targets -l<\/div>\n
[*] Defined targets<\/div>\n
===============<\/div>\n
<\/div>\n
\u00a0\u00a0\u00a0\u00a0 Id\u00a0 Vhost\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Host\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Port\u00a0 SSL\u00a0\u00a0\u00a0 Path<\/div>\n
\u00a0\u00a0\u00a0\u00a0 —\u00a0 —–\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 —-\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 —-\u00a0 —\u00a0\u00a0\u00a0 —-<\/div>\n
\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0 172.16.194.172\u00a0 172.16.194.172\u00a0 80\u00a0\u00a0\u00a0 false\u00a0\u00a0\u00a0 \/mutillidae\/index.php<\/div>\n
<\/div>\n<\/div>\n


Using the\u00a0<\/span>“wmap_run”<\/b>\u00a0command will scan the target system.\u00a0<\/span>

<\/p>\n

msf >\u00a0wmap_run -h<\/span><\/div>\n
[*]<\/span>Usage: wmap_run [options]<\/div>\n
\u00a0\u00a0\u00a0 -h\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Display this help text<\/div>\n
\u00a0\u00a0\u00a0 -t\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Show all enabled modules<\/div>\n
\u00a0\u00a0\u00a0 -m [regex]\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Launch only modules that name match provided regex.<\/div>\n
\u00a0\u00a0\u00a0 -p [regex]\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Only test path defined by regex.<\/div>\n
\u00a0\u00a0\u00a0 -e [\/path\/to\/profile]\u00a0\u00a0\u00a0\u00a0 Launch profile modules against all matched targets.<\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 (No profile file runs all enabled modules.)<\/div>\n
<\/div>\n


We first using the\u00a0<\/span>“-t”<\/b>\u00a0switch to list the modules that will be used to scan the remote system.\u00a0\uff08\u4f7f\u7528 wmap_run -l \u547d\u4ee4\u53ef\u4ee5\u5217\u51fa\u6211\u4eec\u5c06\u8981\u4f7f\u7528\u7684\u626b\u63cf\u6a21\u5757\uff01\uff09<\/span>

<\/p>\n

msf >\u00a0wmap_run -t<\/span><\/div>\n
[*]<\/span>\u00a0Testing target:<\/div>\n
[*]<\/span>\u00a0\u00a0\u00a0\u00a0 Site: 192.168.1.100 (192.168.1.100)<\/div>\n
[*]<\/span>\u00a0\u00a0\u00a0\u00a0 Port: 80 SSL: false<\/div>\n
[*]<\/span>\u00a0============================================================<\/div>\n
[*]<\/span>\u00a0Testing started. 2012-01-16 15:46:42 -0500<\/div>\n
[*]\u00a0<\/span>=[ SSL testing ]=<\/div>\n
[*]<\/span>\u00a0============================================================<\/div>\n
[*]<\/span>\u00a0Target is not SSL. SSL modules disabled.<\/div>\n
[*]\u00a0<\/span>=[ Web Server testing ]=<\/div>\n
[*]<\/span>\u00a0============================================================[*]<\/span>\u00a0Loaded auxiliary\/admin\/http\/contentkeeper_fileaccess …[*]<\/span>\u00a0Loaded auxiliary\/admin\/http\/tomcat_administration …[*]<\/span>Loaded auxiliary\/admin\/http\/tomcat_utf8_traversal …[*]<\/span>\u00a0Loaded auxiliary\/admin\/http\/trendmicro_dlp_traversal …<\/div>\n
..snip…<\/span><\/div>\n
<\/div>\n
msf ><\/div>\n


All that remains now is to actually run the scan against our target URL.\u00a0<\/span>

