I have recently been debugging a scanner that integrates WVS (Acunetix Web Vulnerability Scanner) and ran into a few problems. For one, I noticed that WVS always carries some telltale markers in its requests, for example:
1. Headers
Acunetix-Aspect
Acunetix-Aspect-Password
Acunetix-Aspect-Queries
Accept:acunetix/wvs
Referer:www.acunetix-
Cookie: acunetixCookie
2. Markers contained in the URL
md5(acunetix_wvs_security_test)
injected_by_wvs
wvstest
acunetix-wvs-test
acunetix.wvs
acunetix_invalid
$acunetix
bxss.me
I scanned a local practice target (bee-box) and then looked at its logs:
root@bee-box:/var/log/apache2# cat access.log |grep acunetix | wc -l
5549
root@bee-box:/var/log/apache2# cat access.log |grep acunetix_wvs_security_test | wc -l
5075
root@bee-box:/var/log/apache2# cat access.log |grep -v acunetix_wvs_security_test |grep wvs | wc -l
3879
root@bee-box:/var/log/apache2# cat access.log |grep -v acunetix_wvs_security_test |grep -v wvstest | grep wvs |wc -l
13
root@bee-box:/var/log/apache2# cat access.log |grep -v acunetix_wvs_security_test |grep -v wvstest | grep wvs |tail
192.168.0.100 - - [17/Aug/2017:19:29:55 +0200] "GET /acunetix-wvs-test-for-some-inexistent-file HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
192.168.0.100 - - [17/Aug/2017:19:29:57 +0200] "GET http://www.acunetix.wvs HTTP/1.1" 200 588 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
192.168.0.100 - - [17/Aug/2017:19:29:57 +0200] "CONNECT www.acunetix.wvs:443 HTTP/1.1" 405 408 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
192.168.0.101 - - [17/Aug/2017:19:32:06 +0200] "GET /acunetix-wvs-test-for-some-inexistent-file HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
192.168.0.101 - - [17/Aug/2017:20:24:37 +0200] "GET /acunetix-wvs-test-for-some-inexistent-file HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
192.168.0.101 - - [17/Aug/2017:20:25:36 +0200] "GET /acunetix-wvs-test-for-some-inexistent-file HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
192.168.0.101 - - [17/Aug/2017:20:35:08 +0200] "GET /acunetix-wvs-test-for-some-inexistent-file HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
192.168.0.100 - - [18/Aug/2017:03:58:49 +0200] "GET /acunetix-wvs-test-for-some-inexistent-file HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
192.168.0.100 - - [18/Aug/2017:03:58:54 +0200] "CONNECT www.acunetix.wvs:443 HTTP/1.1" 405 408 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
192.168.0.100 - - [18/Aug/2017:03:58:54 +0200] "GET http://www.acunetix.wvs HTTP/1.1" 200 588 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
root@bee-box:/var/log/apache2#
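The grep pipeline above can be turned into a small detector that runs over access-log lines. This is an added example, not code from the post or from wyproxy. It parses the Apache combined log format, percent-decodes the request line and Referer (a marker inside a query string such as md5%28acunetix_wvs_security_test%29 slips past a literal grep for the parentheses), and counts hits per marker and per source IP. The sample lines are constructed after the bee-box log above; the query strings and Referer values are made up for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Markers Acunetix WVS leaves in request lines and Referer headers (the list
# from the post). They are regular expressions; metacharacters are escaped.
WVS_MARKERS = [
    r'md5\(acunetix_wvs_security_test\)',
    r'injected_by_wvs',
    r'wvstest',
    r'acunetix-wvs-test',
    r'acunetix\.wvs',
    r'acunetix_invalid',
    r'\$acunetix',
    r'bxss\.me',
    r'www\.acunetix-',      # the forged Referer
]
WVS_RE = re.compile('|'.join('(?:%s)' % m for m in WVS_MARKERS), re.IGNORECASE)

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def wvs_markers(text):
    """Return the distinct WVS markers found in `text`, lower-cased and sorted.

    The text is percent-decoded first, so md5%28acunetix_wvs_security_test%29
    in a query string is caught as well as the literal form.
    """
    return sorted({m.lower() for m in WVS_RE.findall(unquote(text))})


def scan_log(lines):
    """Count WVS hits in access-log lines.

    Returns (hits_per_marker, hits_per_client_ip, number_of_unparsable_lines).
    A line counts once for its client IP however many markers it carries.
    """
    per_marker, per_ip, unparsed = Counter(), Counter(), 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        # WVS puts its markers in the request line (path/query) and the Referer
        hits = wvs_markers(m.group('request') + ' ' + m.group('referer'))
        if hits:
            per_ip[m.group('ip')] += 1
            per_marker.update(hits)
    return per_marker, per_ip, unparsed


# Constructed sample, modelled on the bee-box log above; the query strings and
# Referer values are made up for the example.
UA = 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21'


def _line(ip, when, request, status, size, referer='-'):
    return '%s - - [%s] "%s" %s %s "%s" "%s"' % (ip, when, request, status, size, referer, UA)


SAMPLE_LOG = [
    _line('192.168.0.100', '17/Aug/2017:19:29:55 +0200', 'GET /acunetix-wvs-test-for-some-inexistent-file HTTP/1.1', 404, 409),
    _line('192.168.0.100', '17/Aug/2017:19:29:57 +0200', 'GET http://www.acunetix.wvs HTTP/1.1', 200, 588),
    _line('192.168.0.100', '17/Aug/2017:19:30:01 +0200', 'GET /login.php?id=1%27%20AND%20md5%28acunetix_wvs_security_test%29 HTTP/1.1', 200, 1024),
    _line('192.168.0.100', '17/Aug/2017:19:30:03 +0200', 'GET /view.php?file=%5B%24acunetix%5D HTTP/1.1', 200, 512),
    _line('192.168.0.101', '17/Aug/2017:19:32:06 +0200', 'GET /search.php?q=wvstest%3Cscript%3E HTTP/1.1', 200, 2048, 'http://www.acunetix-referrer.test/'),
    _line('192.168.0.101', '17/Aug/2017:19:32:10 +0200', 'POST /upload.php HTTP/1.1', 200, 310, 'http://bxss.me/t/xss.html'),
    _line('10.0.0.5', '17/Aug/2017:19:33:00 +0200', 'GET /index.php HTTP/1.1', 200, 4096),
    'this line is not in combined log format',
]

if __name__ == '__main__':
    per_marker, per_ip, unparsed = scan_log(SAMPLE_LOG)
    for marker, n in per_marker.most_common():
        print('%-35s %d' % (marker, n))
    for ip, n in per_ip.most_common():
        print('%-35s %d' % (ip, n))
    print('unparsable lines: %d' % unparsed)
```

Run against a real access.log with `scan_log(open('/var/log/apache2/access.log'))`; per-IP counts give the scanner's source addresses, and the per-marker counts show which probes it ran.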
So this traffic is easily identified as a WVS scan, and just as easily dropped outright by a WAF. Some third-party tool is needed to strip these markers. I had seen Burp used to strip them before, but running Burp on a cloud host is a bit of a non-starter, so I turned to the powerful wyproxy.
First, remove the markers from the HTTP headers. In handler.py I added a scrubbing function:
def Characteristics(headers):
    """Strip the Acunetix WVS fingerprints from a request's headers.

    `headers` is mitmproxy's case-insensitive Headers object, modified in place.
    """
    # WVS-only headers: drop them outright
    for name in ('Acunetix-Aspect', 'Acunetix-Aspect-Password', 'Acunetix-Aspect-Queries'):
        if name in headers:
            del headers[name]
    # Accept: acunetix/wvs -> a normal browser Accept header
    if headers.get('Accept') == 'acunetix/wvs':
        headers['Accept'] = 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8'
    # Referer: www.acunetix-... -> the target's own origin, built from Host
    # (the function only sees the headers, not the request URL)
    if 'www.acunetix-' in headers.get('Referer', ''):
        headers['Referer'] = 'http://%s/' % headers.get('Host', '')
    # Cookie name acunetixCookie -> an innocuous name
    if 'acunetixCookie' in headers.get('Cookie', ''):
        headers['Cookie'] = headers['Cookie'].replace('acunetixCookie', 'testCookie')
    return headers
Then add one line to wyproxy_request_handle:
def wyproxy_request_handle(flow):
    """wyproxy send data to server before processing"""
    flow.request.anticache()   # disable cache
    flow.request.anticomp()    # disable gzip compress
    Characteristics(flow.request.headers)
Test results, comparing the request before and after scrubbing:
Just as I was about to replace the URL parameters, with something like
a direct replacement function. That does not work, though: the value is only replaced temporarily, and the parameters of the request that is actually sent are not replaced.
Later, while reading the official documentation, I came across this:
http://docs.mitmproxy.org/en/stable/scripting/api.html#mitmproxy.http.HTTPRequest
replace(pattern, repl, flags=0, count=0)
Replaces a regular expression pattern with repl in the headers, the request path and the body of the request. Encoded content will be decoded before replacement, and re-encoded afterwards.
So a regular expression can be used to replace the markers throughout the whole request, roughly like this:
def dispose(request):
    """Rewrite the WVS markers in the request path, headers and body.

    HTTPRequest.replace() takes a regular expression, so the dots, parentheses
    and brackets in the markers are escaped (raw strings keep the backslashes).
    """
    # md5(acunetix_wvs_security_test) is left in place on purpose: replacing it
    # breaks the PHP code-execution check (see the test notes below).
    # request.replace(r'md5\(acunetix_wvs_security_test\)', '63c19a\'.\'6da79816\'.\'b21429e5b\'.\'b262daed8')
    request.replace(r'injected_by_wvs', 'injected_by_tsn')
    request.replace(r'wvstest', 'xsstest')
    request.replace(r'acunetix-wvs-test', 'security-test')
    request.replace(r'acunetix\.wvs', '0xa.cc')
    request.replace(r'acunetix_invalid', 'file_invalid')
    request.replace(r'\[\$acunetix\]', '[$filuname]')
    return request
def wyproxy_request_handle(flow):
    """wyproxy send data to server before processing"""
    flow.request.anticache()   # disable cache
    flow.request.anticomp()    # disable gzip compress
    Characteristics(flow.request.headers)
    dispose(flow.request)
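The same scrubbing written as plain functions that can be unit-tested without running mitmproxy or wyproxy, as an added example (not wyproxy's code). It keeps the two markers the test notes below found must survive, md5(acunetix_wvs_security_test) and bxss.me, and adds a residual() check that reproduces the server-side grep for acunetix/wvs on the scrubbed request, masking only the markers kept on purpose. The replacement strings, header values and sample request are constructed for the example; scrub_flow assumes mitmproxy's Headers object supports keys(), get(), item assignment and del, as it does from mitmproxy 1.x on.

```python
import re

# Markers WVS injects into paths, query strings and bodies, with innocuous
# replacements. Patterns are regular expressions (the same form mitmproxy's
# HTTPRequest.replace() takes); the replacement strings are made up for this
# example and only need to look like ordinary parameter values.
WVS_REWRITES = [
    (r'injected_by_wvs', 'injected_by_tsn'),
    (r'wvstest', 'xsstest'),
    (r'acunetix-wvs-test', 'security-test'),
    (r'acunetix\.wvs', '0xa.cc'),
    (r'acunetix_invalid', 'file_invalid'),
    (r'\[\$acunetix\]', '[$filuname]'),
]

# Markers that must survive scrubbing: WVS recognises its PHP code-execution
# probe by the md5 hash coming back in the response, and bxss.me is the host it
# expects the target to contact for SSRF/XXE/RFI. Rewriting either blinds it.
KEEP = [r'md5\(acunetix_wvs_security_test\)', r'bxss\.me']
KEEP_RE = re.compile('|'.join(KEEP))

# What the server-side grep in the post looked for
GREP_RE = re.compile(r'acunetix|wvs', re.IGNORECASE)

BROWSER_ACCEPT = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'


def scrub_text(text):
    """Apply WVS_REWRITES to a URL, path, query string or body; returns the new string."""
    for pattern, repl in WVS_REWRITES:
        text = re.sub(pattern, repl, text)
    return text


def scrub_headers(headers, url):
    """Remove the WVS header fingerprints in place and return the mapping.

    Works on a plain dict and on mitmproxy's Headers object; both support
    keys(), get(), item assignment and del. `url` replaces the forged Referer.
    """
    for name in list(headers.keys()):
        if name.lower().startswith('acunetix-aspect'):
            del headers[name]          # Acunetix-Aspect, -Password, -Queries
    if headers.get('Accept') == 'acunetix/wvs':
        headers['Accept'] = BROWSER_ACCEPT
    if 'www.acunetix-' in headers.get('Referer', ''):
        headers['Referer'] = url
    if 'acunetixCookie' in headers.get('Cookie', ''):
        headers['Cookie'] = headers['Cookie'].replace('acunetixCookie', 'testCookie')
    return headers


def scrub_request(headers, url, body):
    """Pure version for testing: returns new (headers, url, body)."""
    url = scrub_text(url)
    return scrub_headers(dict(headers), url), url, scrub_text(body)


def residual(text):
    """WVS-looking substrings still visible in `text` once the KEEP markers are masked.

    An empty list means a grep for acunetix/wvs on the server sees nothing
    beyond the markers that were kept on purpose.
    """
    return GREP_RE.findall(KEEP_RE.sub('', text))


def scrub_flow(flow):
    """Scrub a mitmproxy flow in place (call it from wyproxy_request_handle).

    Every scrubber returns a new string, so each result is assigned back;
    calling flow.request.url.replace(...) without assignment changes nothing.
    """
    req = flow.request
    req.url = scrub_text(req.url)
    scrub_headers(req.headers, req.url)
    if req.content:
        # latin-1 round-trips arbitrary bytes, so a binary body survives unchanged
        req.content = scrub_text(req.content.decode('latin-1')).encode('latin-1')


# Constructed sample request; the Acunetix-Aspect values are placeholders
SAMPLE_HEADERS = {
    'Host': '192.168.0.10',
    'Accept': 'acunetix/wvs',
    'Acunetix-Aspect': 'placeholder',
    'Acunetix-Aspect-Password': 'placeholder',
    'Acunetix-Aspect-Queries': 'placeholder',
    'Referer': 'http://www.acunetix-referrer.test/',
    'Cookie': 'acunetixCookie=1; PHPSESSID=abc',
}
SAMPLE_URL = ('http://192.168.0.10/page.php?file=acunetix-wvs-test'
              '&id=1%27%20AND%20md5(acunetix_wvs_security_test)&x=[$acunetix]')
SAMPLE_BODY = 'name=wvstest<script>&cb=http://bxss.me/t/xss.html&inj=injected_by_wvs'

if __name__ == '__main__':
    h, u, b = scrub_request(SAMPLE_HEADERS, SAMPLE_URL, SAMPLE_BODY)
    print(u)
    print(b)
    print(h)
    print('residual:', residual(u) + residual(b) + residual(' '.join(h.values())))
```

The point of residual() is to make the trade-off explicit: after scrubbing, the only acunetix/wvs strings a defender can still grep for are the ones WVS needs to see in the response or at its callback host, so a WAF signature on those two markers is the residual detection risk that cannot be removed without losing the corresponding checks.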
Test results:
The actual request:
The request as captured in the server log:
In actual testing I found that once some of the markers were replaced, findings could no longer be detected. For example, after md5(acunetix_wvs_security_test) was replaced, PHP code execution was no longer detected. bxss.me absolutely must not be replaced: after replacing it, SSRF, XXE, remote file inclusion and remote file read were all no longer found. On the plus side, these markers make handy keywords when searching the logs.
Tags: wvs
Could you explain how you get WVS to scan through the wyproxy proxy? On the machine with WVS 11 installed I set the global proxy in Internet Options to wyproxy directly, but whether HTTP or SOCKS5, no scan packets were captured. What is going on?
Set the proxy inside WVS.