2017年的双11开始造这个轮子的。把自己常用的功能加进去了。

TIM截图20171231222335.png

大致的功能

  • 1.扫描器的主机随时切换,不用把api密钥换来换去。
  • 2.可以选择扫描的速度频率
  • 3.支持拖放批量扫描,快捷键F8自动取剪切板目标进行单个扫描。
  • 4.可以设置代理服务器
  • 5.设置登陆账号,密码
  • 6.批量添加描述
  • 7.报告生成,下载
  • 8.可忽略鸡肋漏洞

说明

  • 程序是用易语言写的,调用了curl。随便你们怎么看,我还会其他语言的,只是觉得易语言方便和很快可以实现我想要的功能。不喜欢可以不用,或自己用其他语言写一个的。
  • 云盘里一共有五个文件,还有录屏教程。链接在文末。
 ca-bundle.crt //curl的证书 config.ini //配置文件 curl.exe //curl主程序 New.exe //主程序 忽略的漏洞.txt //放忽略漏洞的标题的 

0.准备

  • 在使用Acunetix-11的过程中发现一个一个添加目标,还要点扫描目标,还要选择类型,想想都觉得麻烦,特别是有一堆子域名的时候。所以想着造个轮子方便一下自己。就开始在网上找教程,在这里非常感谢【屌丝归档笔记】,我大部分的思路都是从他的博客里学的。

  • 怎么调用api?在Acunetix的Web控制台上的右上角点Profile,拉到最下面,刚刚开始是没有api-key的。所以要生成一个,先复制出来,一会要用到。

1. 我们先添加一个扫描目标:

curl -k --request POST --url https://localhost:3443/api/v1/targets --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" --header "content-type: application/json" --data "{\"address\":\"http://127.0.0.1\",\"description\":\"\u4e09\u7c73\u524d\u6709\u8549\u76ae\",\"criticality\":\"10\"}" 
  • 解释一下:
 https://localhost:3443/   是host 1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0   是api-key  http://127.0.0.1`   是添加扫描的目标 \u4e09\u7c73\u524d\u6709\u8549\u76ae\`   是描述,解码后也就是三米前有蕉皮(可设置) 10 是目标的临界值 (Critical [30], High [20], Normal [10], Low [0])
  • 试着执行一下上面的命令,返回下面的信息

    {
    "criticality": 10,
    "description": "\u4e09\u7c73\u524d\u6709\u8549\u76ae",
    "address": "http://127.0.0.1",
    "target_id": "89054811-234b-49c1-84dd-b84b0b4631db" }
  • 返回target_id就表明添加成功了。

2. 现在我们来开始扫描刚刚添加的目标

curl -k --request POST --url https://localhost:3443/api/v1/scans --header "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" --header "content-type: application/json" --data "{\"target_id\":\"89054811-234b-49c1-84dd-b84b0b4631db\",\"profile_id\":\"11111111-1111-1111-1111-111111111111\",\"schedule\":{\"disable\":false,\"start_date\":null,\"time_sensitive\":false}}" 
  • 解释一下其中:

89054811-234b-49c1-84dd-b84b0b4631db是上面刚刚生成的target_id11111111-1111-1111-1111-111111111111是profile ID。我自己理解就是【Full Scan】扫描类型

  • 执行下面命令可以查看所有profile。
curl -k --request POST --url https://localhost:3443/api/v1/scanning_profiles --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" 
  • 具体看看name后面的值。看下面的图就懂了。

TIM截图20180101132400.png

{ "scanning_profiles": [
  { "custom": false, "checks": [], "name": "Full Scan",//完全扫描 "sort_order": 1, "profile_id": "11111111-1111-1111-1111-111111111111" },
  { "custom": false, "checks": [], "name": "High Risk Vulnerabilities",//扫描高危漏洞 "sort_order": 2, "profile_id": "11111111-1111-1111-1111-111111111112" },
  { "custom": false, "checks": [], "name": "Cross-site Scripting Vulnerabilities",//扫描跨站脚本漏洞 "sort_order": 3, "profile_id": "11111111-1111-1111-1111-111111111116" },
  { "custom": false, "checks": [], "name": "SQL Injection Vulnerabilities",//扫描SQL注入漏洞 "sort_order": 4, "profile_id": "11111111-1111-1111-1111-111111111113" },
  { "custom": false, "checks": [], "name": "Weak Passwords",//扫描弱口令 "sort_order": 5, "profile_id": "11111111-1111-1111-1111-111111111115" },
  { "custom": false, "checks": [], "name": "Crawl Only",//只是爬虫去爬网站的目录结构 "sort_order": 6, "profile_id": "11111111-1111-1111-1111-111111111117" }
 ]
} 
  • 写轮子的时候并没有把扫描类型加上去,一般都是完全扫描的,就没有这个功能。有建议可以加上的。

