WMAP

https://www.cnblogs.com/comdodo/p/5324492.html

WMap是一个集成于Metasploit框架中用于测试Web脆弱性的工具，在使用之前，你需要先创建一个数据库连接用于存放扫描的数据、结果，然后加载wmap插件，当你不清楚命令有哪些时，可以使用help命令进行查看帮助。

msf > load wmap

.-.-.-..-.-.-..—..—.

| | | || | | || | || |-‘

-----'-‘-‘-‘-^-'-‘

[WMAP 1.5.1] === et [ ] metasploit.com 2012

[*]Successfully loaded plugin: wmap

msf > help

wmap Commands

=============

Command Description

——- ———–

wmap_modules Manage wmap modules

wmap_nodes Manage nodes

wmap_run Test targets

wmap_sites Manage sites

wmap_targets Manage targets

wmap_vulns Display web vulns

…snip…

在真正运行扫描之前，需要先使用wmap_sites的-a选项添加一个URL进行扫描，添加了之后你可以使用wmap_sites -l命令查看可用的目标。

msf > wmap_sites -h

[*] Usage: wmap_targets [options]

-h Display this help text

-a [url] Add site (vhost,url)

-l List all available sites

-s [id] Display site structure (vhost,url|ids) (level)

msf > wmap_sites -a http://172.16.194.172

[*] Site created.

msf > wmap_sites -l

[*] Available sites

===============

Id Host Vhost Port Proto # Pages # Forms

— —- —– —- —– ——- ——-

0 172.16.194.172 172.16.194.172 80 http 0 0

然后，将站点添加到“目标”中去，使用wmap_targets命令的-t选项；

msf > wmap_targets -h

[*]Usage: wmap_targets [options]

-h Display this help text

-t [urls] Define target sites (vhost1,url[space]vhost2,url)

-d [ids] Define target sites (id1, id2, id3 …)

-c Clean target sites list

-l List all target sites

msf > wmap_targets -t http://172.16.194.172/mutillidae/index.php

Once added, we can view our list of targets by using the ‘-l’ switch from the console.

msf > wmap_targets -l

[*] Defined targets

===============

Id Vhost Host Port SSL Path

— —– —- —- — —-

0 172.16.194.172 172.16.194.172 80 false /mutillidae/index.php

Using the “wmap_run” command will scan the target system.

msf > wmap_run -h

[*]Usage: wmap_run [options]

-h Display this help text

-t Show all enabled modules

-m [regex] Launch only modules that name match provided regex.

-p [regex] Only test path defined by regex.

-e [/path/to/profile] Launch profile modules against all matched targets.

(No profile file runs all enabled modules.)

We first using the “-t” switch to list the modules that will be used to scan the remote system. （使用 wmap_run -l 命令可以列出我们将要使用的扫描模块！）

msf > wmap_run -t

[*] Testing target:

[*] Site: 192.168.1.100 (192.168.1.100)

[*] Port: 80 SSL: false

[*] ============================================================

[*] Testing started. 2012-01-16 15:46:42 -0500

[*] =[ SSL testing ]=

[*] ============================================================

[*] Target is not SSL. SSL modules disabled.

[*] =[ Web Server testing ]=

[*] ============================================================[*] Loaded auxiliary/admin/http/contentkeeper_fileaccess …[*] Loaded auxiliary/admin/http/tomcat_administration …[*]Loaded auxiliary/admin/http/tomcat_utf8_traversal …[*] Loaded auxiliary/admin/http/trendmicro_dlp_traversal …

..snip…

msf >

All that remains now is to actually run the scan against our target URL.

msf > wmap_run -e

[*] Using ALL wmap enabled modules.

[-] NO WMAP NODES DEFINED. Executing local modules

[*] Testing target:

[*] Site: 172.16.194.172 (172.16.194.172)

[*] Port: 80 SSL: false

============================================================

[*] Testing started. 2012-06-27 09:29:13 -0400

[*] =[ SSL testing ]=

============================================================

[*] Target is not SSL. SSL modules disabled.

[*] =[ Web Server testing ]=

============================================================

[*] Module auxiliary/scanner/http/http_version

[*] 172.16.194.172:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )

[*] Module auxiliary/scanner/http/open_proxy

[*] Module auxiliary/scanner/http/robots_txt

..snip…..snip…..snip…

[*] Module auxiliary/scanner/http/soap_xml

[*] Path: /

[*] Server 172.16.194.172:80 returned HTTP 404 for /. Use a different one.

[*] Module auxiliary/scanner/http/trace_axd

[*] Path: /

[*] Module auxiliary/scanner/http/verb_auth_bypass

[*]

=[ Unique Query testing ]=

============================================================

[*] Module auxiliary/scanner/http/blind_sql_query

[*] Module auxiliary/scanner/http/error_sql_injection

[*] Module auxiliary/scanner/http/http_traversal

[*] Module auxiliary/scanner/http/rails_mass_assignment

[*] Module exploit/multi/http/lcms_php_exec

[*]

=[ Query testing ]=

============================================================

[*]

=[ General testing ]=

============================================================

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Launch completed in 212.01512002944946 seconds.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

[*]

Done.

