2017年的双11开始造这个轮子的。把自己常用的功能加进去了。
大致的功能
- 1.扫描器的主机随时切换,不用把api密钥换来换去。
- 2.可以选择扫描的速度频率
- 3.支持拖放批量扫描,快捷键F8自动取剪切板目标进行单个扫描。
- 4.可以设置代理服务器
- 5.设置登陆账号,密码
- 6.批量添加描述
- 7.报告生成,下载
- 8.可忽略鸡肋漏洞
说明
- 程序是用易语言写的,调用了curl。随便你们怎么看,我还会其他语言的,只是觉得易语言方便和很快可以实现我想要的功能。不喜欢可以不用,或自己用其他语言写一个的。
- 云盘里一共有五个文件,还有录屏教程。链接在文末。
ca-bundle.crt //curl的证书 config.ini //配置文件 curl.exe //curl主程序 New.exe //主程序 忽略的漏洞.txt //放忽略漏洞的标题的 0.准备
-
在使用Acunetix-11的过程中发现一个一个添加目标,还要点扫描目标,还要选择类型,想想都觉得麻烦,特别是有一堆子域名的时候。所以想着造个轮子方便一下自己。就开始在网上找教程,在这里非常感谢【屌丝归档笔记】,我大部分的思路都是从他的博客里学的。
-
怎么调用api?在Acunetix的Web控制台上的右上角点Profile,拉到最下面,刚刚开始是没有api-key的。所以要生成一个,先复制出来,一会要用到。
1. 我们先添加一个扫描目标:
curl -k --request POST --url https://localhost:3443/api/v1/targets --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" --header "content-type: application/json" --data "{\"address\":\"http://127.0.0.1\",\"description\":\"\u4e09\u7c73\u524d\u6709\u8549\u76ae\",\"criticality\":\"10\"}" - 解释一下:
https://localhost:3443/ 是host 1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0 是api-key http://127.0.0.1` 是添加扫描的目标 \u4e09\u7c73\u524d\u6709\u8549\u76ae\` 是描述,解码后也就是三米前有蕉皮(可设置) 10 是目标的临界值 (Critical [30], High [20], Normal [10], Low [0])-
试着执行一下上面的命令,返回下面的信息
{ "criticality": 10, "description": "\u4e09\u7c73\u524d\u6709\u8549\u76ae", "address": "http://127.0.0.1", "target_id": "89054811-234b-49c1-84dd-b84b0b4631db" } -
返回target_id就表明添加成功了。
2. 现在我们来开始扫描刚刚添加的目标
curl -k --request POST --url https://localhost:3443/api/v1/scans --header "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" --header "content-type: application/json" --data "{\"target_id\":\"89054811-234b-49c1-84dd-b84b0b4631db\",\"profile_id\":\"11111111-1111-1111-1111-111111111111\",\"schedule\":{\"disable\":false,\"start_date\":null,\"time_sensitive\":false}}" - 解释一下其中:
89054811-234b-49c1-84dd-b84b0b4631db是上面刚刚生成的target_id11111111-1111-1111-1111-111111111111是profile ID。我自己理解就是【Full Scan】扫描类型
- 执行下面命令可以查看所有profile。
curl -k --request POST --url https://localhost:3443/api/v1/scanning_profiles --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" - 具体看看name后面的值。看下面的图就懂了。
{ "scanning_profiles": [
{ "custom": false, "checks": [], "name": "Full Scan",//完全扫描 "sort_order": 1, "profile_id": "11111111-1111-1111-1111-111111111111" },
{ "custom": false, "checks": [], "name": "High Risk Vulnerabilities",//扫描高危漏洞 "sort_order": 2, "profile_id": "11111111-1111-1111-1111-111111111112" },
{ "custom": false, "checks": [], "name": "Cross-site Scripting Vulnerabilities",//扫描跨站脚本漏洞 "sort_order": 3, "profile_id": "11111111-1111-1111-1111-111111111116" },
{ "custom": false, "checks": [], "name": "SQL Injection Vulnerabilities",//扫描SQL注入漏洞 "sort_order": 4, "profile_id": "11111111-1111-1111-1111-111111111113" },
{ "custom": false, "checks": [], "name": "Weak Passwords",//扫描弱口令 "sort_order": 5, "profile_id": "11111111-1111-1111-1111-111111111115" },
{ "custom": false, "checks": [], "name": "Crawl Only",//只是爬虫去爬网站的目录结构 "sort_order": 6, "profile_id": "11111111-1111-1111-1111-111111111117" }
]
} -
写轮子的时候并没有把扫描类型加上去,一般都是完全扫描的,就没有这个功能。有建议可以加上的。
-
执行完了添加扫描应该是返回下面的数据:
{
"schedule": {
"time_sensitive": false,
"start_date": null,
"disable": false },
"ui_session_id": null,
"profile_id": "11111111-1111-1111-1111-111111111111",
"target_id": "89054811-234b-49c1-84dd-b84b0b4631db" } 3. 查看扫描状态
