02 勘察:识别 Web 应用的防火墙
2016-07-19 本文已影响411人
半个王国
Web Application Firewall (WAF)可以是一个硬件也可以是一个软件,用以检查过滤发往 Web 应用的数据包,常见的过滤机制是基于认证签名或正则表达式。
如果靶机应用的 WAF 屏蔽了我们的请求或封了我们的 IP 地址,那么我们的很多操作就显得多此一举了。在渗透测试的勘察阶段,探测并识别 WAF ,比如 Intrusion Detection System (IDS) 或者 Intrusion Prevention System (IPS)。进行 WAF 探测识别的目的是为了防止被靶机封杀访问。
这篇文章,我们讨论如何使用不同的方法,借助 Kali 提供的工具扫描并探测靶机和我们之间的 WAF。
实施步骤
Nmap 包含一堆脚本用来检测 WAF 是否存在:
root@kali:~# nmap -p 80,443 --script=http-waf-detect 192.168.150.143
Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-18 23:09 CST
Nmap scan report for bogon (192.168.150.143)
Host is up (0.00034s latency).
PORT STATE SERVICE
80/tcp open http
443/tcp open https
MAC Address: 00:0C:29:8F:CA:00 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds
上面这个扫描结果显示,该站点没有使用 WAF
下面扫描一个使用 WAF 的 Web 应用:
root@kali:~# nmap -p 80,443 --script=http-waf-detect www.jianshu.com
Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-18 CST
Nmap scan report for www.jianshu.com (120.132.92.21)
Host is up (0.0049s latency).
PORT STATE SERVICE
80/tcp open http
| http-waf-detect: IDS/IPS/WAF detected:
|_www.jianshu.com:80/?p4yl04d3=<script>alert(document.cookie)</script>
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 1.31 seconds
root@kali:~# nmap -p 80,443 --script=http-waf-detect idea.lanyus.com
Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-18 23:19 CST
Nmap scan report for idea.lanyus.com (120.52.29.180)
Host is up (0.0081s latency).
PORT STATE SERVICE
80/tcp open http
| http-waf-detect: IDS/IPS/WAF detected:
|_idea.lanyus.com:80/?p4yl04d3=<script>alert(document.cookie)</script>
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 1.32 seconds
下面我们使用 Nmap 的另一个脚本来更加精确的定位 所使用的 WAF 产品:
root@kali:~# nmap -p 80,443 --script=http-waf-fingerprint idea.lanyus.com
Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-18 23:34 CST
Nmap scan report for idea.lanyus.com (120.52.29.180)
Host is up (0.0083s latency).
PORT STATE SERVICE
80/tcp open http
| http-waf-fingerprint:
| Detected WAF
|_ Cloudflare
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 1.28 seconds
另一个检测 WAF 的工具 wafw00f:
root@kali:~# wafw00f www.example.com
^ ^
_ __ _ ____ _ __ _ _ ____
///7/ /.' \ / __////7/ /,' \ ,' \ / __/
| V V // o // _/ | V V // 0 // 0 // _/
|_n_,'/_n_//_/ |_n_,' \_,' \_,'/_/
<
...'
WAFW00F - Web Application Firewall Detection Tool
By Sandro Gauci && Wendel G. Henrique
Checking http://www.example.com
Generic Detection results:
The site http://www.example.com seems to be behind a WAF or some sort of security solution
Reason: The server header is different when an attack is detected.
The server header for a normal response is "ECS (rhv/818F)", while the server header a response to an attack is "ECS (rhv/8192).",
Number of requests: 12
检测原理
WAF 检测原理是给服务发送特定请求,然后分析响应。比如 http-waf-detect ,它发送很多恶意请求,看有没有被服务端封杀、过滤或检测到的请求。 http-waf-fingerprint 也是这个工作流程,但是这个脚本还会进一步解析响应,根据不同 IDSs 和 WAFs 的模式来对 WAF 进行分类。wafw00f 的检测原理也是如此。
