大致的功能
- 1.扫描器的主机随时切换,不用把api密钥换来换去。
- 2.可以选择扫描的速度频率
- 3.支持拖放批量扫描,快捷键F8自动取剪切板目标进行单个扫描。
- 4.可以设置代理服务器
- 5.设置登陆账号,密码
- 6.批量添加描述
- 7.报告生成,下载
- 8.可忽略鸡肋漏洞
说明
- 程序是用易语言写的,调用了curl。随便你们怎么看,我还会其他语言的,只是觉得易语言方便和很快可以实现我想要的功能。不喜欢可以不用,或自己用其他语言写一个的。
- 云盘里一共有五个文件,还有录屏教程。链接在文末。
ca-bundle.crt //curl的证书
config.ini //配置文件
curl.exe //curl主程序
New.exe //主程序
忽略的漏洞.txt //放忽略漏洞的标题的
0.准备
-
在使用Acunetix-11的过程中发现一个一个添加目标,还要点扫描目标,还要选择类型,想想都觉得麻烦,特别是有一堆子域名的时候。所以想着造个轮子方便一下自己。就开始在网上找教程,在这里非常感谢【屌丝归档笔记】,我大部分的思路都是从他的博客里学的。
-
怎么调用api?在Acunetix的Web控制台上的右上角点Profile,拉到最下面,刚刚开始是没有api-key的。所以要生成一个,先复制出来,一会要用到。
1. 我们先添加一个扫描目标:
curl -k --request POST --url https://localhost:3443/api/v1/targets --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" --header "content-type: application/json" --data "{\"address\":\"http://127.0.0.1\",\"description\":\"\u4e09\u7c73\u524d\u6709\u8549\u76ae\",\"criticality\":\"10\"}"
- 解释一下:
https://localhost:3443/ 是host
1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0 是api-key
http://127.0.0.1` 是添加扫描的目标
\u4e09\u7c73\u524d\u6709\u8549\u76ae\` 是描述,解码后也就是三米前有蕉皮(可设置)
10 是目标的临界值 (Critical [30], High [20], Normal [10], Low [0])-
试着执行一下上面的命令,返回下面的信息
{ "criticality": 10, "description": "\u4e09\u7c73\u524d\u6709\u8549\u76ae", "address": "http://127.0.0.1", "target_id": "89054811-234b-49c1-84dd-b84b0b4631db" } -
返回target_id就表明添加成功了。
2. 现在我们来开始扫描刚刚添加的目标
curl -k --request POST --url https://localhost:3443/api/v1/scans --header "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" --header "content-type: application/json" --data "{\"target_id\":\"89054811-234b-49c1-84dd-b84b0b4631db\",\"profile_id\":\"11111111-1111-1111-1111-111111111111\",\"schedule\":{\"disable\":false,\"start_date\":null,\"time_sensitive\":false}}"
- 解释一下其中:
89054811-234b-49c1-84dd-b84b0b4631db是上面刚刚生成的target_id11111111-1111-1111-1111-111111111111是profile ID。我自己理解就是【Full Scan】扫描类型
- 执行下面命令可以查看所有profile。
curl -k --request POST --url https://localhost:3443/api/v1/scanning_profiles --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0"
- 具体看看name后面的值。看下面的图就懂了。
{
"scanning_profiles": [
{
"custom": false,
"checks": [],
"name": "Full Scan",//完全扫描
"sort_order": 1,
"profile_id": "11111111-1111-1111-1111-111111111111"
},
{
"custom": false,
"checks": [],
"name": "High Risk Vulnerabilities",//扫描高危漏洞
"sort_order": 2,
"profile_id": "11111111-1111-1111-1111-111111111112"
},
{
"custom": false,
"checks": [],
"name": "Cross-site Scripting Vulnerabilities",//扫描跨站脚本漏洞
"sort_order": 3,
"profile_id": "11111111-1111-1111-1111-111111111116"
},
{
"custom": false,
"checks": [],
"name": "SQL Injection Vulnerabilities",//扫描SQL注入漏洞
"sort_order": 4,
"profile_id": "11111111-1111-1111-1111-111111111113"
},
{
"custom": false,
"checks": [],
"name": "Weak Passwords",//扫描弱口令
"sort_order": 5,
"profile_id": "11111111-1111-1111-1111-111111111115"
},
{
"custom": false,
"checks": [],
"name": "Crawl Only",//只是爬虫去爬网站的目录结构
