W3AF (Web Application Attack and Audit Framework)


  • The book is out of date on this; read these instead:
    https://bbs.ichunqiu.com/thread-15297-1-1.html
    http://www.freebuf.com/articles/5472.html
    
root@kali:~# cd /usr/share/w3af

root@kali:/usr/share/w3af# ./w3af_console
w3af>>>
root@bt:/pentest/web/w3af# ./w3af_console
Checking if a new version is available in our SVN repository. Please wait...
An error occured while updating: 'NoneType' object is not iterable
w3af>>> plugins
w3af/plugins>>> list discovery
|---------------------------------------------------------------------------|
| Plugin name | Status | Conf | Description |
|---------------------------------------------------------------------------|
| afd | | | Find out if the remote web |
| | | | server has an active filter ( |
| | | | IPS or WAF ). |
| allowedMethods | | Yes | Enumerate the allowed methods of |
| | | | an URL. |
| archiveDotOrg | | Yes | Search archive.org to find new |
| | | | pages in the target site. |
| bing_spider | | Yes | Search Bing to get a list of new |
| | | | URLs |
| content_negotiation | | Yes | Use content negotiation to find |
| | | | new resources. |
| detectReverseProxy | | | Find out if the remote web |
| | | | server has a reverse proxy. |
| detectTransparentProxy | | | Find out if your ISP has a |
| | | | transparent proxy installed. |
| digitSum | | Yes | Take an URL with a number ( |
| | | | index2.asp ) and try to find |
| | | | related files (index1.asp, |
| | | | index3.asp). |
| dir_bruter | | Yes | Finds Web server directories by |
| | | | bruteforcing. |
| dnsWildcard | | | Find out if www.site.com and |
| | | | site.com return the same page. |
| domain_dot | | | Send a specially crafted request |
| | | | with a dot after the domain |
| | | | (http://host.tld./) and analyze |
| | | | response. |
| dotNetErrors | | | Request specially crafted URLs |
| | | | that generate ASP.NET errors in |
| | | | order to gather information. |
| favicon_identification | | | Identify server software using |
| | | | favicon. |
| findBackdoor | | | Find web backdoors and web |
| | | | shells. |
| findCaptchas | | | Identify captcha images on web |
| | | | pages. |
| findDVCS | | | Find GIT, Mercurial (HG), and |
| | | | Bazaar (BZR) repositories |
| findGit | | | Find GIT repositories |
| findvhost | | | Modify the HTTP Host header and |
| | | | try to find virtual hosts. |
| fingerBing | | Yes | Search Bing to get a list of |
| | | | users for a domain. |
| fingerGoogle | | Yes | Search Google using the Google |
| | | | API to get a list of users for a |
| | | | domain. |
| fingerPKS | | | Search MIT PKS to get a list of |
| | | | users for a domain. |
| fingerprint_WAF | | | Identify if a Web Application |
| | | | Firewall is present and if |
| | | | possible identify the vendor and |
| | | | version. |
| fingerprint_os | | | Fingerprint the remote operating |
| | | | system using the HTTP protocol. |
| frontpage_version | | | Search FrontPage Server Info |
| | | | file and if it finds it will |
| | | | determine its version. |
| ghdb | | Yes | Search Google for |
| | | | vulnerabilities in the target |
| | | | site. |
| googleSpider | | Yes | Search google using google API |
| | | | to get new URLs |
| halberd | | | Identify if the remote server |
| | | | has HTTP load balancers. |
| hmap | | Yes | Fingerprint the server type, i.e |
| | | | apache, iis, tomcat, etc. |
| http_vs_https_dist | | Yes | Determines the network distance |
| | | | between the http and https ports |
| | | | for a target. |
| importResults | | Yes | Import URLs found by other |
| | | | tools. |
| oracleDiscovery | | | Find Oracle applications on the |
| | | | remote web server. |
| phishtank | | Yes | Search the phishtank.com |
| | | | database to determine if your |
| | | | server is (or was) being used in |
| | | | phishing scams. |
| phpEggs | | | Fingerprint the PHP version |
| | | | using documented easter eggs |
| | | | that exist in PHP. |
| phpinfo | | | Search PHP Info file and if it |
| | | | finds it will determine the |
| | | | version of PHP. |
| pykto | | Yes | A nikto port to python. |
| ria_enumerator | | Yes | Fingerprint Rich Internet Apps - |
| | | | Google Gears Manifest files, |
| | | | Silverlight and Flash. |
| robotsReader | | | Analyze the robots.txt file and |
| | | | find new URLs |
| serverHeader | | Yes | Identify the server type based |
| | | | on the server header. |
| serverStatus | | | Find new URLs from the Apache |
| | | | server-status cgi. |
| sharedHosting | | Yes | Use Bing search to determine if |
| | | | the website is in a shared |
| | | | hosting. |
| sitemapReader | | | Analyze the sitemap.xml file and |
| | | | find new URLs |
| slash | | | Identify if the resource |
| | | | http://host.tld/spam/ and |
| | | | http://host.tld/spam are the |
| | | | same. |
| spiderMan | | Yes | SpiderMan is a local proxy that |
| | | | will collect new URLs. |
| urlFuzzer | | Yes | Try to find backups, and other |
| | | | related files. |
| urllist_txt | | | Analyze the urllist.txt file and |
| | | | find new URLs |
| userDir | | Yes | Try to find user directories |
| | | | like "http://test/~user/" and |
| | | | identify the remote OS based on |
| | | | the remote users. |
| webDiff | | Yes | Compare a local directory with a |
| | | | remote URL path. |
| webSpider | | Yes | Crawl the web application. |
| wordnet | | Yes | Use the wordnet lexical database |
| | | | to find new URLs. |
| wordpress_fingerprint | | | Finds the version of a WordPress |
| | | | installation. |
| wsdlFinder | | | Find web service definitions |
| | | | files. |
| xssedDotCom | | | Search in xssed.com to find |
| | | | xssed pages. |
| yahooSiteExplorer | | Yes | Search Yahoo's index using Yahoo |
| | | | site explorer to get a list of |
| | | | URLs |
| zone_h | | | Find out if the site was defaced |
| | | | in the past. |
|---------------------------------------------------------------------------|
w3af/plugins>>> bruteforce
|----------------------------------------------------------------------------|
| Plugin name | Status | Conf | Description |
|----------------------------------------------------------------------------|
| basicAuthBrute | | Yes | Bruteforce HTTP basic authentication. |
| formAuthBrute | | Yes | Bruteforce HTML form authentication. |
|----------------------------------------------------------------------------|
w3af/plugins>>> bruteforce formAuthBrute
w3af/plugins>>> bruteforce config formAuthBrute
w3af/plugins/bruteforce/config:formAuthBrute>>> set passwdFile true
w3af/plugins/bruteforce/config:formAuthBrute>>> set usersFile True
w3af/plugins/bruteforce/config:formAuthBrute>>> back
w3af/plugins>>> audit xss,sqli
w3af/plugins>>> discovery webSpider
w3af/plugins>>> discovery config webSpider
w3af/plugins/discovery/config:webSpider>>> set onlyForward True
w3af/plugins/discovery/config:webSpider>>> back
w3af/plugins>>> target
Unknown command 'target'
w3af/plugins>>> back
w3af>>> target
w3af/config:target>>> set target http://www.dvssc.com/dvwa/index.php
w3af/config:target>>> back
w3af>>> plugins
w3af/plugins>>> output htmlFile
w3af/plugins>>> output config htmlFile
w3af/plugins/output/config:htmlFile>>> set verbose True
w3af/plugins/output/config:htmlFile>>> set fileName aa.html
w3af/plugins/output/config:htmlFile>>> back
w3af/plugins>>> back
w3af>>> start
Auto-enabling plugin: grep.error500
Auto-enabling plugin: grep.passwordProfiling
Auto-enabling plugin: grep.getMails
Auto-enabling plugin: grep.httpAuthDetect
Auto-enabling plugin: grep.lang
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/dvwa/images/login_logo.png
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/login.php
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/dvwa/css/login.css
The page language is: en
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/dvwa/
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/dvwa/css/
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/dvwa/css/help.css
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/dvwa/css/source.css
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/dvwa/includes/
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/dvwa/js/
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/dvwa/css/main.css
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/dvwa/images/
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/dvwa/images/RandomStorm.png
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/dvwa/images/warning.png
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/dvwa/images/lock.png
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/dvwa/images/dollar.png
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/dvwa/js/dvwaPage.js
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/dvwa/includes/DBMS/
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/dvwa/images/spanner.png
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/dvwa/includes/dvwaPhpIds.inc.php
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/dvwa/images/logo.png
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/dvwa/includes/dvwaPage.inc.php
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/dvwa/includes/DBMS/MySQL.php
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/dvwa/includes/DBMS/DBMS.php
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/dvwa/includes/DBMS/PGSQL.php
Starting formAuthBrute plugin execution.
Cant open True file.
Found 26 URLs and 59 different points of injection.
The list of URLs is:
- http://www.dvssc.com/dvwa/login.php
- http://www.dvssc.com/dvwa/dvwa/images/login_logo.png
- http://www.dvssc.com/dvwa/index.php
- http://www.dvssc.com/dvwa/
- http://www.dvssc.com/dvwa/dvwa/css/login.css
- http://www.dvssc.com/dvwa/dvwa/css/help.css
- http://www.dvssc.com/dvwa/dvwa/
- http://www.dvssc.com/dvwa/dvwa/css/
- http://www.dvssc.com/dvwa/dvwa/css/source.css
- http://www.dvssc.com/dvwa/dvwa/includes/
- http://www.dvssc.com/dvwa/dvwa/js/
- http://www.dvssc.com/dvwa/dvwa/css/main.css
- http://www.dvssc.com/dvwa/dvwa/includes/DBMS/MySQL.php
- http://www.dvssc.com/dvwa/dvwa/includes/DBMS/DBMS.php
- http://www.dvssc.com/dvwa/dvwa/images/
- http://www.dvssc.com/dvwa/dvwa/includes/DBMS/PGSQL.php
- http://www.dvssc.com/dvwa/dvwa/images/RandomStorm.png
- http://www.dvssc.com/dvwa/dvwa/images/warning.png
- http://www.dvssc.com/dvwa/dvwa/images/lock.png
- http://www.dvssc.com/dvwa/dvwa/images/dollar.png
- http://www.dvssc.com/dvwa/dvwa/js/dvwaPage.js
- http://www.dvssc.com/dvwa/dvwa/includes/DBMS/
- http://www.dvssc.com/dvwa/dvwa/images/spanner.png
- http://www.dvssc.com/dvwa/dvwa/includes/dvwaPhpIds.inc.php
- http://www.dvssc.com/dvwa/dvwa/images/logo.png
- http://www.dvssc.com/dvwa/dvwa/includes/dvwaPage.inc.php
The list of fuzzable requests is:
- http://www.dvssc.com/dvwa/ | Method: GET
- http://www.dvssc.com/dvwa/dvwa/ | Method: GET
- http://www.dvssc.com/dvwa/dvwa/ | Method: GET | Parameters: (C="D", O="A")
- http://www.dvssc.com/dvwa/dvwa/ | Method: GET | Parameters: (C="M", O="A")
- http://www.dvssc.com/dvwa/dvwa/ | Method: GET | Parameters: (C="M", O="D")
- http://www.dvssc.com/dvwa/dvwa/ | Method: GET | Parameters: (C="N", O="D")
- http://www.dvssc.com/dvwa/dvwa/ | Method: GET | Parameters: (C="S", O="A")
- http://www.dvssc.com/dvwa/dvwa/css/ | Method: GET
- http://www.dvssc.com/dvwa/dvwa/css/ | Method: GET | Parameters: (C="D", O="A")
- http://www.dvssc.com/dvwa/dvwa/css/ | Method: GET | Parameters: (C="D", O="D")
- http://www.dvssc.com/dvwa/dvwa/css/ | Method: GET | Parameters: (C="M", O="A")
- http://www.dvssc.com/dvwa/dvwa/css/ | Method: GET | Parameters: (C="N", O="A")
- http://www.dvssc.com/dvwa/dvwa/css/ | Method: GET | Parameters: (C="N", O="D")
- http://www.dvssc.com/dvwa/dvwa/css/ | Method: GET | Parameters: (C="S", O="A")
- http://www.dvssc.com/dvwa/dvwa/css/help.css | Method: GET
- http://www.dvssc.com/dvwa/dvwa/css/login.css | Method: GET
- http://www.dvssc.com/dvwa/dvwa/css/main.css | Method: GET
- http://www.dvssc.com/dvwa/dvwa/css/source.css | Method: GET
- http://www.dvssc.com/dvwa/dvwa/images/ | Method: GET
- http://www.dvssc.com/dvwa/dvwa/images/ | Method: GET | Parameters: (C="D", O="A")
- http://www.dvssc.com/dvwa/dvwa/images/ | Method: GET | Parameters: (C="M", O="A")
- http://www.dvssc.com/dvwa/dvwa/images/ | Method: GET | Parameters: (C="N", O="D")
- http://www.dvssc.com/dvwa/dvwa/images/ | Method: GET | Parameters: (C="S", O="A")
- http://www.dvssc.com/dvwa/dvwa/images/ | Method: GET | Parameters: (C="S", O="D")
- http://www.dvssc.com/dvwa/dvwa/images/RandomStorm.png | Method: GET
- http://www.dvssc.com/dvwa/dvwa/images/dollar.png | Method: GET
- http://www.dvssc.com/dvwa/dvwa/images/lock.png | Method: GET
- http://www.dvssc.com/dvwa/dvwa/images/login_logo.png | Method: GET
- http://www.dvssc.com/dvwa/dvwa/images/logo.png | Method: GET
- http://www.dvssc.com/dvwa/dvwa/images/spanner.png | Method: GET
- http://www.dvssc.com/dvwa/dvwa/images/warning.png | Method: GET
- http://www.dvssc.com/dvwa/dvwa/includes/ | Method: GET
- http://www.dvssc.com/dvwa/dvwa/includes/ | Method: GET | Parameters: (C="D", O="A")
- http://www.dvssc.com/dvwa/dvwa/includes/ | Method: GET | Parameters: (C="M", O="A")
- http://www.dvssc.com/dvwa/dvwa/includes/ | Method: GET | Parameters: (C="N", O="A")
- http://www.dvssc.com/dvwa/dvwa/includes/ | Method: GET | Parameters: (C="N", O="D")
- http://www.dvssc.com/dvwa/dvwa/includes/ | Method: GET | Parameters: (C="S", O="A")
- http://www.dvssc.com/dvwa/dvwa/includes/DBMS/ | Method: GET
- http://www.dvssc.com/dvwa/dvwa/includes/DBMS/ | Method: GET | Parameters: (C="D", O="A")
- http://www.dvssc.com/dvwa/dvwa/includes/DBMS/ | Method: GET | Parameters: (C="D", O="D")
- http://www.dvssc.com/dvwa/dvwa/includes/DBMS/ | Method: GET | Parameters: (C="M", O="A")
- http://www.dvssc.com/dvwa/dvwa/includes/DBMS/ | Method: GET | Parameters: (C="N", O="A")
- http://www.dvssc.com/dvwa/dvwa/includes/DBMS/ | Method: GET | Parameters: (C="N", O="D")
- http://www.dvssc.com/dvwa/dvwa/includes/DBMS/ | Method: GET | Parameters: (C="S", O="A")
- http://www.dvssc.com/dvwa/dvwa/includes/DBMS/DBMS.php | Method: GET
- http://www.dvssc.com/dvwa/dvwa/includes/DBMS/MySQL.php | Method: GET
- http://www.dvssc.com/dvwa/dvwa/includes/DBMS/PGSQL.php | Method: GET
- http://www.dvssc.com/dvwa/dvwa/includes/dvwaPage.inc.php | Method: GET
- http://www.dvssc.com/dvwa/dvwa/includes/dvwaPhpIds.inc.php | Method: GET
- http://www.dvssc.com/dvwa/dvwa/js/ | Method: GET
- http://www.dvssc.com/dvwa/dvwa/js/ | Method: GET | Parameters: (C="D", O="A")
- http://www.dvssc.com/dvwa/dvwa/js/ | Method: GET | Parameters: (C="M", O="A")
- http://www.dvssc.com/dvwa/dvwa/js/ | Method: GET | Parameters: (C="M", O="D")
- http://www.dvssc.com/dvwa/dvwa/js/ | Method: GET | Parameters: (C="N", O="D")
- http://www.dvssc.com/dvwa/dvwa/js/ | Method: GET | Parameters: (C="S", O="A")
- http://www.dvssc.com/dvwa/dvwa/js/dvwaPage.js | Method: GET
- http://www.dvssc.com/dvwa/index.php | Method: GET
- http://www.dvssc.com/dvwa/login.php | Method: GET
- http://www.dvssc.com/dvwa/login.php | Method: POST | Parameters: (username="", password="")
An unidentified web application error (HTTP response code 500) was found at: "http://www.dvssc.com/dvwa/dvwa/includes/DBMS/MySQL.php". Enable all plugins and try again, if the vulnerability still is not identified, please verify mannually and report it to the w3af developers. This vulnerability was found in the request with id 181.
An unidentified web application error (HTTP response code 500) was found at: "http://www.dvssc.com/dvwa/dvwa/includes/DBMS/PGSQL.php". Enable all plugins and try again, if the vulnerability still is not identified, please verify mannually and report it to the w3af developers. This vulnerability was found in the request with id 185.
Password profiling TOP 100:
- [1] Name with 402 repetitions.
- [2] Parent with 400 repetitions.
- [3] Last with 400 repetitions.
- [4] modified with 400 repetitions.
- [5] Size with 400 repetitions.
- [6] Description with 400 repetitions.
- [7] Damn with 168 repetitions.
- [8] DVWA with 168 repetitions.
- [9] Vulnerable with 168 repetitions.
- [10] Login with 140 repetitions.
- [11] dvwaPage with 126 repetitions.
- [12] RandomStorm with 119 repetitions.
- [13] images with 91 repetitions.
- [14] help with 74 repetitions.
- [15] MySQL with 74 repetitions.
- [16] main with 74 repetitions.
- [17] login with 74 repetitions.
- [18] PGSQL with 74 repetitions.
- [19] color with 66 repetitions.
- [20] spanner with 63 repetitions.
- [21] DBMS with 63 repetitions.
- [22] lock with 63 repetitions.
- [23] dvwaPhpIds with 63 repetitions.
- [24] logo with 63 repetitions.
- [25] includes with 63 repetitions.
- [26] dollar with 63 repetitions.
- [27] source with 62 repetitions.
- [28] border with 56 repetitions.
- [29] font with 48 repetitions.
- [30] padding with 48 repetitions.
- [31] 10px with 44 repetitions.
- [32] margin with 44 repetitions.
- [33] background with 40 repetitions.
- [34] align with 38 repetitions.
- [35] Application with 28 repetitions.
- [36] Username with 28 repetitions.
- [37] width with 28 repetitions.
- [38] OpenSource with 28 repetitions.
- [39] project with 28 repetitions.
- [40] Password with 28 repetitions.
- [41] size with 26 repetitions.
- [42] bottom with 24 repetitions.
- [43] 20px with 24 repetitions.
- [44] solid with 22 repetitions.
- [45] left with 22 repetitions.
- [46] style with 18 repetitions.
- [47] text with 16 repetitions.
- [48] right with 16 repetitions.
- [49] 13px with 14 repetitions.
- [50] height with 12 repetitions.
- [51] none with 12 repetitions.
- [52] 15px with 12 repetitions.
- [53] sans with 10 repetitions.
- [54] D2D4D4 with 10 repetitions.
- [55] body with 10 repetitions.
- [56] float with 10 repetitions.
- [57] serif with 10 repetitions.
- [58] false with 10 repetitions.
- [59] Arial with 8 repetitions.
- [60] Helvetica with 8 repetitions.
- [61] weight with 8 repetitions.
- [62] bold with 8 repetitions.
- [63] span with 8 repetitions.
- [64] 6B778C with 8 repetitions.
- [65] decoration with 8 repetitions.
- [66] f8fafa with 8 repetitions.
- [67] 758DAE with 8 repetitions.
- [68] return with 8 repetitions.
- [69] e7e7e7 with 6 repetitions.
- [70] hidden with 6 repetitions.
- [71] hover with 6 repetitions.
- [72] 12px with 6 repetitions.
- [73] container with 6 repetitions.
- [74] selected with 6 repetitions.
- [75] family with 6 repetitions.
- [76] C0C0C0 with 6 repetitions.
- [77] function with 6 repetitions.
- [78] overflow with 6 repetitions.
- [79] f4f4f4 with 6 repetitions.
- [80] 2f2f2f with 6 repetitions.
- [81] code with 4 repetitions.
- [82] focus with 4 repetitions.
- [83] with with 4 repetitions.
- [84] 25px with 4 repetitions.
- [85] input with 4 repetitions.
- [86] auto with 4 repetitions.
- [87] thisform with 4 repetitions.
- [88] F9F7ED with 4 repetitions.
- [89] form with 4 repetitions.
- [90] C3D9FF with 4 repetitions.
- [91] txtName with 4 repetitions.
- [92] 99cc33 with 4 repetitions.
- [93] area with 4 repetitions.
- [94] alerttxt with 4 repetitions.
- [95] mtxMessage with 4 repetitions.
- [96] A1CC33 with 4 repetitions.
- [97] empty with 4 repetitions.
- [98] 30px with 4 repetitions.
- [99] ffffff with 4 repetitions.
- [100] value with 4 repetitions.
Scan finished in 14 seconds.
w3af>>>
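The scan output above is long, and the one line that matters most ("Cant open True file.", caused by setting passwdFile and usersFile to a boolean instead of a wordlist path, so the bruteforce plugin did nothing) is easy to miss in the scroll. As an added example (not part of the original page or of w3af itself), here is a small Python parser for that console format that extracts the discovered URLs, fuzzable requests and unclassified HTTP 500 findings and flags scan-health problems; the sample output is constructed from the transcript's own line formats.

```python
"""Parse w3af console scan output into a report and flag scan-health problems."""
import re
from collections import defaultdict

# Constructed sample, modelled on the lines the scan transcript prints
# (not a live capture; the host is the page's own example target).
SAMPLE_OUTPUT = """\
Auto-enabling plugin: grep.error500
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/login.php
New URL found by webSpider plugin: http://www.dvssc.com/dvwa/dvwa/includes/DBMS/MySQL.php
Starting formAuthBrute plugin execution.
Cant open True file.
Found 2 URLs and 3 different points of injection.
The list of fuzzable requests is:
- http://www.dvssc.com/dvwa/login.php | Method: GET
- http://www.dvssc.com/dvwa/login.php | Method: POST | Parameters: (username="", password="")
- http://www.dvssc.com/dvwa/dvwa/includes/DBMS/MySQL.php | Method: GET
An unidentified web application error (HTTP response code 500) was found at: "http://www.dvssc.com/dvwa/dvwa/includes/DBMS/MySQL.php". Enable all plugins and try again, if the vulnerability still is not identified, please verify mannually and report it to the w3af developers. This vulnerability was found in the request with id 181.
Scan finished in 14 seconds.
"""

NEW_URL = re.compile(r"^New URL found by (\w+) plugin: (\S+)$")
FUZZABLE = re.compile(r"^- (\S+) \| Method: ([A-Z]+)(?: \| Parameters: \((.*)\))?$")
PARAM = re.compile(r'(\w+)="([^"]*)"')
HTTP_ERROR = re.compile(
    r'^An unidentified web application error \(HTTP response code (\d+)\) '
    r'was found at: "([^"]+)"\..*request with id (\d+)\.$'
)
CANT_OPEN = re.compile(r"^Cant open (\S+) file\.$")
FINISHED = re.compile(r"^Scan finished in (\d+) seconds\.$")


def parse_w3af_output(text):
    """Turn the console lines into a report dict; lines we do not know are ignored."""
    report = {
        "urls": defaultdict(list),   # plugin name -> URLs it discovered
        "fuzzable": [],              # (url, method, {param: value})
        "http_errors": [],           # (status, url, request_id)
        "file_errors": [],           # values a plugin failed to open as a file
        "duration": None,            # seconds, None if the scan never finished
    }
    for line in text.splitlines():
        if m := NEW_URL.match(line):
            report["urls"][m.group(1)].append(m.group(2))
        elif m := FUZZABLE.match(line):
            params = dict(PARAM.findall(m.group(3) or ""))
            report["fuzzable"].append((m.group(1), m.group(2), params))
        elif m := HTTP_ERROR.match(line):
            report["http_errors"].append((int(m.group(1)), m.group(2), int(m.group(3))))
        elif m := CANT_OPEN.match(line):
            report["file_errors"].append(m.group(1))
        elif m := FINISHED.match(line):
            report["duration"] = int(m.group(1))
    return report


def scan_health(report):
    """Return human-readable problems that would otherwise be lost in the scroll."""
    problems = []
    for value in report["file_errors"]:
        # 'set passwdFile true' stores the literal string as the path, so the
        # bruteforce plugin cannot load a wordlist and silently does nothing.
        problems.append(
            f"a plugin could not open {value!r} as a file: passwdFile/usersFile "
            "expect a wordlist path, not a boolean")
    for status, url, req_id in report["http_errors"]:
        problems.append(
            f"HTTP {status} at {url} (request id {req_id}) needs manual review; "
            "w3af did not classify it")
    if report["duration"] is None:
        problems.append("no 'Scan finished' line: the scan did not complete")
    return problems


def post_requests(report):
    """POST requests are where credentials flow; list them with their parameter names."""
    return [(url, sorted(params))
            for url, method, params in report["fuzzable"] if method == "POST"]


if __name__ == "__main__":
    rep = parse_w3af_output(SAMPLE_OUTPUT)
    total = sum(len(v) for v in rep["urls"].values())
    print(f"{total} URLs, {len(rep['fuzzable'])} fuzzable requests")
    for problem in scan_health(rep):
        print("WARNING:", problem)
```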

This is a session run in Kali, and a relatively complete one.

  • This is my own session log; it also shows how the relevant settings are configured.
root@kali:/usr/share/w3af# ./w3af_console
w3af>>> help
|-----------------------------------------------------------------------------|
| start | Start the scan. |
| plugins | Enable and configure plugins. |
| exploit | Exploit the vulnerability. |
| profiles | List and use scan profiles. |
| cleanup | Cleanup before starting a new scan. |
|-----------------------------------------------------------------------------|
| help | Display help. Issuing: help [command] , prints more |
| | specific help about "command" |
| version | Show w3af version information. |
| keys | Display key shortcuts. |
|-----------------------------------------------------------------------------|
| http-settings | Configure the HTTP settings of the framework. |
| misc-settings | Configure w3af misc settings. |
| target | Configure the target URL. |
|-----------------------------------------------------------------------------|
| back | Go to the previous menu. |
| exit | Exit w3af. |
|-----------------------------------------------------------------------------|
| kb | Browse the vulnerabilities stored in the Knowledge Base |
|-----------------------------------------------------------------------------|
w3af>>> plugins
w3af/plugins>>> view
Unknown command 'view'
w3af/plugins>>> help
|-----------------------------------------------------------------------------|
| list | List available plugins. |
|-----------------------------------------------------------------------------|
| back | Go to the previous menu. |
| exit | Exit w3af. |
|-----------------------------------------------------------------------------|
| auth | View, configure and enable auth plugins |
| grep | View, configure and enable grep plugins |
| evasion | View, configure and enable evasion plugins |
| mangle | View, configure and enable mangle plugins |
| crawl | View, configure and enable crawl plugins |
| bruteforce | View, configure and enable bruteforce plugins |
| audit | View, configure and enable audit plugins |
| infrastructure | View, configure and enable infrastructure plugins |
| output | View, configure and enable output plugins |
|-----------------------------------------------------------------------------|
w3af/plugins>>> auth
|----------------------------------------------------------------------------|
| Plugin name | Status | Conf | Description |
|----------------------------------------------------------------------------|
| detailed | | Yes | Detailed authentication plugin. |
| generic | | Yes | Generic authentication plugin. |
|----------------------------------------------------------------------------|
w3af/plugins>>> bruteforce
|---------------------------------------------------------------------------|
| Plugin name | Status | Conf | Description |
|---------------------------------------------------------------------------|
| basic_auth | | Yes | Bruteforce HTTP basic authentication. |
| form_auth | | Yes | Bruteforce HTML form authentication. |
|---------------------------------------------------------------------------|
w3af/plugins>>> bruteforce basic_auth,form_auth
w3af/plugins>>> bruteforce
|----------------------------------------------------------------------------|
| Plugin name | Status | Conf | Description |
|----------------------------------------------------------------------------|
| basic_auth | Enabled | Yes | Bruteforce HTTP basic authentication. |
| form_auth | Enabled | Yes | Bruteforce HTML form authentication. |
|----------------------------------------------------------------------------|
w3af/plugins>>> help
|-----------------------------------------------------------------------------|
| list | List available plugins. |
|-----------------------------------------------------------------------------|
| back | Go to the previous menu. |
| exit | Exit w3af. |
|-----------------------------------------------------------------------------|
| auth | View, configure and enable auth plugins |
| grep | View, configure and enable grep plugins |
| evasion | View, configure and enable evasion plugins |
| mangle | View, configure and enable mangle plugins |
| crawl | View, configure and enable crawl plugins |
| bruteforce | View, configure and enable bruteforce plugins |
| audit | View, configure and enable audit plugins |
| infrastructure | View, configure and enable infrastructure plugins |
| output | View, configure and enable output plugins |
|-----------------------------------------------------------------------------|
w3af/plugins>>> bruteforce config form_auth
w3af/plugins/bruteforce/config:form_auth>>> view
|-----------------------------------------------------------------------------|
| Setting | Value | Modified | Description |
|-----------------------------------------------------------------------------|
| profilingNumber | 50 | | This |
| | | | indicates |
| | | | how many |
| | | | passwords |
| | | | from |
| | | | profiling |
| | | | will be |
| | | | used. |
| useLeetPasswd | True | | This |
| | | | indicates if |
| | | | the |
| | | | bruteforce |
| | | | should try |
| | | | l337 |
| | | | passwords |
| useProfiling | True | | This |
| | | | indicates if |
| | | | the |
| | | | bruteforce |
| | | | should use |
| | | | password |
| | | | profiling to |
| | | | collect new |
| | | | passwords. |
| useEmails | True | | This |
| | | | indicates if |
| | | | the |
| | | | bruteforcer |
| | | | should use |
| | | | emails |
| | | | collected by |
| | | | w3af plugins |
| | | | as users. |
| comboSeparator | : | | Separator |
| | | | string used |
| | | | in Combo |
| | | | file to |
| | | | split |
| | | | username and |
| | | | password |
| passEqUser | True | | This |
| | | | indicates if |
| | | | the |
| | | | bruteforce |
| | | | should try |
| | | | password |
| | | | equal user |
| | | | in logins. |
| passwdFile | w3af/core/controllers/bruteforce/passwords.txt | | Passwords |
| | | | file to use |
| | | | in |
| | | | bruteforcing |
| comboFile | w3af/core/controllers/bruteforce/combo.txt | | Combo of |
| | | | username and |
| | | | passord, |
| | | | file to use |
| | | | in |
| | | | bruteforcing |
| usersFile | w3af/core/controllers/bruteforce/users.txt | | Users file |
| | | | to use in |
| | | | bruteforcing |
| stopOnFirst | True | | This |
| | | | indicates if |
| | | | the |
| | | | bruteforce |
| | | | should stop |
| | | | after |
| | | | finding the |
| | | | first |
| | | | correct user |
| | | | and |
| | | | password. |
| useSvnUsers | True | | This |
| | | | indicates if |
| | | | we will use |
| | | | usernames |
| | | | from SVN |
| | | | headers |
| | | | collected by |
| | | | w3af plugins |
| | | | in |
| | | | bruteforce. |
|-----------------------------------------------------------------------------|
w3af/plugins/bruteforce/config:form_auth>>> view
|-----------------------------------------------------------------------------------------------------------------------------------------|
| Setting | Value | Modified | Description |
|-----------------------------------------------------------------------------------------------------------------------------------------|
| profilingNumber | 50 | | This indicates how many passwords from profiling will be |
| | | | used. |
| useLeetPasswd | True | | This indicates if the bruteforce should try l337 |
| | | | passwords |
| useProfiling | True | | This indicates if the bruteforce should use password |
| | | | profiling to collect new passwords. |
| useEmails | True | | This indicates if the bruteforcer should use emails |
| | | | collected by w3af plugins as users. |
| comboSeparator | : | | Separator string used in Combo file to split username and |
| | | | password |
| passEqUser | True | | This indicates if the bruteforce should try password |
| | | | equal user in logins. |
| passwdFile | w3af/core/controllers/bruteforce/passwords.txt | | Passwords file to use in bruteforcing |
| comboFile | w3af/core/controllers/bruteforce/combo.txt | | Combo of username and passord, file to use in |
| | | | bruteforcing |
| usersFile | w3af/core/controllers/bruteforce/users.txt | | Users file to use in bruteforcing |
| stopOnFirst | True | | This indicates if the bruteforce should stop after |
| | | | finding the first correct user and password. |
| useSvnUsers | True | | This indicates if we will use usernames from SVN headers |
| | | | collected by w3af plugins in bruteforce. |
|-----------------------------------------------------------------------------------------------------------------------------------------|
w3af/plugins/bruteforce/config:form_auth>>> back
The configuration has been saved.
w3af/plugins>>> audit
|----------------------------------------------------------------------------------------------------------------------------------------|
| Plugin name | Status | Conf | Description |
|----------------------------------------------------------------------------------------------------------------------------------------|
| blind_sqli | | Yes | Identify blind SQL injection vulnerabilities. |
| buffer_overflow | | | Find buffer overflow vulnerabilities. |
| cors_origin | | Yes | Inspect if application checks that the value of the "Origin" HTTP header isconsistent with the |
| | | | value of the remote IP address/Host of the sender ofthe incoming HTTP request. |
| csrf | | | Identify Cross-Site Request Forgery vulnerabilities. |
| dav | | | Verify if the WebDAV module is properly configured. |
| eval | | Yes | Find insecure eval() usage. |
| file_upload | | Yes | Uploads a file and then searches for the file inside all known directories. |
| format_string | | | Find format string vulnerabilities. |
| frontpage | | | Tries to upload a file using frontpage extensions (author.dll). |
| generic | | Yes | Find all kind of bugs without using a fixed database of errors. |
| global_redirect | | | Find scripts that redirect the browser to any site. |
| htaccess_methods | | | Find misconfigurations in Apache's "<LIMIT>" configuration. |
| ldapi | | | Find LDAP injection bugs. |
| lfi | | | Find local file inclusion vulnerabilities. |
| memcachei | | | No description available for this plugin. |
| mx_injection | | | Find MX injection vulnerabilities. |
| os_commanding | | | Find OS Commanding vulnerabilities. |
| phishing_vector | | | Find phishing vectors. |
| preg_replace | | | Find unsafe usage of PHPs preg_replace. |
| redos | | | Find ReDoS vulnerabilities. |
| response_splitting | | | Find response splitting vulnerabilities. |
| rfd | | | Identify reflected file download vulnerabilities. |
| rfi | | Yes | Find remote file inclusion vulnerabilities. |
| shell_shock | | | Find shell shock vulnerabilities. |
| sqli | | | Find SQL injection bugs. |
| ssi | | | Find server side inclusion vulnerabilities. |
| ssl_certificate | | Yes | Check the SSL certificate validity (if https is being used). |
| un_ssl | | | Find out if secure content can also be fetched using http. |
| xpath | | | Find XPATH injection vulnerabilities. |
| xss | | Yes | Identify cross site scripting vulnerabilities. |
| xst | | | Find Cross Site Tracing vulnerabilities. |
|----------------------------------------------------------------------------------------------------------------------------------------|
w3af/plugins>>> audit xss,sqli
w3af/plugins>>> help
|-----------------------------------------------------------------------------------------------------------------------------------------|
| list | List available plugins. |
|-----------------------------------------------------------------------------------------------------------------------------------------|
| back | Go to the previous menu. |
| exit | Exit w3af. |
|-----------------------------------------------------------------------------------------------------------------------------------------|
| auth | View, configure and enable auth plugins |
| grep | View, configure and enable grep plugins |
| evasion | View, configure and enable evasion plugins |
| mangle | View, configure and enable mangle plugins |
| crawl | View, configure and enable crawl plugins |
| bruteforce | View, configure and enable bruteforce plugins |
| audit | View, configure and enable audit plugins |
| infrastructure | View, configure and enable infrastructure plugins |
| output | View, configure and enable output plugins |
|-----------------------------------------------------------------------------------------------------------------------------------------|
w3af/plugins>>> crawl
|-----------------------------------------------------------------------------------------------------------------------------------------|
| Plugin name | Status | Conf | Description |
|-----------------------------------------------------------------------------------------------------------------------------------------|
| archive_dot_org | | Yes | Search archive.org to find new pages in the target site. |
| bing_spider | | Yes | Search Bing to get a list of new URLs |
| content_negotiation | | Yes | Use content negotiation to find new resources. |
| digit_sum | | Yes | Take an URL with a number (index2.asp) and try to find related files (index1.asp, |
| | | | index3.asp). |
| dir_file_bruter | | Yes | Finds Web server directories and files by bruteforcing. |
| dot_listing | | | Search for .listing files and extracts new filenames from it. |
| find_backdoors | | | Find web backdoors and web shells. |
| find_captchas | | | Identify captcha images on web pages. |
| find_dvcs | | | Search Git, Mercurial (HG), Bazaar (BZR), Subversion (SVN) and CVS repositories and |
| | | | checks for files containing |
| genexus_xml | | | Analyze the execute.xml and DeveloperMenu.xml files and find new URLs |
| ghdb | | Yes | Search Google for vulnerabilities in the target site. |
| google_spider | | Yes | Search google using google API to get new URLs |
| import_results | | Yes | Import URLs found by other tools. |
| oracle_discovery | | | Find Oracle applications on the remote web server. |
| phishtank | | | Search the phishtank.com database to determine if your server is (or was)being used in |
| | | | phishing scams. |
| phpinfo | | | Search PHP Info file and if it finds it will determine the version of PHP. |
| pykto | | Yes | A nikto port to python. |
| ria_enumerator | | Yes | Fingerprint Rich Internet Apps - Google Gears Manifest files, Silverlight and Flash. |
| robots_txt | | | Analyze the robots.txt file and find new URLs |
| sitemap_xml | | | Analyze the sitemap.xml file and find new URLs |
| spider_man | | Yes | SpiderMan is a local proxy that will collect new URLs. |
| url_fuzzer | | Yes | Try to find backups, and other related files. |
| urllist_txt | | | Analyze the urllist.txt file and find new URLs |
| user_dir | | | Identify user directories like "http://test/~user/" and infer the remote OS. |
| web_diff | | Yes | Compare a local directory with a remote URL path. |
| web_spider | | Yes | Crawl the web application. |
| wordnet | | Yes | Use the wordnet lexical database to find new URLs. |
| wordpress_enumerate_users | | | Finds users in a WordPress installation. |
| wordpress_fingerprint | | | Finds the version of a WordPress installation. |
| wordpress_fullpathdisclosure | | | Try to find the path where the WordPress is installed |
| wsdl_finder | | | Find web service definitions files. |
|-----------------------------------------------------------------------------------------------------------------------------------------|
w3af/plugins>>> crawl web_spider
w3af/plugins>>> crawl config web_spider
w3af/plugins/crawl/config:web_spider>>> view
|----------------------------------------------------------------------------------------------------------------------------------------|
| Setting | Value | Modified | Description |
|----------------------------------------------------------------------------------------------------------------------------------------|
| only_forward | False | | When crawling only follow links to paths inside the one given as target. |
| ignore_regex | | | When crawling, DO NOT follow links that match this regular expression. Please note that ignore_regex |
| | | | has precedence over follow_regex. |
| follow_regex | .* | | When crawling only follow links that match this regular expression. Please note that ignore_regex |
| | | | has precedence over follow_regex. |
|----------------------------------------------------------------------------------------------------------------------------------------|
w3af/plugins/crawl/config:web_spider>>> set only_forward true
w3af/plugins/crawl/config:web_spider>>> back
The configuration has been saved.
w3af/plugins>>> back
w3af>>> target
w3af/config:target>>> set target http://www.dvssc.com/dvwa/index.php
w3af/config:target>>> back
The configuration has been saved.
w3af>>> output
Unknown command 'output'
w3af>>> plugins
w3af/plugins>>> output
|----------------------------------------------------------------------------------------------------------------------------------------|
| Plugin name | Status | Conf | Description |
|----------------------------------------------------------------------------------------------------------------------------------------|
| console | Enabled | Yes | Print messages to the console. |
| csv_file | | Yes | Export identified vulnerabilities to a CSV file. |
| email_report | | Yes | Email report to specified addresses. |
| export_requests | | Yes | Export the fuzzable requests found during crawl to a file. |
| html_file | | Yes | Generate HTML report with identified vulnerabilities and log messages. |
| text_file | | Yes | Prints all messages to a text file. |
| xml_file | | Yes | Print all messages to a xml file. |
|----------------------------------------------------------------------------------------------------------------------------------------|
w3af/plugins>>> output html_file
w3af/plugins>>> output config html_file
w3af/plugins/output/config:html_file>>> view
|----------------------------------------------------------------------------------------------------------------------------------------|
| Setting | Value | Modified | Description |
|----------------------------------------------------------------------------------------------------------------------------------------|
| output_file | ~/report.html | | File name where this plugin will write to |
| verbose | False | | True if debug information will be appended to the |
| | | | report. |
| template | w3af/plugins/output/html_file/templates/complete.html | | The path to the HTML template used to render the |
| | | | report. |
|----------------------------------------------------------------------------------------------------------------------------------------|
w3af/plugins/output/config:html_file>>> set output_file lixu.php
w3af/plugins/output/config:html_file>>> set verbose true
w3af/plugins/output/config:html_file>>> view
|----------------------------------------------------------------------------------------------------------------------------------------|
| Setting | Value | Modified | Description |
|----------------------------------------------------------------------------------------------------------------------------------------|
| output_file | lixu.php | Yes | File name where this plugin will write to |
| verbose | true | Yes | True if debug information will be appended to the |
| | | | report. |
| template | w3af/plugins/output/html_file/templates/complete.html | | The path to the HTML template used to render the |
| | | | report. |
|----------------------------------------------------------------------------------------------------------------------------------------|
w3af/plugins/output/config:html_file>>> back
The configuration has been saved.
w3af/plugins>>> back
w3af>>> start


# At this point, if everything above is configured correctly, the scan runs against the target site. In practice, just use the graphical interface (w3af_gui); it is more convenient.
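The interactive session above can be replayed without retyping it: w3af's console accepts a script file (one console command per line) via `./w3af_console -s script.w3af`. The shell snippet below is an added example, not code from the original post or from the w3af project. It generates such a script with the same choices as the session (audit plugins `xss,sqli`, `web_spider` with `only_forward True`, the `html_file` output plugin with `verbose True`, and the DVWA target URL from the post) and adds one setting the post does not use: an `ignore_regex` that keeps the crawler away from DVWA's `logout.php`, because a spider that follows the logout link ends its own session and audits nothing afterwards. The report is written to an `.html` file in `$HOME` instead of the post's `lixu.php`; the target URL, the `logout` pattern and the `w3af_console` location in the current directory are assumptions taken from the transcript.

```shell
#!/bin/sh
# Added example (not from the original post or from w3af): reproduce the
# console session as a w3af script so the scan runs non-interactively.
# Assumptions: ./w3af_console is in the current directory (as in the
# transcript), the target is the post's DVWA instance, and DVWA exposes a
# logout.php that must not be crawled.

# gen_w3af_script TARGET REPORT_FILE
# Print a w3af console script mirroring the session above: audit xss,sqli,
# web_spider limited to paths under the target, html_file output with
# debug messages, then start the scan and leave the console.
gen_w3af_script() {
    target="$1"
    report="$2"
    cat <<EOF
# generated w3af console script: one console command per line
plugins
audit xss,sqli
crawl web_spider
crawl config web_spider
set only_forward True
set ignore_regex .*logout.*
back
output console,html_file
output config html_file
set output_file ${report}
set verbose True
back
back
target
set target ${target}
back
start
exit
EOF
}

# count_enabled_audit SCRIPT_FILE
# Return the number of audit plugins a generated script enables, so a
# script can be sanity-checked before spending scan time on it.
count_enabled_audit() {
    awk '/^audit / { n += split($2, a, ",") } END { print n + 0 }' "$1"
}

# Usage: write the script, then run it only if w3af_console is present here.
SCRIPT_FILE="${TMPDIR:-/tmp}/dvwa-scan.w3af"
gen_w3af_script "http://www.dvssc.com/dvwa/index.php" \
    "${HOME:-/tmp}/dvwa-report.html" > "$SCRIPT_FILE"
if [ -x ./w3af_console ]; then
    ./w3af_console -s "$SCRIPT_FILE"
else
    echo "w3af_console not found in $(pwd); script written to $SCRIPT_FILE" >&2
fi
```

`ignore_regex` takes precedence over `follow_regex`, as the `web_spider` option table above states, so the logout exclusion holds even with the default `follow_regex` of `.*`. The trailing `exit` matters for unattended runs: without it the console stays open after the scan and a cron job or CI step never returns.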