<\/p>\n

msf >\u00a0wmap_run -e<\/span><\/div>\n
[*]<\/span>\u00a0Using ALL wmap enabled modules.<\/div>\n
[-]<\/span>\u00a0NO WMAP NODES DEFINED. Executing local modules<\/div>\n
[*]<\/span>\u00a0Testing target:<\/div>\n
[*]<\/span>\u00a0\u00a0\u00a0\u00a0 Site: 172.16.194.172 (172.16.194.172)<\/div>\n
[*]\u00a0<\/span>\u00a0\u00a0\u00a0 Port: 80 SSL: false<\/div>\n
============================================================<\/div>\n
[*]<\/span>\u00a0Testing started. 2012-06-27 09:29:13 -0400<\/div>\n
[*]\u00a0<\/span>=[ SSL testing ]=<\/div>\n
============================================================<\/div>\n
[*]<\/span>\u00a0Target is not SSL. SSL modules disabled.<\/div>\n
[*]\u00a0<\/span>=[ Web Server testing ]=<\/div>\n
============================================================<\/div>\n
[*]\u00a0<\/span>Module auxiliary\/scanner\/http\/http_version<\/div>\n
<\/div>\n
[*]<\/span>\u00a0172.16.194.172:80 Apache\/2.2.8 (Ubuntu) DAV\/2 ( Powered by PHP\/5.2.4-2ubuntu5.10 )<\/div>\n
[*]<\/span>\u00a0Module auxiliary\/scanner\/http\/open_proxy<\/div>\n
[*]\u00a0<\/span>Module auxiliary\/scanner\/http\/robots_txt<\/div>\n
<\/div>\n
<\/div>\n
..snip…<\/span>..snip…<\/span>..snip…<\/span><\/div>\n
<\/div>\n
<\/div>\n
[*]<\/span>\u00a0Module auxiliary\/scanner\/http\/soap_xml<\/div>\n
[*]<\/span>\u00a0Path: \/<\/div>\n
[*]<\/span>\u00a0Server 172.16.194.172:80 returned HTTP 404 for \/.\u00a0 Use a different one.<\/div>\n
[*]<\/span>\u00a0Module auxiliary\/scanner\/http\/trace_axd<\/div>\n
[*]<\/span>\u00a0Path: \/<\/div>\n
[*]<\/span>\u00a0Module auxiliary\/scanner\/http\/verb_auth_bypass<\/div>\n
[*]<\/span><\/div>\n
<\/div>\n
=[ Unique Query testing ]=<\/div>\n
============================================================<\/div>\n
[*]<\/span>\u00a0Module auxiliary\/scanner\/http\/blind_sql_query<\/div>\n
[*]<\/span>\u00a0Module auxiliary\/scanner\/http\/error_sql_injection<\/div>\n
[*]<\/span>\u00a0Module auxiliary\/scanner\/http\/http_traversal<\/div>\n
[*]<\/span>\u00a0Module auxiliary\/scanner\/http\/rails_mass_assignment<\/div>\n
[*]<\/span>\u00a0Module exploit\/multi\/http\/lcms_php_exec<\/div>\n
[*]<\/span><\/div>\n
<\/div>\n
=[ Query testing ]=<\/div>\n
============================================================<\/div>\n
[*]<\/span><\/div>\n
<\/div>\n
=[ General testing ]=<\/div>\n
============================================================<\/div>\n
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<\/div>\n
Launch completed in 212.01512002944946 seconds.<\/div>\n
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<\/div>\n
[*]<\/span><\/div>\n
Done.<\/div>\n
<\/div>\n


\u5728\u626b\u63cf\u6267\u884c\u5b8c\u4e86\u4e4b\u540e\uff0c\u6211\u4eec\u53ef\u4ee5\u67e5\u770b\u4e00\u4e0b\u6570\u636e\u5e93\u4e2d\u662f\u5426\u5b58\u5728\u4e00\u4e9b\u53ef\u7528\u7684\u4e1c\u897f—\u6f0f\u6d1e\uff01<\/span><\/p>\n

\n
msf >\u00a0wmap_vulns -l<\/strong><\/span><\/div>\n
[*] + [172.16.194.172] (172.16.194.172): scraper \/<\/div>\n
[*]\u00a0\u00a0\u00a0\u00a0 scraper Scraper<\/div>\n
[*]\u00a0\u00a0\u00a0\u00a0 GET Metasploitable2 – Linux<\/div>\n
[*] + [172.16.194.172] (172.16.194.172): directory \/dav\/<\/div>\n
[*]\u00a0\u00a0\u00a0\u00a0 directory Directory found.<\/div>\n
[*]\u00a0\u00a0\u00a0\u00a0 GET Res code: 200<\/div>\n
[*] + [172.16.194.172] (172.16.194.172): directory \/cgi-bin\/<\/div>\n
[*]\u00a0\u00a0\u00a0\u00a0 directory Directoy found.<\/div>\n
[*]\u00a0\u00a0\u00a0\u00a0 GET Res code: 403<\/div>\n
<\/div>\n

…snip…<\/span><\/p>\n

<\/div>\n
msf ><\/div>\n<\/div>\n


\u53ef\u4ee5\u4f7f\u7528 vulns \u547d\u4ee4\u53ef\u4ee5\u67e5\u770b\u66f4\u8be6\u7ec6\u7684\u4fe1\u606f\uff01<\/span>

<\/p>\n

msf >\u00a0vulns<\/span><\/div>\n
[*]<\/span>Time: 2012-01-16 20:58:49 UTC Vuln: host=172.16.2.207 port=80 proto=tcp name=auxiliary\/scanner\/http\/options refs=CVE-2005-3398,CVE-2005-3498,OSVDB-877,BID-11604,BID-9506,BID-9561<\/div>\n
<\/div>\n
We can now use this information to gather further information on the reported vulnerability. As pentesters, we would want to investigate each finding further and identify if there are potential methods for attack.<\/span><\/small><\/div>\n
\u6765\u6e90\uff1a\u00a0<http:\/\/www.offensive-security.com\/metasploit-unleashed\/WMAP_Web_Scanner<\/a>><\/small><\/small><\/div>\n
\n
\n<\/div>\n
<\/small><\/small>\u603b\u7ed3\u4e00\u4e0b\u4f7f\u7528wmap\u7684\u5177\u4f53\u6b65\u9aa4\uff1a<\/strong><\/span><\/small><\/div>\n

\n