I came across a nice-looking third-party application vulnerability scanner on GitHub called YASUO, so I grabbed it to try it out. The tool is a stripped-down version, but you can see the idea behind it is excellent!

## Installation

```bash
[root@localhost software]# git clone https://github.com/SecurityCompass/yasuo.git
```
Since it is written in Ruby, we need to install a few dependencies:

```bash
gem install ruby-nmap
gem install net-http-persistent
gem install mechanize
gem install colorize
gem install text-table
```
Once installed, run it and see what happens:

```bash
[root@localhost yasuo]# ./yasuo.rb
/usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:54:in `require': cannot load such file -- json/pure (LoadError)
	from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:54:in `require'
	from /usr/share/gems/gems/json-1.7.7/lib/json.rb:60:in `rescue in <module:JSON>'
	from /usr/share/gems/gems/json-1.7.7/lib/json.rb:57:in `<module:JSON>'
	from /usr/share/gems/gems/json-1.7.7/lib/json.rb:54:in `<top (required)>'
	from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:128:in `require'
	from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:128:in `rescue in require'
	from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:39:in `require'
	from /usr/local/share/gems/gems/mime-types-2.5/lib/mime/type.rb:4:in `<top (required)>'
	from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:54:in `require'
	from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:54:in `require'
	from /usr/local/share/gems/gems/mime-types-2.5/lib/mime/types.rb:3:in `<top (required)>'
	from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:54:in `require'
	from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:54:in `require'
	from /usr/local/share/gems/gems/mechanize-2.7.3/lib/mechanize.rb:4:in `<top (required)>'
	from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:128:in `require'
	from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:128:in `rescue in require'
	from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:39:in `require'
	from /home/goderci/software/yasuo/resp200.rb:2:in `<top (required)>'
	from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:54:in `require'
	from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:54:in `require'
	from ./yasuo.rb:34:in `<main>'
```
It threw an error; one more dependency (`json_pure`) is needed:

```sh
[root@localhost yasuo]# gem install json_pure
Fetching: json_pure-1.8.2.gem (100%)
Successfully installed json_pure-1.8.2
Parsing documentation for json_pure-1.8.2
Installing ri documentation for json_pure-1.8.2
1 gem installed
```
After that it runs fine:

```sh
[root@localhost yasuo]# ruby yasuo.rb -h
#########################################################################################
oooooo oooo .o. .oooooo..o ooooo ooo .oooooo.
`888. .8' .888. d8P' `Y8 `888' `8' d8P' `Y8b
`888. .8' .88888. Y88bo. 888 8 888 888
`888.8' .8' `888. `ZY8888o. 888 8 888 888
`888' .88ooo8888. `0Y88b 888 8 888 888
888 .8' `888. oo .d8P `88. .8' `88b d88'
o888o o88o o8888o 88888888P' `YbodP' `Y8bood8P'
Welcome to Yasuo v0.1
Author: Saurabh Harit (@0xsauby) | Contribution & Coolness: Stephen Hall (@_stephen_h)
#########################################################################################
Yasuo 0.1
    -s, --path-signatures            CSV file of vulnerable app signatures
    -f, --file [FILE]                Nmap output in xml format
    -r, --range [RANGE]              IP Range to Scan
    -n, --noping                     Run the full TCP scan with no ping
    -p, --port [PORT NUMBER]         Ports to Scan
    -A, --all_ports                  Scan on all 65535 ports
    -b, --brute [all/form/basic]     Bruteforce
    -h, -?, --help, --?              Get Help
    -v, --version                    Get Version
```
Let's try a scan:

```text
[root@localhost yasuo]# ./yasuo.rb -r 120.132.58.24
#########################################################################################
oooooo oooo .o. .oooooo..o ooooo ooo .oooooo.
`888. .8' .888. d8P' `Y8 `888' `8' d8P' `Y8b
`888. .8' .88888. Y88bo. 888 8 888 888
`888.8' .8' `888. `ZY8888o. 888 8 888 888
`888' .88ooo8888. `0Y88b 888 8 888 888
888 .8' `888. oo .d8P `88. .8' `88b d88'
o888o o88o o8888o 88888888P' `YbodP' `Y8bood8P'
Welcome to Yasuo v0.1
Author: Saurabh Harit (@0xsauby) | Contribution & Coolness: Stephen Hall (@_stephen_h)
#########################################################################################
Initiating port scan
----------------------
Using nmap scan output file nmap_output_20150519143403UTC.xml
<<<Testing host - 120.132.58.24>>>
Discovered open port: 120.132.58.24:80
<<<Enumerating vulnerable applications>>>
-------------------------------------------
Testing ----> http://120.132.58.24:80/jmx-console
Testing ----> http://120.132.58.24:80/manager/html
Testing ----> http://120.132.58.24:80/manager
Testing ----> http://120.132.58.24:80/testlink-1.9.3/login.php
Testing ----> http://120.132.58.24:80/testlink/login.php
Testing ----> http://120.132.58.24:80/jenkins/
Testing ----> http://120.132.58.24:80/script/
Testing ----> http://120.132.58.24:80/axis2/axis2-admin
Testing ----> http://120.132.58.24:80/cms400min/
Testing ----> http://120.132.58.24:80/imc
Testing ----> http://120.132.58.24:80/umbraco/
Testing ----> http://120.132.58.24:80/vfolder.ghp
Testing ----> http://120.132.58.24:80/ctc/servlet
Testing ----> http://120.132.58.24:80/SiteScope/
Testing ----> http://120.132.58.24:80/ws/control
Testing ----> http://120.132.58.24:80/autopass
Testing ----> http://120.132.58.24:80/php/test.php
Testing ----> http://120.132.58.24:80/d4d/statusFilter.php
Testing ----> http://120.132.58.24:80/jos.php
Testing ----> http://120.132.58.24:80/moodle/
Testing ----> http://120.132.58.24:80/Auxiliumpetratepro/
Testing ----> http://120.132.58.24:80/IDC.php
Testing ----> http://120.132.58.24:80/sflog/
Testing ----> http://120.132.58.24:80/struts2-blank/example/HelloWorld.action
Testing ----> http://120.132.58.24:80/mobilecartly/
Testing ----> http://120.132.58.24:80/mediawiki/index.php?title=Special:UserLogin&returnto=Main_Page
Testing ----> http://120.132.58.24:80/qdPM/
Testing ----> http://120.132.58.24:80/www/
Testing ----> http://120.132.58.24:80/gestioip/
Testing ----> http://120.132.58.24:80/polarbearcms
Testing ----> http://120.132.58.24:80/SiteScope/
Testing ----> http://120.132.58.24:80/invoker/JMXInvokerServlet
Testing ----> http://120.132.58.24:80/blank-struts2/login.action
Testing ----> http://120.132.58.24:80/log1cms2.0/
Testing ----> http://120.132.58.24:80/wikka/
Testing ----> http://120.132.58.24:80/cuteflow_v.2.11.2/
Testing ----> http://120.132.58.24:80/roller
Testing ----> http://120.132.58.24:80/jenkins/
Testing ----> http://120.132.58.24:80/SiteScope/
Testing ----> http://120.132.58.24:80/phptax/
Testing ----> http://120.132.58.24:80/AjaXplorer-2.5.5/plugins/access.ssh/checkInstall.php
Testing ----> http://120.132.58.24:80/phpmyadmin/
Testing ----> http://120.132.58.24:80/vtigercrm/
Testing ----> http://120.132.58.24:80/com_extplorer_2.1.0/
Testing ----> http://120.132.58.24:80/vtigercrm/
Testing ----> http://120.132.58.24:80/openx/
Testing ----> http://120.132.58.24:80/glossword/1.8/
Testing ----> http://120.132.58.24:80/glpi/
Testing ----> http://120.132.58.24:80/kordil_edms/
Testing ----> http://120.132.58.24:80/mt
Testing ----> http://120.132.58.24:80/zabbix/
Testing ----> http://120.132.58.24:80/bf102/
Testing ----> http://120.132.58.24:80/struts2-blank/example/HelloWorld.action
Testing ----> http://120.132.58.24:80/appRain-q-0.1.5
Testing ----> http://120.132.58.24:80/interface/
Testing ----> http://120.132.58.24:80/tiki/
Testing ----> http://120.132.58.24:80/forums/
Testing ----> http://120.132.58.24:80/wordpress
Testing ----> http://120.132.58.24:80/zimbraAdmin
Testing ----> http://120.132.58.24:80/nagios3/cgi-bin/history.cgi
Testing ----> http://120.132.58.24:80/php-charts_v1.0/
Testing ----> http://120.132.58.24:80/php-ofc-library/
Testing ----> http://120.132.58.24:80/librettoCMS_v.2.2.2/
Testing ----> http://120.132.58.24:80/horde/
Testing ----> http://120.132.58.24:80/wordpress
Testing ----> http://120.132.58.24:80/xoda/
Testing ----> http://120.132.58.24:80/zm/
Testing ----> http://120.132.58.24:80/seportal
Testing ----> http://120.132.58.24:80/webtester5/
Testing ----> http://120.132.58.24:80/hastymail2/
Testing ----> http://120.132.58.24:80/joomla
Testing ----> http://120.132.58.24:80/kimai/
Testing ----> http://120.132.58.24:80/chat/
Testing ----> http://120.132.58.24:80/simple_e_document_v_1_31/
Testing ----> http://120.132.58.24:80/sample
Testing ----> http://120.132.58.24:80/openemr
Testing ----> http://120.132.58.24:80/openemr
Testing ----> http://120.132.58.24:80/basilic-1.5.14/
Testing ----> http://120.132.58.24:80/narcissus-master/
Testing ----> http://120.132.58.24:80/pp088/
Testing ----> http://120.132.58.24:80/opensis/
Testing ----> http://120.132.58.24:80/vcms/
Testing ----> http://120.132.58.24:80/zabbix
Testing ----> http://120.132.58.24:80/WebCalendar-1.2.4/
Testing ----> http://120.132.58.24:80/spywall/pbcontrol.php
Testing ----> http://120.132.58.24:80/WeBid
Testing ----> http://120.132.58.24:80/dolibarr/
Testing ----> http://120.132.58.24:80/ctc/servlet
Testing ----> http://120.132.58.24:80/users/password
Testing ----> http://120.132.58.24:80/apply.cgi
Testing ----> http://120.132.58.24:80/seam-booking/home.seam
Testing ----> http://120.132.58.24:80/cgi-bin/admin.cgi
Testing ----> http://120.132.58.24:80/openbravo/
Testing ----> http://120.132.58.24:80/BEMS
Testing ----> http://120.132.58.24:80/CimWeb
Testing ----> http://120.132.58.24:80/PI/services/UCP/
Testing ----> http://120.132.58.24:80/_all_dbs
Testing ----> http://120.132.58.24:80/sap/bc/soap/rfc
Testing ----> http://120.132.58.24:80/admin/index.jsp
Testing ----> http://120.132.58.24:80/.svn/
Yasuo found - http://120.132.58.24:80/.svn/. No authentication required
--------------------------------------------------------
<<<Yasuo discovered following vulnerable applications>>>
--------------------------------------------------------
+-------------------------------+----------------------------------------------+----------+----------+
| URL to Application            | Potential Exploit                            | Username | Password |
+-------------------------------+----------------------------------------------+----------+----------+
| http://120.132.58.24:80/.svn/ | ./auxiliary/scanner/http/svn_wcdb_scanner.rb | None     | None     |
+-------------------------------+----------------------------------------------+----------+----------+
[root@localhost yasuo]#
```
It seems the author has not released the exploits, though, so this must be a stripped-down version. Oh well, we can only wait for the author to publish them.

## Summary

Overall the approach is sound, and it would be fairly complete if the exploits were released. The input is really just an IP: the tool first runs a port scan, then scans the web ports for known applications, then checks each application for vulnerabilities, and can even attempt brute-forcing. A nice design. A bit of a pity about the missing exploits; I will keep an eye on this tool.
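To make the first two stages of that pipeline concrete, here is an added Ruby example (mine, not Yasuo's code) that reads nmap XML of the kind the `-f` option consumes, keeps only the open web ports, and builds the candidate URLs that appear in the report as `Testing ----> ...`. The nmap XML, the three-entry signature list and the response-code mapping are constructed stand-ins; Yasuo's real signatures live in its CSV file.

```ruby
require 'rexml/document'

# Constructed nmap XML standing in for a real nmap_output_*.xml.
SAMPLE_NMAP_XML = <<~XML
  <nmaprun>
    <host>
      <address addr="198.51.100.24" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
        <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
        <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
        <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
      </ports>
    </host>
  </nmaprun>
XML

# Hypothetical signature table; only paths that appear in the scan output above.
SIGNATURES = ['/jmx-console', '/manager/html', '/.svn/'].freeze
WEB_SERVICES = %w[http https http-proxy http-alt].freeze

# Returns [[ip, port, service_name], ...] for every port nmap marked "open".
def open_ports(xml)
  doc = REXML::Document.new(xml)
  found = []
  doc.elements.each('nmaprun/host') do |host|
    ip = host.elements['address[@addrtype="ipv4"]'].attributes['addr']
    host.elements.each('ports/port') do |port|
      next unless port.elements['state'].attributes['state'] == 'open'
      svc = port.elements['service']
      found << [ip, port.attributes['portid'].to_i, svc && svc.attributes['name']]
    end
  end
  found
end

# Expands each open web port into one URL per signature, using https only
# when nmap identified the service as https.
def candidate_urls(xml, signatures = SIGNATURES)
  web = open_ports(xml).select { |_, _, svc| WEB_SERVICES.include?(svc) }
  web.flat_map do |ip, port, svc|
    scheme = svc == 'https' ? 'https' : 'http'
    signatures.map { |path| "#{scheme}://#{ip}:#{port}#{path}" }
  end
end

# Assumed mapping from response status to the wording the report prints:
# a 200 is reported as reachable with no authentication; anything else is not listed.
def classify(status)
  status == 200 ? 'No authentication required' : nil
end
```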
Original source: http://www.codefrom.com/paper/%E4%B8%80%E4%B8%AA%E6%80%9D%E8%B7%AF%E5%...