curl -k https://localhost:3443/api/v1/scans --header "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" - 如果是扫描目标较多的话,会返回很多数据。这里只拿出一个目标看看。
{ "criticality": 10, "next_run": null, "scan_id": "7cd1c5b2-aca3-45e1-bfd3-07baf9d8a79d", "current_session": { "event_level": 0, "severity_counts": { "high": 0, "info": 0, "low": 1, "medium": 1 }, "scan_session_id": "02fcf3e2-f029-4440-a9f8-04f4929cef5a", "progress": 0, "start_date": "2017-11-11T20:37:53.126579+08:00", "status": "queued", "threat": 2 }, "report_template_id": null, "target_id": "89054811-234b-49c1-84dd-b84b0b4631db", "target": { "criticality": 10, "description": "\u4e09\u7c73\u524d\u6709\u8549\u76ae", "address": "http://127.0.0.1" }, "profile_name": "Full Scan", "schedule": { "start_date": null, "history_limit": null, "time_sensitive": false, "recurrence": null, "disable": false }, "profile_id": "11111111-1111-1111-1111-111111111111" }, 4. 删除一个扫描目标
- 按照屌丝归档笔记的方法死活不可以,最后通过抓包发现请求并不是GET方式的,而是DELETE方式。
curl -k --request DELETE --url https://localhost:3443/api/v1/targets/8000e46d-e361-4760-8b8a-b29fa8579604 --header "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" --header "content-type: application/json" -
解释一下:
8000e46d-e361-4760-8b8a-b29fa8579604是target_id,通过查看扫描状态的时候可以取到。
5. 报告方面
-
获取报告类型,大概就是下面这张图片里面的选项,还是看name的值
-
curl -k --url https://localhost:3443/api/v1/report_templates --header "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" --header "content-type: application/json" - 和name一一对应的
{
"templates": [
{
"accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
"group": "Standard Reports",
"template_id": "11111111-1111-1111-1111-111111111111",
"name": "Developer" },
{
"accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
"group": "Standard Reports",
"template_id": "11111111-1111-1111-1111-111111111112",
"name": "Quick" },
{
"accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
"group": "Standard Reports",
"template_id": "11111111-1111-1111-1111-111111111113",
"name": "Executive Summary" },
{
"accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
"group": "Compliance Reports",
"template_id": "11111111-1111-1111-1111-111111111114",
"name": "HIPAA" },
{
"accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
"group": "Standard Reports",
"template_id": "11111111-1111-1111-1111-111111111115",
"name": "Affected Items" },
{
"accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
"group": "Standard Reports",
"template_id": "11111111-1111-1111-1111-111111111124",
"name": "Scan Comparison" },
{
"accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
"group": "Compliance Reports",
"template_id": "11111111-1111-1111-1111-111111111116",
"name": "CWE 2011" },
{
"accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
"group": "Compliance Reports",
"template_id": "11111111-1111-1111-1111-111111111117",
"name": "ISO 27001" },
{
"accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
"group": "Compliance Reports",
"template_id": "11111111-1111-1111-1111-111111111118",
"name": "NIST SP800 53" },
{
"accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
"group": "Compliance Reports",
"template_id": "11111111-1111-1111-1111-111111111119",
"name": "OWASP Top 10 2013" },
{
"accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
"group": "Compliance Reports",