在扫描执行完了之后，我们可以查看一下数据库中是否存在一些可用的东西—漏洞！

msf > wmap_vulns -l

[*] + [172.16.194.172] (172.16.194.172): scraper /

[*] scraper Scraper

[*] GET Metasploitable2 – Linux

[*] + [172.16.194.172] (172.16.194.172): directory /dav/

[*] directory Directory found.

[*] GET Res code: 200

[*] + [172.16.194.172] (172.16.194.172): directory /cgi-bin/

[*] directory Directoy found.

[*] GET Res code: 403

…snip…

msf >

可以使用 vulns 命令可以查看更详细的信息！

msf > vulns

[*]Time: 2012-01-16 20:58:49 UTC Vuln: host=172.16.2.207 port=80 proto=tcp name=auxiliary/scanner/http/options refs=CVE-2005-3398,CVE-2005-3498,OSVDB-877,BID-11604,BID-9506,BID-9561

We can now use this information to gather further information on the reported vulnerability. As pentesters, we would want to investigate each finding further and identify if there are potential methods for attack.

来源： <http://www.offensive-security.com/metasploit-unleashed/WMAP_Web_Scanner>

总结一下使用wmap的具体步骤：

进入Metasploit（在这之前最好先运行：service postgresql start && service metasploit start 命令开启这两个基础服务）；
然后连接数据库（db_connect）{其实应该是默认连接的，但是估计是因为我之前没有注意，在哪个地方翻了个错误，导致后来都得手动连接}；
之后加载wmap插件（load wmap）；
添加站点：wmap_sites -a URL
列为目标：wmap_targets -t URL
先是将要执行的扫描模块：wmap_run -t
执行扫描：wmap_run -e
在扫描完成之后显示是否存在可利用漏洞：wmap_vulns -l（若要查看更详细的信息，则使用vulns命令）

msf > load wmap

.-.-.-..-.-.-..—..—.

| | | || | | || | || |-‘

-----'-‘-‘-‘-^-'-‘

[WMAP 1.5.1] === et [ ] metasploit.com 2012

[*] Successfully loaded plugin: wmap

msf > help

wmap Commands

=============

Command Description

——- ———–

wmap_modules Manage wmap modules

wmap_nodes Manage nodes

wmap_run Test targets

wmap_sites Manage sites

wmap_targets Manage targets

wmap_vulns Display web vulns

Core Commands

=============

Command Description

——- ———–

? Help menu

back Move back from the current context

banner Display an awesome metasploit banner

cd Change the current working directory

color Toggle color

connect Communicate with a host

exit Exit the console

go_pro Launch Metasploit web GUI

grep Grep the output of another command

help Help menu

info Displays information about one or more module

irb Drop into irb scripting mode

jobs Displays and manages jobs

kill Kill a job

load Load a framework plugin

loadpath Searches for and loads modules from a path

makerc Save commands entered since start to a file

popm Pops the latest module off the stack and makes it active

previous Sets the previously loaded module as the current module

pushm Pushes the active or list of modules onto the module stack

quit Exit the console

reload_all Reloads all modules from all defined module paths

resource Run the commands stored in a file

route Route traffic through a session

save Saves the active datastores

search Searches module names and descriptions

sessions Dump session listings and display information about sessions

set Sets a variable to a value

setg Sets a global variable to a value

show Displays modules of a given type, or all modules

sleep Do nothing for the specified number of seconds

spool Write console output into a file as well the screen

threads View and manipulate background threads

unload Unload a framework plugin

unset Unsets one or more variables

unsetg Unsets one or more global variables

use Selects a module by name

version Show the framework and console library version numbers

Database Backend Commands

=========================

Command Description

——- ———–

creds List all credentials in the database

db_connect Connect to an existing database

db_disconnect Disconnect from the current database instance

db_export Export a file containing the contents of the database

db_import Import a scan result file (filetype will be auto-detected)

db_nmap Executes nmap and records the output automatically

db_rebuild_cache Rebuilds the database-stored module cache

db_status Show the current database status

hosts List all hosts in the database

loot List all loot in the database

notes List all notes in the database

services List all services in the database

vulns List all vulnerabilities in the database

workspace Switch between database workspaces

msf > wmap_

wmap_modules wmap_nodes wmap_run wmap_sites wmap_targets wmap_vulns

msf > wmap_sites -a http://www.dvssc.com/

[-] Unable to create site

msf > wmap_sites -a 10.10.10.129

[-] Unable to create site

msf > wmap_sites -a http://10.10.10.129

[-] Unable to create site

msf > wmap_sites -a http://210.21.21.21

[-] Unable to create site

msf > wmap_sites -a http://210.21.21.21/

[-] Unable to create site

msf > wmap_sites -h

[*] Usage: wmap_sites [options]

-h Display this help text

-a [url] Add site (vhost,url)

-d [ids] Delete sites (separate ids with space)

-l List all available sites

-s [id] Display site structure (vhost,url|ids) (level)

所以，总的来说wmap的利用流程就是：

wmap_sites -a http://192.168.10.11

wmap_sites -l

wmap_targets -t http://192.168.10.11/mutillidae/index.php

wmap_targets -t

wmap_run -t

wmap_run -e

猜你喜欢