【漏洞扫描器】AWVS扫描器简单分析

企业开发 2023-04-08 13:35:40 阅读次数: 0

文章目录

0x01 前言

0x02 抓包分析

简单抓包看了下,值得学习的一点:发送10个左右请求,计算站点的平均响应时间。

这么抓包分析目的性偏弱,上网找到一些相关资料,还是站在巨人的肩膀上进行学习吧。

从自动发包的请求来看,手动抓包并重放的方式,会影响AWVS的请求内容。抓包重放的方式,参考价值不大。

手动抓包并重放(AWVS显示发送了6个请求)(参考价值不大)

抓包方式:手动拦截请求包并重放。

第一个请求包

GET / HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Host: 127.0.0.1
Connection: close

第二个请求包

GET /p1KaLmIg2kB7fZp5 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Host: 127.0.0.1
Connection: close

第三个请求包:GET /?gGBw={vsCx}&firc=<> HTTP/1.1
第四个:GET / HTTP/1.1
第五个:GET /p1KaLmIg2kB7fZp5 HTTP/1.1
第六个:GET /?gGBw={vsCx}&firc=<> HTTP/1.1
第七个:GET /p1KaLmIg2kB7fZp5 HTTP/1.1
第8个:GET / HTTP/1.1
第9个:GET /p1KaLmIg2kB7fZp5 HTTP/1.1
第10个:GET /?gGBw={vsCx}&firc=<> HTTP/1.1

此时AWVS扫描页面:请求数量是1,计算了平均响应时间。
在这里插入图片描述

第11个请求包,服务器返回404

POST / HTTP/1.1
Content-Type: application/json
Accept: application/json
Accept-Encoding: gzip, deflate
Content-Length: 737
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Host: 127.0.0.1
Connection: close

{"operationName":"IntrospectionQuery","variables":{},"query":"query IntrospectionQuery { __schema { queryType { name } mutationType { name } types { ...FullType }  }} fragment FullType on __Type { kind name description fields(includeDeprecated: false) { name description args { ...InputValue } type { ...TypeRef } } inputFields { ...InputValue } interfaces { ...TypeRef } enumValues(includeDeprecated: false) { name description } possibleTypes { ...TypeRef }} fragment InputValue on __InputValue { name description type { ...TypeRef } defaultValue} fragment TypeRef on __Type { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name } } } } } } }}"}

第12个请求包,服务器返回404

POST /graphql HTTP/1.1
Content-Type: application/json
Accept: application/json
Accept-Encoding: gzip, deflate
Content-Length: 737
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Host: 127.0.0.1
Connection: close

{"operationName":"IntrospectionQuery","variables":{},"query":"query IntrospectionQuery { __schema { queryType { name } mutationType { name } types { ...FullType }  }} fragment FullType on __Type { kind name description fields(includeDeprecated: false) { name description args { ...InputValue } type { ...TypeRef } } inputFields { ...InputValue } interfaces { ...TypeRef } enumValues(includeDeprecated: false) { name description } possibleTypes { ...TypeRef }} fragment InputValue on __InputValue { name description type { ...TypeRef } defaultValue} fragment TypeRef on __Type { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name } } } } } } }}"}

第13个:GET / HTTP/1.1

第14个,探测8161端口,伪造身份验证字段Authorization

GET /admin/ HTTP/1.1
Authorization: Basic YWRtaW46YWRtaW4=(base64解密结果是admin:admin)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Host: 127.0.0.1:8161
Connection: close

第15个:GET /vYyxCPJNGO.jsp
第16个:GET /bal
第17个:伪造Referer字段

GET /ad.php HTTP/1.1
Referer: http://127.0.0.1/
Host: 127.0.0.1

第18个:伪造Referer字段

GET /adminer.php HTTP/1.1
Referer: http://127.0.0.1/
Host: 127.0.0.1

第19-22个:伪造Referer字段,同第17和18个

/_adminer.php
/Adminer.php
/ad.php

第23个:探测8161端口

GET /jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fshells HTTP/1.1
Host: 127.0.0.1:8081

第24个:访问bxss.me域名进行认证

POST /ng/auth HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Content-Length: 57
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Host: bxss.me
Connection: close

user_id=009247&token=f61f2d2d-c11e-461d-8469-0c4924bdc4a2

第25个:

POST / HTTP/1.1
Content-Type: application/json
Accept: application/json
Accept-Encoding: gzip, deflate
Content-Length: 737
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Host: 127.0.0.1
Connection: close

{"operationName":"IntrospectionQuery","variables":{},"query":"query IntrospectionQuery { __schema { queryType { name } mutationType { name } types { ...FullType }  }} fragment FullType on __Type { kind name description fields(includeDeprecated: false) { name description args { ...InputValue } type { ...TypeRef } } inputFields { ...InputValue } interfaces { ...TypeRef } enumValues(includeDeprecated: false) { name description } possibleTypes { ...TypeRef }} fragment InputValue on __InputValue { name description type { ...TypeRef } defaultValue} fragment TypeRef on __Type { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name } } } } } } }}"}

第26个:POST数据等等都与第25个相同

POST /graphql

第27个:GET /bal
第28个:GET /adminer.php
第29个:GET /
第30个:GET /Adminer.php,伪造Referer头
第31-32个:同上开始进行目录遍历,伪造Referer头