"template_id": "11111111-1111-1111-1111-111111111120",
"name": "PCI DSS 3.2" },
{
"accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
"group": "Compliance Reports",
"template_id": "11111111-1111-1111-1111-111111111121",
"name": "Sarbanes Oxley" },
{
"accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
"group": "Compliance Reports",
"template_id": "11111111-1111-1111-1111-111111111122",
"name": "STIG DISA" },
{
"accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
"group": "Compliance Reports",
"template_id": "11111111-1111-1111-1111-111111111123",
"name": "WASC Threat Classification" }
]
} - 添加报告生成任务,下面的是默认使用Developer
curl -k -i --request POST --url https://localhost:3443//api/v1/reports --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" --header "content-type: application/json" --data "{\"template_id\":\"11111111-1111-1111-1111-111111111111\",\"source\":{\"list_type\":\"scans\", \"id_list\":[\"64113dd8-3a37-447a-bde7-c5fef9924b83"\"]}} 其中
64113dd8-3a37-447a-bde7-c5fef9924b83是scan_id,通过查看扫描状态的时候可以取到。
-
获取所有的报告状态
curl -k --url https://localhost:3443/api/v1/reports --header "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" --header "content-type: application/json" -
返回的数据
{
"reports": [
{
"report_id": "0c8ddda2-13f1-4e57-8472-37f7a24ad466",
"template_name": "Developer",
"template_id": "11111111-1111-1111-1111-111111111111",
"generation_date": "2017-11-11T22:48:34.225360+08:00",
"source": {
"list_type": "scans",
"description": "http://127.0.0.1;\u4e09\u7c73\u524d\u6709\u8549\u76ae",
"id_list": [ "64113dd8-3a37-447a-bde7-c5fef9924b83" ]
},
"download": [ "/reports/download/0c8ddda2-13f1-4e57-8472-37f7a24ad466.html", "/reports/download/0c8ddda2-13f1-4e57-8472-37f7a24ad466.pdf" ],
"template_type": 0,
"status": "completed" }
],
"pagination": {
"previous_cursor": 0,
"next_cursor": null }
} -
值得注意的是
download和status的值,下载支持HTML和PDF格式,等一下要用到。就是当status为完成的时候就可以下载了,下载地址是host加上download里的值。 -
比如:https://localhost:3443/reports/download/0c8ddda2-13f1-4e57-8472-37f7a24ad466.html
6.忽视低危漏洞
- 有时候扫出来的一些鸡肋漏洞实在没有什么作用,而且数量也很多,非常烦人。
-
先获取所有的漏洞ID,
vulnerabilities中的vt_name是漏洞的标题,vuln_id是漏洞的ID这两个都在下面要用到的。先判断漏洞的标题是否在忽视漏洞的列表里,再获取漏洞的ID,进行忽视。
curl -s -k --request GET --url https://localhost:3443/api/v1/vulnerabilities?q=status:open -H "content-type: application/json" -H "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cd9526c84695c4cd3a1ca7a248246cb77" -
忽视漏洞的请求是用PUT方式:
curl -s -k --request GET --url https://localhost:3443/api/v1/vulnerabilities?q=status:open -H "content-type: application/json" -H "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cd9526c84695c4cd3a1ca7a248246cb77" -
还要提交
{"status":"ignored"}表示忽视该漏洞 -
这里的
1679149810550048216就是漏洞ID,在上面可以获取到。 -
在curl里就是这样子的。
curl -s -k --request PUT --url https://10.18.1.14:3443/api/v1/vulnerabilities/1681238316512446232/status --data "{\"status\":\"ignored\"}" -H "content-type: application/json" -H "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cd9526c84695c4cd3a1ca7a248246cb77"
1681238316512446232就是要忽略的漏洞ID
-
漏洞统一放在了程序运行目录下的
忽略的漏洞.txt文件里,一行一个。 -
代理就是设置下面的,只有http的,其他协议自己想办法。
更新:
-
2017年11月11日开始造这个轮子。
-
2017年最后一晚更新了,可调扫描速度,主机改成列表了,可忽视某些漏洞,可以设置代理。
附件
-
链接: https://pan.baidu.com/s/1bpjjnTd 密码: h4p6
-
里面有录屏教程。
参考
https://github.com/h4rdy/Acunetix11-API-Documentation