Sitadel 一款功能强大的Web应用漏洞扫描器

Sitadel 一款功能强大的Web应用漏洞扫描器

Sitadel实际上是WAScan的升级版,不过是Python版本(>= 3.4)的,这样有助于研究人员根据自己的需要去进行自定义开发,并引入新的功能模块。

目前,Sitadel可实现扩展的功能如下:

前端框架检测
内容分发网络检测
定义扫描风险等级
插件系统
可使用Docker镜像进行构建和运行

Sitadel

工具安装

$ git clone https://github.com/shenril/Sitadel.git
$ cd Sitadel
$ pip install .
$ python sitadel.py –help

功能介绍

1. 指纹识别

服务器
Web框架(CakePHP、CheeryPy……)
前端框架(AngularJS、MeteorJS、VueJS……)
Web应用程序防火墙(Waf)
内容管理系统(CMS)
操作系统(Linux、Unix……)
编程语言(PHP、Ruby……)
Cookie安全
内容分发网络(CDN)

2. 攻击

(1)暴力破解

管理接口
常用后门
常用备份目录
常用备份文件
常用目录
常用文件
日志文件

(2)注入攻击

HTML注入
SQL注入
LDAP注入
XPath注入
跨站脚本(XSS)
远程文件披露(RFI)
PHP代码注入

(3)其他攻击

HTTPAllow方法
HTML对象
多重引用
Robots路径
WebDav
跨站追踪(XST)
PHPINFO
Listing

(4)漏洞利用

ShellShock
匿名密码(CVE-2007-1858)
SPDY(CVE-2012-4929)
Struts-Shock

参考命令

基本运行方式:

python sitadel http://website.com

以“高危”风险等级运行扫描,不支持重定向:

python sitadel http://website.com -r 2 --no-redirect

运行指定模块(查看运行日志):

python sitadel http://website.com -a admin backdoor -f header server –vvv

Docker运行:

docker build -t sitadel .
docker run sitadel http://example.com

Sitadel github下载地址:Sitadel

#!/usr/bin/env python
# -*- coding:utf-8 -*-
#
# @name:    Sitadel - Web Application Security Scanner
# @repo:    https://github.com/shenril/Sitadel
# @author:  Shenril
# @license: See the file 'LICENSE.txt'

import argparse
import logging
import sys

from lib import __version__
from lib.config import settings
from lib.config.settings import Risk
from lib.request.request import Request
from lib.utils import banner, manager, output, validator
from lib.utils.container import Services
from lib.utils.datastore import Datastore
from lib.utils.output import Output


class Sitadel(object):
    bn = banner.Banner()
    ma = manager
    url = None

    def main(self):
        parser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter,
                                         usage=self.bn.banner())
        # Prepare the possible values for risk levels
        risk_values = [r.value for r in Risk]
        # Add arguments
        parser.add_argument("url", help="URL of the website to scan")
        parser.add_argument("-r", "--risk", type=int, help="Level of risk allowed for the scan",
                            choices=risk_values)
        parser.add_argument("-ua", "--user-agent", default="Sitadel " + __version__,
                            help="User-agent to set for the scan requests")
        parser.add_argument("--redirect", dest='redirect',
                            help="Whether or not the scan should follow redirection",
                            action="store_true")
        parser.add_argument("--no-redirect", dest='redirect',
                            help="Whether or not the scan should follow redirection",
                            action="store_false")
        parser.set_defaults(redirect=True)
        parser.add_argument("-t", "--timeout", type=int, help="Timeout to set for the scan HTTP requests")
        parser.add_argument("-c", "--cookie", help="Cookie to set for the scan HTTP requests")
        parser.add_argument("-p", "--proxy", help="Proxy to set for the scan HTTP requests")
        parser.add_argument("-f", "--fingerprint", nargs='+', help="Fingerprint modules to activate")
        parser.add_argument("-a", "--attack", nargs='+', help="Attack modules to activate")
        parser.add_argument("--config", help="Path to the config file", default="config/config.yml")
        parser.add_argument("-v", "--verbosity", action="count", default=0, help="Increase output verbosity")
        parser.add_argument('--version', action='version', version=self.bn.version())
        args = parser.parse_args()

        # Verify the target URL
        self.url = validator.validate_target(args.url)

        # Reading configuration
        settings.from_yaml(args.config)
        if args.risk is not None:
            settings.risk = Risk(args.risk)

        # Register services
        Services.register("datastore", Datastore(settings.datastore))
        Services.register("logger", logging.getLogger("sitadelLog"))
        Services.register("output", Output())
        Services.register("request_factory",
                          Request(url=self.url, agent=args.user_agent, proxy=args.proxy, redirect=args.redirect,
                                  timeout=args.timeout))

        # Display target and scan starting time
        self.bn.preamble(self.url)

        # Run the fingerprint modules
        self.ma.fingerprints(args.fingerprint,
                             args.user_agent,
                             args.proxy,
                             args.redirect,
                             args.timeout,
                             self.url,
                             args.cookie)

        # Run the crawler to discover urls
        discovered_urls = self.ma.crawler(self.url, args.user_agent)

        # Run the attack modules on discovered urls
        self.ma.attacks(args.attack, self.url, discovered_urls)


if __name__ == "__main__":
    try:
        Sitadel().main()
    except KeyboardInterrupt:
        sys.exit(output.Output().error('Interruption by the user, Quitting...'))

数学函数在线绘图

from