GET /_adminer.php
GET /ad.php

第33个:GET /vYyxCPJNGO.jsp
第34个:与之前数据包重复

POST / HTTP/1.1
Content-Type: application/json
Accept: application/json
Accept-Encoding: gzip, deflate
Content-Length: 737
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Host: 127.0.0.1
Connection: close

{"operationName":"IntrospectionQuery","variables":{},"query":"query IntrospectionQuery { __schema { queryType { name } mutationType { name } types { ...FullType }  }} fragment FullType on __Type { kind name description fields(includeDeprecated: false) { name description args { ...InputValue } type { ...TypeRef } } inputFields { ...InputValue } interfaces { ...TypeRef } enumValues(includeDeprecated: false) { name description } possibleTypes { ...TypeRef }} fragment InputValue on __InputValue { name description type { ...TypeRef } defaultValue} fragment TypeRef on __Type { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name } } } } } } }}"}

第35个:与第34个相似,POST /graphql

第36个:GET /
第37个:GET /bal
第38-42个:伪造Referer头

GET /ad.php
GET /Adminer.php
GET /ad.php
GET /_adminer.php
GET /adminer.php

第43-44个:

GET /vYyxCPJNGO.jsp
GET /7DB6s5TmTI.php

第45个:

GET / HTTP/1.1
Max-Forwards: 0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Host: 127.0.0.1
Connection: close

第46-54个:伪造Referer头

GET /adminer-4.3.1-mysql.php
GET /adminer-4.3.0-mysql-en.php
GET /adminer-4.3.1-mysql-en.php
GET /adminer-4.3.0-en.php
GET /adminer-4.3.1-en.php
GET /adminer-4.3.1.php
GET /adminer-4.3.0-mysql.php
GET /adminer-4.3.0.php
GET /adminer-4.3.1.php

第55个

GET / HTTP/1.1
Max-Forwards: 0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Host: 127.0.0.1
Connection: close

第56-60个:伪造Referer头

GET /adminer-4.3.1-mysql.php
GET /adminer-4.3.0-mysql-en.php
GET /adminer-4.3.1-mysql-en.php
GET /adminer-4.3.0-mysql.php
GET /adminer-4.3.1-en.php

第61个:

GET /7DB6s5TmTI.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Host: 127.0.0.1
Connection: close

第62-63个:伪造Referer头

GET /adminer-4.3.0.php
GET /adminer-4.3.0-en.php

第64个:

GET / HTTP/1.1
Max-Forwards: 0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Host: 127.0.0.1
Connection: close

第65-72个:伪造Referer头

GET /adminer-4.3.0-en.php
GET /adminer-4.3.1-mysql-en.php
GET /adminer-4.3.1-mysql.php
GET /adminer-4.3.1.php
GET /adminer-4.3.1-en.php
GET /adminer-4.3.0-mysql.php
GET /adminer-4.3.0.php
GET /adminer-4.3.0-mysql-en.php

第73个:GET /7DB6s5TmTI.php。

此时AWVS显示页面
在这里插入图片描述

暂停扫描任务,下班。

通过发包历史查看请求

参考文章:【技术分享】对AWVS的一次简单分析-2017

Burpsuite支持查看 HTTP history,故无需手动抓包重放,查看历史就能看到扫描器的每个请求。
在这里插入图片描述

请求数量:截至到暂停扫描任务,一共发送了17000+个请求。

从请求的URL来看,也是目录枚举爬取+Fuzz扫描的方式。目前看,大多数Web扫描器都是基于这样的一种模式。

0x03 小结

参考文章:【技术分享】对AWVS的一次简单分析-2017

AWVS 可借鉴的内容,参考文章中提到一些。
在这里插入图片描述

总体对个人的启发如下,当下可以考虑先编写Golang实现的目录枚举和页面链接提取两个工作,然后考虑对枚举和提取的URL进行mark分类。

  • 不可或缺的目录枚举工作
  • URL的分类和专门扫描工作

猜你喜欢

转载自blog.csdn.net/soldi_er/article/details/123071962
今日推荐
火速冲上 GitHub 热榜 —— 开源编程语言、框架哪有这么可爱?
北京人形机器人创新中心发布全球首个纯电驱拟人奔跑的全尺寸人形机器人“天工”
LFOSSA 源来如此公开课 | 掌握云原生未来:CNCF 认证全面攻略与备考秘籍
国产云输入法——仅华为无云端数据上传安全问题
开源日报 | 工业开源项目OGG 1.0;姐姐,你要和我一起配置火狐吗;苹果AI遥遥落后?Fedora 40
开放签电子签章:停止新增,优化体验,前进更进(五一假期前工作)
周排行
Metasploit文件目录与入侵基本概念
跨域(CORS)请求问题[No 'Access-Control-Allow-Origin' header is present on the requested resource]常见解决方案
CodeIgniter 源码解读之 CodeIgniter.php(二)
SAS入门之(四)改变数据类型
初识元组
[数学建模]数学建模算法和模型(B站视频)(二)
Nginx 服务器源码安装配置流程
C#实现语音视频录制 【基于MCapture + MFile】
开发进度4
下载安装vue的方法网址
每日归档
更多
2024-04-28(0)
2024-04-27(56)
2024-04-26(39)
2024-04-25(22)
2024-04-24(36)
2024-04-23(26)
2024-04-22(39)
2024-04-21(0)
2024-04-20(6)
2024-04-19(5)

代码天地 © 2018 codetd.com

境外服务器   最新电视剧2022