"sort_order": 6,
"profile_id": "11111111-1111-1111-1111-111111111117"
}
]
}
-
写轮子的时候并没有把扫描类型加上去,一般都是完全扫描的,就没有这个功能。有建议可以加上的。
-
执行完了添加扫描应该是返回下面的数据:
{
"schedule": {
"time_sensitive": false,
"start_date": null,
"disable": false
},
"ui_session_id": null,
"profile_id": "11111111-1111-1111-1111-111111111111",
"target_id": "89054811-234b-49c1-84dd-b84b0b4631db"
}
3. 查看扫描状态
curl -k https://localhost:3443/api/v1/scans --header "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0"
- 如果是扫描目标较多的话,会返回很多数据。这里只拿出一个目标看看。
{
"criticality": 10,
"next_run": null,
"scan_id": "7cd1c5b2-aca3-45e1-bfd3-07baf9d8a79d",
"current_session": {
"event_level": 0,
"severity_counts": {
"high": 0,
"info": 0,
"low": 1,
"medium": 1
},
"scan_session_id": "02fcf3e2-f029-4440-a9f8-04f4929cef5a",
"progress": 0,
"start_date": "2017-11-11T20:37:53.126579+08:00",
"status": "queued",
"threat": 2
},
"report_template_id": null,
"target_id": "89054811-234b-49c1-84dd-b84b0b4631db",
"target": {
"criticality": 10,
"description": "\u4e09\u7c73\u524d\u6709\u8549\u76ae",
"address": "http://127.0.0.1"
},
"profile_name": "Full Scan",
"schedule": {
"start_date": null,
"history_limit": null,
"time_sensitive": false,
"recurrence": null,
"disable": false
},
"profile_id": "11111111-1111-1111-1111-111111111111"
},
4. 删除一个扫描目标
- 按照屌丝归档笔记的方法死活不可以,最后通过抓包发现请求并不是GET方式的,而是DELETE方式。
curl -k --request DELETE --url https://localhost:3443/api/v1/targets/8000e46d-e361-4760-8b8a-b29fa8579604 --header "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" --header "content-type: application/json"
-
解释一下:
8000e46d-e361-4760-8b8a-b29fa8579604是target_id,通过查看扫描状态的时候可以取到。
5. 报告方面
-
获取报告类型,大概就是下面这张图片里面的选项,还是看name的值
-
curl -k --url https://localhost:3443/api/v1/report_templates --header "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" --header "content-type: application/json"
- 和name一一对应的
{
"templates": [
{
"accepted_sources": [
"all_vulnerabilities",
"targets",
"groups",
"scans",
"scan_result",
"vulnerabilities",
"scan_vulnerabilities",
"scan_pair",
"scan_result_pair"
],
"group": "Standard Reports",
"template_id": "11111111-1111-1111-1111-111111111111",
"name": "Developer"
},
{
"accepted_sources": [
"all_vulnerabilities",
"targets",
"groups",
"scans",
"scan_result",
"vulnerabilities",
"scan_vulnerabilities",
"scan_pair",
"scan_result_pair"
],
"group": "Standard Reports",
"template_id": "11111111-1111-1111-1111-111111111112",
"name": "Quick"
},
{
"accepted_sources": [
"all_vulnerabilities",
"targets",
"groups",
"scans",
"scan_result",
"vulnerabilities",
"scan_vulnerabilities",
"scan_pair",
"scan_result_pair"
],
"group": "Standard Reports",
"template_id": "11111111-1111-1111-1111-111111111113",
"name": "Executive Summary"
},
{
"accepted_sources": [
"all_vulnerabilities",
"targets",
"groups",
"scans",
"scan_result",
"vulnerabilities",
"scan_vulnerabilities",
"scan_pair",
"scan_result_pair"
],
"group": "Compliance Reports",
