Wapiti - A tool for finding flaws in web applications

Wapiti is an open-source application that you can use to audit the security of your web applications.



It performs "black-box" scans, meaning that it does not study the application's source code but scans the pages of the deployed web application, looking for scripts and forms where it can inject data.
Wapiti acts like a fuzzer, injecting payloads to see which pages are vulnerable.
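
The discovery step described above, as an added illustration (not Wapiti's own code): it lists the in-scope URLs and form fields on a page that accept input, which is the inventory a black-box scan then exercises. The sample HTML, the class and function names, and the same-host scope rule are assumptions made for this example; only the Python standard library is used.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qsl

# Constructed sample page standing in for one response from a deployed application.
SAMPLE_HTML = """
<a href="/item.php?id=3&amp;lang=en">Item</a>
<a href="http://other.example/out?x=1">External</a>
<form action="search.php" method="post" enctype="multipart/form-data">
  <input type="text" name="q"><input type="file" name="attachment">
  <textarea name="note"></textarea><input type="submit" value="Go">
</form>
"""

class InputPointParser(HTMLParser):
    """Collects (method, url, [parameter names]) for in-scope links and forms."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.host = urlsplit(base_url).netloc  # assumed scope rule: same host only
        self.points, self._form = [], None

    def _in_scope(self, url):
        return urlsplit(url).netloc == self.host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            url = urljoin(self.base_url, a["href"])
            params = [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
            if params and self._in_scope(url):
                # Record the URL without its query string, plus the parameter names.
                self.points.append(("GET", url.split("?")[0], params))
        elif tag == "form":
            url = urljoin(self.base_url, a.get("action") or self.base_url)
            self._form = ((a.get("method") or "get").upper(), url, [])
        elif tag in ("input", "textarea", "select") and self._form and a.get("name"):
            self._form[2].append(a["name"])  # unnamed controls are not submitted

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            if self._in_scope(self._form[1]):
                self.points.append(self._form)
            self._form = None

def find_input_points(html, base_url):
    parser = InputPointParser(base_url)
    parser.feed(html)
    return parser.points

if __name__ == "__main__":
    for method, url, params in find_input_points(SAMPLE_HTML, "http://server.com/base/url/"):
        print(method, url, params)
```

Run against pages of your own application, the output is a quick check of which parameters and upload fields a scan of that scope will reach.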

Wapiti can detect the following vulnerabilities:
File disclosure (Local and remote include/require, fopen, readfile...)
Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
XSS (Cross Site Scripting) injection (reflected and permanent)
Command Execution detection (eval(), system(), passthru()...)
CRLF Injection (HTTP Response Splitting, session fixation...)
XXE (XML eXternal Entity) injection
Use of known potentially dangerous files (thanks to the Nikto database)
Weak .htaccess configurations that can be bypassed
Presence of backup files giving sensitive information (source code disclosure)

Wapiti supports both the GET and POST HTTP methods for attacks. It also supports multipart requests and can inject payloads into filenames (uploads).



Features:

Generates vulnerability reports in various formats (HTML, XML, JSON, TXT...)
Can suspend and resume a scan or an attack
Can use colors in the terminal to highlight vulnerabilities
Different levels of verbosity
Fast and easy way to activate / deactivate attack modules
Adding a payload can be as easy as adding a line to a text file
Support for HTTP and HTTPS proxies
Authentication via several methods: Basic, Digest, Kerberos or NTLM
Ability to restrict the scope of the scan (domain, folder, webpage)
Automatic removal of a parameter in URLs
Safeguards against endless scan loops (maximum number of values for a parameter)
Ability to set the first URLs to explore (even if they are not in scope)
Can exclude some URLs from the scan and the attacks (e.g. the logout URL)
Import of cookies (obtain them with the wapiti-cookie and wapiti-getcookie tools)
Can activate / deactivate SSL certificate verification
Extracts URLs from Flash SWF files
Tries to extract URLs from JavaScript (very basic JS interpreter)
HTML5 aware (understands recent HTML tags)

Usage:

python wapiti.py http://server.com/base/url/ [options]
