A helper tool for the Acunetix scanner – Author: 三米前有蕉皮

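Main features

  • 1. Switch between scanner hosts at any time, without swapping API keys back and forth.
  • 2. Selectable scan speed.
  • 3. Drag-and-drop batch scanning; the F8 hotkey takes a target from the clipboard and runs a single scan.
  • 4. A proxy server can be configured.
  • 5. Set a login account and password.
  • 6. Add descriptions in bulk.
  • 7. Report generation and download.
  • 8. Low-value findings can be ignored.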

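Notes

  • The program is written in Easy Language (易语言) and calls curl. Think of that what you will; I know other languages too, I just find Easy Language convenient and quick for getting the features I want. If you don't like it, don't use it, or write your own in another language.
  • The cloud drive holds five files in total, plus a screen-recording tutorial. The link is at the end of the post.
    ca-bundle.crt //curl's certificates
    config.ini  //configuration file
    curl.exe  //curl executable
    New.exe  //main program
    忽略的漏洞.txt  //holds the titles of the vulnerabilities to ignore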

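0. Preparation

  • While using Acunetix 11 I found that adding targets one at a time, then clicking to scan each target, then choosing the scan type, was tedious just to think about, especially with a pile of subdomains. So I decided to build a tool of my own to make things easier. I started looking for tutorials online, and I am very grateful to 【屌丝归档笔记】; most of my ideas came from his blog.

  • How do you call the API? In the Acunetix web console, click Profile in the upper-right corner and scroll to the bottom. At first there is no API key, so generate one and copy it out; it will be needed shortly.

1. First, add a scan target: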

curl -k --request POST --url https://localhost:3443/api/v1/targets --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" --header "content-type: application/json" --data "{\"address\":\"http://127.0.0.1\",\"description\":\"\u4e09\u7c73\u524d\u6709\u8549\u76ae\",\"criticality\":\"10\"}"
  • Explanation:
 https://localhost:3443/   is the host
 1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0   is the API key
 http://127.0.0.1   is the target to add for scanning
 \u4e09\u7c73\u524d\u6709\u8549\u76ae   is the description; decoded, it is 三米前有蕉皮 (configurable)
 10   is the target's criticality (Critical [30], High [20], Normal [10], Low [0])
  • Run the command above and it returns the following:

    {
    "criticality": 10,
    "description": "\u4e09\u7c73\u524d\u6709\u8549\u76ae",
    "address": "http://127.0.0.1",
    "target_id": "89054811-234b-49c1-84dd-b84b0b4631db"
    }
  • A returned target_id means the target was added successfully.

2. Now start a scan of the target just added

curl -k --request POST --url https://localhost:3443/api/v1/scans --header "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" --header "content-type: application/json" --data "{\"target_id\":\"89054811-234b-49c1-84dd-b84b0b4631db\",\"profile_id\":\"11111111-1111-1111-1111-111111111111\",\"schedule\":{\"disable\":false,\"start_date\":null,\"time_sensitive\":false}}"
  • Explanation:

89054811-234b-49c1-84dd-b84b0b4631db is the target_id generated just above.
11111111-1111-1111-1111-111111111111 is the profile ID. As I understand it, this is the 【Full Scan】 scan type.

  • Run the following command to list all profiles.
curl -k --request GET --url https://localhost:3443/api/v1/scanning_profiles --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0"
  • Look at the value after name. The picture below makes it clear.

[Screenshot: TIM截图20180101132400.png]

{
 "scanning_profiles": [
  {
   "custom": false,
   "checks": [],
   "name": "Full Scan",//full scan
   "sort_order": 1,
   "profile_id": "11111111-1111-1111-1111-111111111111"
  },
  {
   "custom": false,
   "checks": [],
   "name": "High Risk Vulnerabilities",//scans for high-risk vulnerabilities
   "sort_order": 2,
   "profile_id": "11111111-1111-1111-1111-111111111112"
  },
  {
   "custom": false,
   "checks": [],
   "name": "Cross-site Scripting Vulnerabilities",//scans for cross-site scripting vulnerabilities
   "sort_order": 3,
   "profile_id": "11111111-1111-1111-1111-111111111116"
  },
  {
   "custom": false,
   "checks": [],
   "name": "SQL Injection Vulnerabilities",//scans for SQL injection vulnerabilities
   "sort_order": 4,
   "profile_id": "11111111-1111-1111-1111-111111111113"
  },
  {
   "custom": false,
   "checks": [],
   "name": "Weak Passwords",//scans for weak passwords
   "sort_order": 5,
   "profile_id": "11111111-1111-1111-1111-111111111115"
  },
  {
   "custom": false,
   "checks": [],
   "name": "Crawl Only",//only crawls the site's directory structure
   "sort_order": 6,
   "profile_id": "11111111-1111-1111-1111-111111111117"
  }
 ]
}
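  • When I built the tool I did not add scan type selection; scans are generally full scans, so the feature is not there. It can be added if people suggest it.

  • After the add-scan command runs, it should return the following data: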

{
 "schedule": {
  "time_sensitive": false,
  "start_date": null,
  "disable": false
 },
 "ui_session_id": null,
 "profile_id": "11111111-1111-1111-1111-111111111111",
 "target_id": "89054811-234b-49c1-84dd-b84b0b4631db"
}

3. Check the scan status

curl -k https://localhost:3443/api/v1/scans --header "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0"
  • With many scan targets, a lot of data comes back. Only one target is shown here.
    {
     "criticality": 10,
     "next_run": null,
     "scan_id": "7cd1c5b2-aca3-45e1-bfd3-07baf9d8a79d",
     "current_session": {
      "event_level": 0,
      "severity_counts": {
       "high": 0,
       "info": 0,
       "low": 1,
       "medium": 1
      },
      "scan_session_id": "02fcf3e2-f029-4440-a9f8-04f4929cef5a",
      "progress": 0,
      "start_date": "2017-11-11T20:37:53.126579+08:00",
      "status": "queued",
      "threat": 2
     },
     "report_template_id": null,
     "target_id": "89054811-234b-49c1-84dd-b84b0b4631db",
     "target": {
      "criticality": 10,
      "description": "\u4e09\u7c73\u524d\u6709\u8549\u76ae",
      "address": "http://127.0.0.1"
     },
     "profile_name": "Full Scan",
     "schedule": {
      "start_date": null,
      "history_limit": null,
      "time_sensitive": false,
      "recurrence": null,
      "disable": false
     },
     "profile_id": "11111111-1111-1111-1111-111111111111"
    },
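
Steps 1 to 3 run as a batch, written here as an added Python example rather than code from the tool itself: the JSON bodies are built with json.dumps instead of hand-escaped quotes, and the scanner's certificate is verified instead of skipped with curl -k. The ACUNETIX_API_KEY variable name and the function names are assumptions of this example.

```python
import json
import os
import ssl
import urllib.request

FULL_SCAN = "11111111-1111-1111-1111-111111111111"  # profile_id listed above


def api_call(method, path, body=None, base="https://localhost:3443", cafile=None):
    """Send one API request with the certificate verified (no `curl -k`).

    cafile: CA certificate for the scanner if it is not in the system store.
    The key is read from ACUNETIX_API_KEY (variable name assumed here).
    """
    headers = {"X-Auth": os.environ["ACUNETIX_API_KEY"],
               "Content-Type": "application/json"}
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base + "/api/v1" + path, data=data,
                                 headers=headers, method=method)
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def add_and_scan(addresses, description, call=api_call, profile_id=FULL_SCAN):
    """Steps 1 and 2 for a batch: add each target, then queue its scan."""
    started = {}
    for address in addresses:
        target = call("POST", "/targets", {"address": address,
                                           "description": description,
                                           "criticality": "10"})
        call("POST", "/scans", {"target_id": target["target_id"],
                                "profile_id": profile_id,
                                "schedule": {"disable": False, "start_date": None,
                                             "time_sensitive": False}})
        started[address] = target["target_id"]
    return started


def scan_status(scans):
    """Step 3: map target address -> (scan_id, status, severity_counts)."""
    return {s["target"]["address"]: (s["scan_id"], s["current_session"]["status"],
                                     s["current_session"]["severity_counts"])
            for s in scans}
```

scan_status takes the list of scan objects in the shape shown above. Passing a stub as call lets the batch logic be exercised without a scanner.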

4. Delete a scan target

  • Following 屌丝归档笔记's method simply would not work; in the end, capturing the traffic showed that the request is not a GET but a DELETE.
curl -k --request DELETE --url https://localhost:3443/api/v1/targets/8000e46d-e361-4760-8b8a-b29fa8579604 --header "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" --header "content-type: application/json"
  • Explanation:

    8000e46d-e361-4760-8b8a-b29fa8579604 is the target_id, which can be taken from the scan status output.

5. Reports

  • Get the report types, roughly the options in the picture below; again, look at the value of name

  • [Screenshot: TIM截图20180101132747.png]

curl -k --url https://localhost:3443/api/v1/report_templates --header "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" --header "content-type: application/json"
  • These correspond one-to-one with name
{
  "templates": [
    {
      "accepted_sources": [
        "all_vulnerabilities",
        "targets",
        "groups",
        "scans",
        "scan_result",
        "vulnerabilities",
        "scan_vulnerabilities",
        "scan_pair",
        "scan_result_pair"
      ],
      "group": "Standard Reports",
      "template_id": "11111111-1111-1111-1111-111111111111",
      "name": "Developer"
    },
    {
      "accepted_sources": [
        "all_vulnerabilities",
        "targets",
        "groups",
        "scans",
        "scan_result",
        "vulnerabilities",
        "scan_vulnerabilities",
        "scan_pair",
        "scan_result_pair"
      ],
      "group": "Standard Reports",
      "template_id": "11111111-1111-1111-1111-111111111112",
      "name": "Quick"
    },
    {
      "accepted_sources": [
        "all_vulnerabilities",
        "targets",
        "groups",
        "scans",
        "scan_result",
        "vulnerabilities",
        "scan_vulnerabilities",
        "scan_pair",
        "scan_result_pair"
      ],
      "group": "Standard Reports",
      "template_id": "11111111-1111-1111-1111-111111111113",
      "name": "Executive Summary"
    },
    {
      "accepted_sources": [
        "all_vulnerabilities",
        "targets",
        "groups",
        "scans",
        "scan_result",
        "vulnerabilities",
        "scan_vulnerabilities",
        "scan_pair",
        "scan_result_pair"
      ],
      "group": "Compliance Reports",
      "template_id": "11111111-1111-1111-1111-111111111114",
      "name": "HIPAA"
    },
    {
      "accepted_sources": [
        "all_vulnerabilities",
        "targets",
        "groups",
        "scans",
        "scan_result",
        "vulnerabilities",
        "scan_vulnerabilities",
        "scan_pair",
        "scan_result_pair"
      ],
      "group": "Standard Reports",
      "template_id": "11111111-1111-1111-1111-111111111115",
      "name": "Affected Items"
    },
    {
      "accepted_sources": [
        "all_vulnerabilities",
        "targets",
        "groups",
        "scans",
        "scan_result",
        "vulnerabilities",
        "scan_vulnerabilities",
        "scan_pair",
        "scan_result_pair"
      ],
      "group": "Standard Reports",
      "template_id": "11111111-1111-1111-1111-111111111124",
      "name": "Scan Comparison"
    },
    {
      "accepted_sources": [
        "all_vulnerabilities",
        "targets",
        "groups",
        "scans",
        "scan_result",
        "vulnerabilities",
        "scan_vulnerabilities",
        "scan_pair",
        "scan_result_pair"
      ],
      "group": "Compliance Reports",
      "template_id": "11111111-1111-1111-1111-111111111116",
      "name": "CWE 2011"
    },
    {
      "accepted_sources": [
        "all_vulnerabilities",
        "targets",
        "groups",
        "scans",
        "scan_result",
        "vulnerabilities",
        "scan_vulnerabilities",
        "scan_pair",
        "scan_result_pair"
      ],
      "group": "Compliance Reports",
      "template_id": "11111111-1111-1111-1111-111111111117",
      "name": "ISO 27001"
    },
    {
      "accepted_sources": [
        "all_vulnerabilities",
        "targets",
        "groups",
        "scans",
        "scan_result",
        "vulnerabilities",
        "scan_vulnerabilities",
        "scan_pair",
        "scan_result_pair"
      ],
      "group": "Compliance Reports",
      "template_id": "11111111-1111-1111-1111-111111111118",
      "name": "NIST SP800 53"
    },
    {
      "accepted_sources": [
        "all_vulnerabilities",
        "targets",
        "groups",
        "scans",
        "scan_result",
        "vulnerabilities",
        "scan_vulnerabilities",
        "scan_pair",
        "scan_result_pair"
      ],
      "group": "Compliance Reports",
      "template_id": "11111111-1111-1111-1111-111111111119",
      "name": "OWASP Top 10 2013"
    },
    {
      "accepted_sources": [
        "all_vulnerabilities",
        "targets",
        "groups",
        "scans",
        "scan_result",
        "vulnerabilities",
        "scan_vulnerabilities",
        "scan_pair",
        "scan_result_pair"
      ],
      "group": "Compliance Reports",
      "template_id": "11111111-1111-1111-1111-111111111120",
      "name": "PCI DSS 3.2"
    },
    {
      "accepted_sources": [
        "all_vulnerabilities",
        "targets",
        "groups",
        "scans",
        "scan_result",
        "vulnerabilities",
        "scan_vulnerabilities",
        "scan_pair",
        "scan_result_pair"
      ],
      "group": "Compliance Reports",
      "template_id": "11111111-1111-1111-1111-111111111121",
      "name": "Sarbanes Oxley"
    },
    {
      "accepted_sources": [
        "all_vulnerabilities",
        "targets",
        "groups",
        "scans",
        "scan_result",
        "vulnerabilities",
        "scan_vulnerabilities",
        "scan_pair",
        "scan_result_pair"
      ],
      "group": "Compliance Reports",
      "template_id": "11111111-1111-1111-1111-111111111122",
      "name": "STIG DISA"
    },
    {
      "accepted_sources": [
        "all_vulnerabilities",
        "targets",
        "groups",
        "scans",
        "scan_result",
        "vulnerabilities",
        "scan_vulnerabilities",
        "scan_pair",
        "scan_result_pair"
      ],
      "group": "Compliance Reports",
      "template_id": "11111111-1111-1111-1111-111111111123",
      "name": "WASC Threat Classification"
    }
  ]
}
  • Add a report generation task; the one below uses Developer by default
curl -k -i --request POST --url https://localhost:3443/api/v1/reports --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" --header "content-type: application/json" --data "{\"template_id\":\"11111111-1111-1111-1111-111111111111\",\"source\":{\"list_type\":\"scans\", \"id_list\":[\"64113dd8-3a37-447a-bde7-c5fef9924b83\"]}}"

Here 64113dd8-3a37-447a-bde7-c5fef9924b83 is the scan_id, which can be taken from the scan status output.

  • Get the status of all reports

    curl -k --url  https://localhost:3443/api/v1/reports --header "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" --header "content-type: application/json"
    
  • The returned data

{
 "reports": [
  {
   "report_id": "0c8ddda2-13f1-4e57-8472-37f7a24ad466",
   "template_name": "Developer",
   "template_id": "11111111-1111-1111-1111-111111111111",
   "generation_date": "2017-11-11T22:48:34.225360+08:00",
   "source": {
    "list_type": "scans",
    "description": "http://127.0.0.1;\u4e09\u7c73\u524d\u6709\u8549\u76ae",
    "id_list": [
     "64113dd8-3a37-447a-bde7-c5fef9924b83"
    ]
   },
   "download": [
    "/reports/download/0c8ddda2-13f1-4e57-8472-37f7a24ad466.html",
    "/reports/download/0c8ddda2-13f1-4e57-8472-37f7a24ad466.pdf"
   ],
   "template_type": 0,
   "status": "completed"
  }
 ],
 "pagination": {
  "previous_cursor": 0,
  "next_cursor": null
 }
}

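6. Ignoring low-risk vulnerabilities

  • Sometimes a scan turns up low-value findings that are of no real use, and in large numbers, which is very annoying.
  • First get all the vulnerability IDs. In vulnerabilities, vt_name is the vulnerability's title and vuln_id is its ID; both are used below. First check whether the title is in the ignore list, then take the vulnerability's ID and ignore it.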
curl -s -k --request GET --url https://localhost:3443/api/v1/vulnerabilities?q=status:open -H "content-type: application/json" -H "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cd9526c84695c4cd3a1ca7a248246cb77"
  • The ignore request uses the PUT method:
    https://localhost:3443/api/v1/vulnerabilities/1679149810550048216/status

  • {"status":"ignored"} must also be submitted to mark the vulnerability as ignored
  • The 1679149810550048216 here is the vulnerability ID, which can be obtained above.
  • In curl it looks like this.
    curl -s -k --request PUT --url https://10.18.1.14:3443/api/v1/vulnerabilities/1681238316512446232/status --data "{\"status\":\"ignored\"}" -H "content-type: application/json" -H "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cd9526c84695c4cd3a1ca7a248246cb77"
    

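1681238316512446232 is the ID of the vulnerability to ignore

  • The vulnerabilities to ignore are all kept in the file 忽略的漏洞.txt in the program's working directory, one per line.

  • The proxy is configured as shown below; only HTTP is supported, so for other protocols you will have to find your own way.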
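
The title check from section 6, as an added Python example (not the tool's own Easy Language code): it reads the ignore list, matches vt_name exactly, and sends the PUT for each match. The call transport, the function names and the severity field are assumptions of this example; the sample titles and data are constructed.

```python
MAX_SEVERITY = 1  # assumed scale: 0 info, 1 low, 2 medium, 3 high


def load_ignore_titles(text):
    """Parse 忽略的漏洞.txt: one title per line; BOM and blank lines dropped."""
    lines = (line.strip() for line in text.lstrip("\ufeff").splitlines())
    return {line for line in lines if line}


def ignore_listed(vuln_reply, titles, call, max_severity=MAX_SEVERITY):
    """Set status "ignored" on open findings whose vt_name is listed.

    call(method, path, body) is a caller-supplied transport (hypothetical
    name) that sends one request under /api/v1. The "severity" field is an
    assumption; it keeps a listed title from hiding a medium or high finding.
    Returns the vuln_ids that were ignored.
    """
    ignored = []
    for vuln in vuln_reply["vulnerabilities"]:
        if vuln["vt_name"] not in titles:
            continue
        if vuln.get("severity", 0) > max_severity:
            continue
        call("PUT", "/vulnerabilities/%s/status" % vuln["vuln_id"],
             {"status": "ignored"})
        ignored.append(vuln["vuln_id"])
    return ignored


# Constructed sample input: titles, severities and the third id are made up.
SAMPLE_IGNORE_FILE = ("\ufeffClickjacking: X-Frame-Options header missing\n"
                      "\n  Cookie without Secure flag set  \n")
SAMPLE_REPLY = {"vulnerabilities": [
    {"vuln_id": "1681238316512446232", "severity": 1,
     "vt_name": "Clickjacking: X-Frame-Options header missing"},
    {"vuln_id": "1679149810550048216", "severity": 3, "vt_name": "SQL injection"},
    {"vuln_id": "1000000000000000001", "severity": 2,
     "vt_name": "Cookie without Secure flag set"},
]}


def demo():
    """Run the filter over the sample with a stub transport that records calls."""
    sent = []
    titles = load_ignore_titles(SAMPLE_IGNORE_FILE)
    ids = ignore_listed(SAMPLE_REPLY, titles, lambda *args: sent.append(args))
    return ids, sent


if __name__ == "__main__":
    print(demo())
```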

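Updates:

  • Started building this tool on November 11, 2017.

  • Updated on the last night of 2017: the scan speed is adjustable, the host is now a list, certain vulnerabilities can be ignored, and a proxy can be set.

Attachments

References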

https://github.com/h4rdy/Acunetix11-API-Documentation

https://github.com/0xa-saline/acunetix-api

http://www.chamd5.org/json.html

Source: freebuf.com 2018-01-10 11:03:43 by: 三米前有蕉皮