"template_id": "11111111-1111-1111-1111-111111111114",
"name": "HIPAA"
},
{
"accepted_sources": [
"all_vulnerabilities",
"targets",
"groups",
"scans",
"scan_result",
"vulnerabilities",
"scan_vulnerabilities",
"scan_pair",
"scan_result_pair"
],
"group": "Standard Reports",
"template_id": "11111111-1111-1111-1111-111111111115",
"name": "Affected Items"
},
{
"accepted_sources": [
"all_vulnerabilities",
"targets",
"groups",
"scans",
"scan_result",
"vulnerabilities",
"scan_vulnerabilities",
"scan_pair",
"scan_result_pair"
],
"group": "Standard Reports",
"template_id": "11111111-1111-1111-1111-111111111124",
"name": "Scan Comparison"
},
{
"accepted_sources": [
"all_vulnerabilities",
"targets",
"groups",
"scans",
"scan_result",
"vulnerabilities",
"scan_vulnerabilities",
"scan_pair",
"scan_result_pair"
],
"group": "Compliance Reports",
"template_id": "11111111-1111-1111-1111-111111111116",
"name": "CWE 2011"
},
{
"accepted_sources": [
"all_vulnerabilities",
"targets",
"groups",
"scans",
"scan_result",
"vulnerabilities",
"scan_vulnerabilities",
"scan_pair",
"scan_result_pair"
],
"group": "Compliance Reports",
"template_id": "11111111-1111-1111-1111-111111111117",
"name": "ISO 27001"
},
{
"accepted_sources": [
"all_vulnerabilities",
"targets",
"groups",
"scans",
"scan_result",
"vulnerabilities",
"scan_vulnerabilities",
"scan_pair",
"scan_result_pair"
],
"group": "Compliance Reports",
"template_id": "11111111-1111-1111-1111-111111111118",
"name": "NIST SP800 53"
},
{
"accepted_sources": [
"all_vulnerabilities",
"targets",
"groups",
"scans",
"scan_result",
"vulnerabilities",
"scan_vulnerabilities",
"scan_pair",
"scan_result_pair"
],
"group": "Compliance Reports",
"template_id": "11111111-1111-1111-1111-111111111119",
"name": "OWASP Top 10 2013"
},
{
"accepted_sources": [
"all_vulnerabilities",
"targets",
"groups",
"scans",
"scan_result",
"vulnerabilities",
"scan_vulnerabilities",
"scan_pair",
"scan_result_pair"
],
"group": "Compliance Reports",
"template_id": "11111111-1111-1111-1111-111111111120",
"name": "PCI DSS 3.2"
},
{
"accepted_sources": [
"all_vulnerabilities",
"targets",
"groups",
"scans",
"scan_result",
"vulnerabilities",
"scan_vulnerabilities",
"scan_pair",
"scan_result_pair"
],
"group": "Compliance Reports",
"template_id": "11111111-1111-1111-1111-111111111121",
"name": "Sarbanes Oxley"
},
{
"accepted_sources": [
"all_vulnerabilities",
"targets",
"groups",
"scans",
"scan_result",
"vulnerabilities",
"scan_vulnerabilities",
"scan_pair",
"scan_result_pair"
],
"group": "Compliance Reports",
"template_id": "11111111-1111-1111-1111-111111111122",
"name": "STIG DISA"
},
{
"accepted_sources": [
"all_vulnerabilities",
"targets",
"groups",
"scans",
"scan_result",
"vulnerabilities",
"scan_vulnerabilities",
"scan_pair",
"scan_result_pair"
],
"group": "Compliance Reports",
"template_id": "11111111-1111-1111-1111-111111111123",
