A Scanning Gem in Metasploit -- WMAP (repost)

Metasploit is an extremely powerful penetration testing framework containing a huge number of modules. That very abundance, however, makes it inconvenient to use. Hence WMAP: this tool runs many modules in a single pass and stores the results in the database, which is very convenient.

While studying it I could not find a reasonably dedicated article on WMAP via Baidu, so I decided to translate an English tutorial to make learning easier for everyone.

The body of the article follows:

What is WMAP?

WMAP is a feature-rich web application vulnerability scanner that was originally derived from SQLMap. The tool is integrated into Metasploit and can be launched from within the Metasploit Framework to scan websites.

Vulnerability scanning with WMAP

First we need to create a database to store our WMAP scan results, then load the "wmap" plugin and type "help" to see which new commands have become available.

msf > load wmap

.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] ===  et [  ] metasploit.com 2012
[*] Successfully loaded plugin: wmap

msf > help

wmap Commands
=============

    Command       Description
    -------       -----------
    wmap_modules  Manage wmap modules
    wmap_nodes    Manage nodes
    wmap_run      Test targets
    wmap_sites    Manage sites
    wmap_targets  Manage targets
    wmap_vulns    Display web vulns

...snip...

wmap commands (translated)
=================

Command             Description
----------          ----------------------------
wmap_modules        Manage wmap modules
wmap_nodes          Manage nodes
wmap_run            Test targets
wmap_sites          Manage sites
wmap_targets        Manage targets
wmap_vulns          Display the vulnerabilities found by the scan

Before scanning, we need to add a new target URL with "wmap_sites" and the "-a" parameter. Then run "wmap_sites -l" to print all the targets that have been added.

msf > wmap_sites -h
[*] Usage: wmap_targets [options]
        -h        Display this help text
        -a [url]  Add site (vhost,url)
        -l        List all available sites
        -s [id]   Display site structure (vhost,url|ids) (level)

msf > wmap_sites -a http://172.16.194.172
[*] Site created.

msf > wmap_sites -l
[*] Available sites
===============

     Id  Host            Vhost           Port  Proto  # Pages  # Forms
     --  ----            -----           ----  -----  -------  -------
     0   172.16.194.172  172.16.194.172  80    http   0        0

msf > wmap_sites -h (translated)
[*] Usage: wmap_sites [options]
    -h              Display this help text
    -a [url]        Add a site (vhost,url)
    -d [ids]        Delete sites (ids separated by spaces)
    -l              List all sites
    -s [id]         Display the URL structure (vhost,url|ids) (level)

Next, add a target with the "wmap_targets" command.

msf > wmap_targets -h
[*] Usage: wmap_targets [options]
        -h              Display this help text
        -t [urls]       Define target sites (vhost1,url[space]vhost2,url)
        -d [ids]        Define target sites (id1, id2, id3 ...)
        -c              Clean target sites list
        -l              List all target sites

msf > wmap_targets -t http://172.16.194.172/mutillidae/index.php

msf > wmap_targets -h (translated)
[*] Usage: wmap_targets [options]
    -h            Display this help text
    -t [urls]     Define one or more already-added sites as targets by URL; URLs are separated by spaces. (vhost1,url[space]vhost2,url)
    -d [ids]      Define one or more already-added sites as targets by id; ids are separated by commas. (id1, id2, id3 ...)
    -c            Clear the target list
    -l            Show all targets

After adding targets, we can list them all with '-l'.

msf > wmap_targets -l
[*] Defined targets
===============

     Id  Vhost           Host            Port  SSL    Path
     --  -----           ----            ----  ---    ----
     0   172.16.194.172  172.16.194.172  80    false    /mutillidae/index.php

The "wmap_run" command starts the scan against the target.

msf > wmap_run -h
[*] Usage: wmap_run [options]
        -h                        Display this help text
        -t                        Show all enabled modules
        -m [regex]                Launch only modules that name match provided regex.
        -p [regex]                Only test path defined by regex.
        -e [/path/to/profile]     Launch profile modules against all matched targets.
                                  (No profile file runs all enabled modules.)

msf > wmap_run -h (translated)
[*] Usage: wmap_run [options]
    -h                              Display this help text
    -t                              Show all enabled modules
    -m [regex]                      Launch only the modules whose name matches the regex.
    -p [regex]                      Only test the paths that match the regex.
    -e [/path/to/profile]           Launch the modules in the profile against all matched targets.
                                    (With no profile, all enabled modules are launched.)

We can use the "-t" parameter to list the modules that will be used in the scan.

msf > wmap_run -t

[*] Testing target:
[*]     Site: 192.168.1.100 (192.168.1.100)
[*]     Port: 80 SSL: false
[*] ============================================================
[*] Testing started. 2012-01-16 15:46:42 -0500
[*]
=[ SSL testing ]=
[*] ============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
[*] ============================================================
[*] Loaded auxiliary/admin/http/contentkeeper_fileaccess ...
[*] Loaded auxiliary/admin/http/tomcat_administration ...
[*] Loaded auxiliary/admin/http/tomcat_utf8_traversal ...
[*] Loaded auxiliary/admin/http/trendmicro_dlp_traversal ...
..snip...
msf >

The remaining step is to launch the WMAP scan against our target.

msf > wmap_run -e
[*] Using ALL wmap enabled modules.
[-] NO WMAP NODES DEFINED. Executing local modules
[*] Testing target:
[*]     Site: 172.16.194.172 (172.16.194.172)
[*]     Port: 80 SSL: false
============================================================
[*] Testing started. 2012-06-27 09:29:13 -0400
[*]
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[*] 172.16.194.172:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/scanner/http/robots_txt
..snip...
[*] Module auxiliary/scanner/http/soap_xml
[*] Path: /
[*] Server 172.16.194.172:80 returned HTTP 404 for /.  Use a different one.
[*] Module auxiliary/scanner/http/trace_axd
[*] Path: /
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*]
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*]
=[ Query testing ]=
============================================================
[*]
=[ General testing ]=
============================================================
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Launch completed in 212.01512002944946 seconds.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[*] Done.

When the scan finishes, we can query the database to see what interesting things WMAP has found for us.

msf > wmap_vulns -l
[*] + [172.16.194.172] (172.16.194.172): scraper /
[*]     scraper Scraper
[*]     GET Metasploitable2 - Linux
[*] + [172.16.194.172] (172.16.194.172): directory /dav/
[*]     directory Directory found.
[*]     GET Res code: 200
[*] + [172.16.194.172] (172.16.194.172): directory /cgi-bin/
[*]     directory Directoy found.
[*]     GET Res code: 403
...snip...
msf >

The output above tells us that WMAP found a usable vulnerability. Run the "vulns" command to see the details.

msf > vulns
[*] Time: 2012-01-16 20:58:49 UTC Vuln: host=172.16.2.207 port=80 proto=tcp name=auxiliary/scanner/http/options refs=CVE-2005-3398,CVE-2005-3498,OSVDB-877,BID-11604,BID-9506,BID-9561

msf >

After scanning with WMAP, we can use the results to gather deeper information about the reported vulnerabilities. As penetration testers, we should investigate every finding in more depth and determine whether it offers a potential avenue of attack.
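As an added triage helper (not part of the original tutorial and not Metasploit's own code): parse the "wmap_vulns -l" listing and the "vulns" record shown above into structured records, so findings can be filtered by path or response code and references grouped by source. The two sample strings are the page's own output, embedded here as constructed input.

```python
import re
# Constructed samples: the "wmap_vulns -l" listing and the "vulns" record quoted on this page.
WMAP_VULNS_OUTPUT = """\
[*] + [172.16.194.172] (172.16.194.172): scraper /
[*]     scraper Scraper
[*]     GET Metasploitable2 - Linux
[*] + [172.16.194.172] (172.16.194.172): directory /dav/
[*]     directory Directory found.
[*]     GET Res code: 200
[*] + [172.16.194.172] (172.16.194.172): directory /cgi-bin/
[*]     directory Directoy found.
[*]     GET Res code: 403
"""
VULNS_OUTPUT = ("[*] Time: 2012-01-16 20:58:49 UTC Vuln: host=172.16.2.207 port=80 "
                "proto=tcp name=auxiliary/scanner/http/options "
                "refs=CVE-2005-3398,CVE-2005-3498,OSVDB-877,BID-11604,BID-9506,BID-9561\n")
# Header of each wmap_vulns entry: "+ [vhost] (host): category path"
HEADER = re.compile(r"\+ \[(?P<vhost>[^\]]+)\] \((?P<host>[^)]+)\): (?P<cat>\S+) (?P<path>\S+)")

def parse_wmap_vulns(text):
    # One dict per entry; the indented lines that follow a header are folded into it.
    findings = []
    for line in text.splitlines():
        body = line[3:].strip() if line.startswith("[*]") else line.strip()
        m = HEADER.match(body)
        if m:
            findings.append({"host": m["host"], "category": m["cat"], "path": m["path"],
                             "description": "", "method": "", "detail": ""})
        elif findings:
            cur = findings[-1]
            word, _, rest = body.partition(" ")
            if word == cur["category"]:      # e.g. "directory Directory found."
                cur["description"] = rest
            elif word.isupper():             # e.g. "GET Res code: 200" (HTTP method first)
                cur["method"], cur["detail"] = word, rest
    return findings

def parse_vulns(text):
    # One dict per "Time: ... Vuln: k=v k=v" line; refs are bucketed by source (CVE/OSVDB/BID).
    records = []
    for line in text.splitlines():
        m = re.search(r"Time: (?P<time>.+?) Vuln: (?P<kv>.*)$", line)
        if m:
            rec = {"time": m["time"], **dict(re.findall(r"(\w+)=(\S+)", m["kv"]))}
            refs = {}
            for ref in filter(None, rec.pop("refs", "").split(",")):
                refs.setdefault(ref.partition("-")[0], []).append(ref)   # "CVE-2005-3398" -> "CVE"
            rec["refs"] = refs
            records.append(rec)
    return records
```

Feeding the real console output into these two functions (for example after `spool`ing the session to a file) gives a list you can sort by response code or by how many external references a finding carries before digging in.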

To summarize WMAP usage:

msf > wmap_sites -a url        add the URL as a site
msf > wmap_targets -t url      add the target
msf > wmap_run -e              start the scan
msf > vulns                    view vulnerability details
