Erasing some WVS fingerprints

Published: August 18, 2017 // Category: // 2 Comments

Recently I have been debugging the scanner program that integrates WVS and ran into some problems. For one, I found that WVS always carries a few fingerprints, such as:

1. Headers

Acunetix-Aspect
Acunetix-Aspect-Password
Acunetix-Aspect-Queries
Accept:acunetix/wvs
Referer:www.acunetix-
Cookie: acunetixCookie

2. Signatures contained in the URL

md5(acunetix_wvs_security_test)
injected_by_wvs
wvstest
acunetix-wvs-test
acunetix.wvs
acunetix_invalid
$acunetix
bxss.me

I scanned a local practice target and then looked at the logs:

root@bee-box:/var/log/apache2# cat access.log |grep acunetix | wc -l
5549
root@bee-box:/var/log/apache2# cat access.log |grep acunetix_wvs_security_test | wc -l
5075
root@bee-box:/var/log/apache2# cat access.log |grep -v acunetix_wvs_security_test |grep wvs | wc -l
3879
root@bee-box:/var/log/apache2# cat access.log |grep -v acunetix_wvs_security_test |grep -v wvstest | grep wvs |wc -l
13
root@bee-box:/var/log/apache2# cat access.log |grep -v acunetix_wvs_security_test |grep -v wvstest | grep wvs |tail
192.168.0.100 - - [17/Aug/2017:19:29:55 +0200] "GET /acunetix-wvs-test-for-some-inexistent-file HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
192.168.0.100 - - [17/Aug/2017:19:29:57 +0200] "GET http://www.acunetix.wvs HTTP/1.1" 200 588 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
192.168.0.100 - - [17/Aug/2017:19:29:57 +0200] "CONNECT www.acunetix.wvs:443 HTTP/1.1" 405 408 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
192.168.0.101 - - [17/Aug/2017:19:32:06 +0200] "GET /acunetix-wvs-test-for-some-inexistent-file HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
192.168.0.101 - - [17/Aug/2017:20:24:37 +0200] "GET /acunetix-wvs-test-for-some-inexistent-file HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
192.168.0.101 - - [17/Aug/2017:20:25:36 +0200] "GET /acunetix-wvs-test-for-some-inexistent-file HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
192.168.0.101 - - [17/Aug/2017:20:35:08 +0200] "GET /acunetix-wvs-test-for-some-inexistent-file HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
192.168.0.100 - - [18/Aug/2017:03:58:49 +0200] "GET /acunetix-wvs-test-for-some-inexistent-file HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
192.168.0.100 - - [18/Aug/2017:03:58:54 +0200] "CONNECT www.acunetix.wvs:443 HTTP/1.1" 405 408 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
192.168.0.100 - - [18/Aug/2017:03:58:54 +0200] "GET http://www.acunetix.wvs HTTP/1.1" 200 588 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
root@bee-box:/var/log/apache2#

So it is easy to tell that this traffic belongs to a WVS scan, and just as easy for a WAF to block it outright. So I needed some third-party tool to strip these fingerprints. I had seen Burp used to strip them before, but spinning up Burp in the cloud seems like a lost cause, so I thought of the mighty wyproxy.

First, strip the fingerprints from the HTTP headers. I added an erase function to handler.py:

def Characteristics(headers, url=None):
    """Strip the WVS fingerprints from a request's headers (modified in place).
    url is the request URL used as the replacement Referer; if the caller
    does not pass one, a scanner Referer is simply dropped."""
    # Scanner-specific headers: remove them outright.
    for name in ('Acunetix-Aspect', 'Acunetix-Aspect-Password', 'Acunetix-Aspect-Queries'):
        if name in headers:
            del headers[name]
    # Accept carries a scanner-specific media type: use a browser-like value.
    if headers.get('Accept') == 'acunetix/wvs':
        headers['Accept'] = 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8'
    # Referer points at the scanner's own host: point it at the requested URL instead.
    if 'www.acunetix-' in headers.get('Referer', ''):
        if url:
            headers['Referer'] = url
        else:
            del headers['Referer']
    if 'acunetixCookie' in headers.get('Cookie', ''):
        headers['Cookie'] = headers['Cookie'].replace('acunetixCookie', 'testCookie')
    return headers

Then add one line to wyproxy_request_handle:

def wyproxy_request_handle(flow):
    """wyproxy send data to server before processing"""

    flow.request.anticache()  # disable cache
    flow.request.anticomp()   # disable gzip compress
    Characteristics(flow.request.headers)

The test results are shown below: a before/after comparison of the erasure.

Then, when I was about to replace the URL parameters, I tried something along the lines of a direct string-replacement function. That does not work, though: the value is only replaced temporarily, and the parameters of the actual outgoing request are not replaced.

Later, while reading the official documentation, I found this:
http://docs.mitmproxy.org/en/stable/scripting/api.html#mitmproxy.http.HTTPRequest

replace(pattern, repl, flags=0, count=0)

Replaces a regular expression pattern with repl in the headers, the request path and the body of the request. Encoded content will be decoded before replacement, and re-encoded afterwards.

It can apply a regex replacement across the whole request directly, something like:

def dispose(request):
    """Rewrite the WVS markers in the path, query, headers and body using
    mitmproxy's HTTPRequest.replace(pattern, repl). The patterns are regular
    expressions, so they are written as raw strings."""
    # md5(acunetix_wvs_security_test) is deliberately left alone: replacing it
    # breaks the PHP code-execution checks (see the test notes below).
    # request.replace(r'md5\(acunetix_wvs_security_test\)', "63c19a'.'6da79816'.'b21429e5b'.'b262daed8")
    request.replace(r'injected_by_wvs', 'injected_by_tsn')
    request.replace(r'wvstest', 'xsstest')
    request.replace(r'acunetix-wvs-test', 'security-test')
    request.replace(r'acunetix\.wvs', '0xa.cc')
    request.replace(r'acunetix_invalid', 'file_invalid')
    request.replace(r'\[\$acunetix\]', '[$filuname]')
    return request
def wyproxy_request_handle(flow):
    """wyproxy send data to server before processing"""

    flow.request.anticache()  # disable cache
    flow.request.anticomp()   # disable gzip compress
    Characteristics(flow.request.headers)
    dispose(flow.request)

Test results:
The actual request

The request as captured in the server log

In actual testing I found that some of the replacements made findings undetectable. For example, once md5(acunetix_wvs_security_test) is replaced, PHP code execution can no longer be detected. And bxss.me must definitely not be replaced: after replacing it, SSRF, XXE, remote file inclusion and remote file reads could no longer be found. On the other hand, these markers make good keywords for searching the logs.
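Since these markers are useful as log-search keywords, here is an added example (my own code, not part of the original post or of wyproxy) that checks a request's target URL and headers for the fingerprints listed above and tallies them per source IP over Apache combined-format access-log lines like the excerpt above. The names LOG_RE, match_request, scan_access_log and SAMPLE_LOG are mine, and the sample lines are constructed from that excerpt plus one benign request.

```python
import re
from collections import Counter, defaultdict

# Scanner fingerprints listed in the post: header names, header values and
# URL substrings. All matching is done case-insensitively.
WVS_HEADER_NAMES = ("acunetix-aspect", "acunetix-aspect-password", "acunetix-aspect-queries")
WVS_HEADER_VALUES = {"accept": "acunetix/wvs", "referer": "www.acunetix-", "cookie": "acunetixcookie"}
WVS_URL_MARKERS = ("acunetix_wvs_security_test", "injected_by_wvs", "wvstest",
                   "acunetix-wvs-test", "acunetix.wvs", "acunetix_invalid",
                   "$acunetix", "bxss.me")

# Apache "combined" log format, the layout of the access.log excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

def match_request(target, headers):
    """Return the fingerprints present in one request's target URL and headers."""
    low_target = target.lower()
    hdrs = {k.lower(): v for k, v in headers.items()}
    hits = [m for m in WVS_URL_MARKERS if m in low_target]
    hits += [name for name in WVS_HEADER_NAMES if name in hdrs]
    hits += [f"{k}:{v}" for k, v in WVS_HEADER_VALUES.items() if v in hdrs.get(k, "").lower()]
    return hits

def scan_access_log(lines):
    """Count, per source IP, the fingerprints seen in the request line or Referer.
    The access log only carries Referer and User-Agent, so the other header checks apply to live traffic."""
    report = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the run
        for hit in match_request(m["target"], {"Referer": m["referer"]}):
            report[m["ip"]][hit] += 1
    return {ip: dict(counts) for ip, counts in report.items()}

# Constructed sample: two lines modelled on the post's excerpt plus one benign request.
SAMPLE_LOG = [
    '192.168.0.100 - - [17/Aug/2017:19:29:55 +0200] "GET /acunetix-wvs-test-for-some-inexistent-file HTTP/1.1" 404 409 "-" "Mozilla/5.0"',
    '192.168.0.100 - - [17/Aug/2017:19:29:57 +0200] "CONNECT www.acunetix.wvs:443 HTTP/1.1" 405 408 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [17/Aug/2017:19:30:01 +0200] "GET /index.php?page=home HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, counts in scan_access_log(SAMPLE_LOG).items():
        print(ip, counts)
```

Run against a real access.log with `scan_access_log(open(path))`; only the URL-side markers and the Referer are visible there, so the Accept, Cookie and Acunetix-Aspect checks need a proxy or WAF that sees the full request.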

Tags: wvs

There are 2 comments on "Erasing some WVS fingerprints".

  1. M M

    May I ask how you got WVS to scan through the wyproxy proxy? On the machine with WVS 11 installed, I set the global proxy in the Internet settings directly to wyproxy, both HTTP and SOCKS5, but no scan traffic was captured. What could be going on?