"name": "WASC Threat Classification"
}
]
}
- 添加报告生成任务,下面的是默认使用Developer
curl -k -i --request POST --url https://localhost:3443//api/v1/reports --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" --header "content-type: application/json" --data "{\"template_id\":\"11111111-1111-1111-1111-111111111111\",\"source\":{\"list_type\":\"scans\", \"id_list\":[\"64113dd8-3a37-447a-bde7-c5fef9924b83"\"]}}
其中
64113dd8-3a37-447a-bde7-c5fef9924b83是scan_id,通过查看扫描状态的时候可以取到。
-
获取所有的报告状态
curl -k --url https://localhost:3443/api/v1/reports --header "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" --header "content-type: application/json" -
返回的数据
{
"reports": [
{
"report_id": "0c8ddda2-13f1-4e57-8472-37f7a24ad466",
"template_name": "Developer",
"template_id": "11111111-1111-1111-1111-111111111111",
"generation_date": "2017-11-11T22:48:34.225360+08:00",
"source": {
"list_type": "scans",
"description": "http://127.0.0.1;\u4e09\u7c73\u524d\u6709\u8549\u76ae",
"id_list": [
"64113dd8-3a37-447a-bde7-c5fef9924b83"
]
},
"download": [
"/reports/download/0c8ddda2-13f1-4e57-8472-37f7a24ad466.html",
"/reports/download/0c8ddda2-13f1-4e57-8472-37f7a24ad466.pdf"
],
"template_type": 0,
"status": "completed"
}
],
"pagination": {
"previous_cursor": 0,
"next_cursor": null
}
}
-
值得注意的是
download和status的值,下载支持HTML和PDF格式,等一下要用到。就是当status为完成的时候就可以下载了,下载地址是host加上download里的值。 -
比如:https://localhost:3443/reports/download/0c8ddda2-13f1-4e57-8472-37f7a24ad466.html
6.忽视低危漏洞
- 有时候扫出来的一些鸡肋漏洞实在没有什么作用,而且数量也很多,非常烦人。
- 先获取所有的漏洞ID,
vulnerabilities中的vt_name是漏洞的标题,vuln_id是漏洞的ID这两个都在下面要用到的。先判断漏洞的标题是否在忽视漏洞的列表里,再获取漏洞的ID,进行忽视。
curl -s -k --request GET --url https://localhost:3443/api/v1/vulnerabilities?q=status:open -H "content-type: application/json" -H "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cd9526c84695c4cd3a1ca7a248246cb77"
- 忽视漏洞的请求是用PUT方式:
curl -s -k --request GET --url https://localhost:3443/api/v1/vulnerabilities?q=status:open -H "content-type: application/json" -H "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cd9526c84695c4cd3a1ca7a248246cb77" - 还要提交
{"status":"ignored"}表示忽视该漏洞 - 这里的
1679149810550048216就是漏洞ID,在上面可以获取到。 - 在curl里就是这样子的。
curl -s -k --request PUT --url https://10.18.1.14:3443/api/v1/vulnerabilities/1681238316512446232/status --data "{\"status\":\"ignored\"}" -H "content-type: application/json" -H "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cd9526c84695c4cd3a1ca7a248246cb77"
1681238316512446232就是要忽略的漏洞ID
-
漏洞统一放在了程序运行目录下的
忽略的漏洞.txt文件里,一行一个。 -
代理就是设置下面的,只有http的,其他协议自己想办法。
更新:
-
2017年11月11日开始造这个轮子。
-
2017年最后一晚更新了,可调扫描速度,主机改成列表了,可忽视某些漏洞,可以设置代理。
附件
-
链接: https://pan.baidu.com/s/1bpjjnTd 密码: h4p6
-
里面有录屏教程。
参考
https://github.com/h4rdy/Acunetix11-API-Documentation
https://github.com/0xa-saline/acunetix-api
http://www.chamd5.org/json.html
来源:freebuf.com 2018-01-10 11:03:43 by: 三米前有蕉皮
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
请登录后发表评论
注册