  • 执行完了添加扫描应该是返回下面的数据:

{
 "schedule": {
  "time_sensitive": false,
  "start_date": null,
  "disable": false },
 "ui_session_id": null,
 "profile_id": "11111111-1111-1111-1111-111111111111",
 "target_id": "89054811-234b-49c1-84dd-b84b0b4631db" } 

3. 查看扫描状态

curl -k https://localhost:3443/api/v1/scans --header "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" 
  • 如果是扫描目标较多的话,会返回很多数据。这里只拿出一个目标看看。
 { "criticality": 10, "next_run": null, "scan_id": "7cd1c5b2-aca3-45e1-bfd3-07baf9d8a79d", "current_session": { "event_level": 0, "severity_counts": { "high": 0, "info": 0, "low": 1, "medium": 1 }, "scan_session_id": "02fcf3e2-f029-4440-a9f8-04f4929cef5a", "progress": 0, "start_date": "2017-11-11T20:37:53.126579+08:00", "status": "queued", "threat": 2 }, "report_template_id": null, "target_id": "89054811-234b-49c1-84dd-b84b0b4631db", "target": { "criticality": 10, "description": "\u4e09\u7c73\u524d\u6709\u8549\u76ae", "address": "http://127.0.0.1" }, "profile_name": "Full Scan", "schedule": { "start_date": null, "history_limit": null, "time_sensitive": false, "recurrence": null, "disable": false }, "profile_id": "11111111-1111-1111-1111-111111111111" }, 

4. 删除一个扫描目标

  • 按照屌丝归档笔记的方法死活不可以,最后通过抓包发现请求并不是GET方式的,而是DELETE方式。
curl -k --request DELETE --url https://localhost:3443/api/v1/targets/8000e46d-e361-4760-8b8a-b29fa8579604 --header "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" --header "content-type: application/json" 
  • 解释一下:

    8000e46d-e361-4760-8b8a-b29fa8579604是target_id,通过查看扫描状态的时候可以取到。

5. 报告方面

  • 获取报告类型,大概就是下面这张图片里面的选项,还是看name的值

  • TIM截图20180101132747.png

curl -k --url https://localhost:3443/api/v1/report_templates --header "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" --header "content-type: application/json" 
  • 和name一一对应的
{
  "templates": [
    {
      "accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
      "group": "Standard Reports",
      "template_id": "11111111-1111-1111-1111-111111111111",
      "name": "Developer" },
    {
      "accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
      "group": "Standard Reports",
      "template_id": "11111111-1111-1111-1111-111111111112",
      "name": "Quick" },
    {
      "accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
      "group": "Standard Reports",
      "template_id": "11111111-1111-1111-1111-111111111113",
      "name": "Executive Summary" },
    {
      "accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
      "group": "Compliance Reports",
      "template_id": "11111111-1111-1111-1111-111111111114",
      "name": "HIPAA" },
    {
      "accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
      "group": "Standard Reports",
      "template_id": "11111111-1111-1111-1111-111111111115",
      "name": "Affected Items" },
    {
      "accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
      "group": "Standard Reports",
      "template_id": "11111111-1111-1111-1111-111111111124",
      "name": "Scan Comparison" },
    {
      "accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
      "group": "Compliance Reports",
      "template_id": "11111111-1111-1111-1111-111111111116",
      "name": "CWE 2011" },
    {
      "accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
      "group": "Compliance Reports",
      "template_id": "11111111-1111-1111-1111-111111111117",
      "name": "ISO 27001" },
    {
      "accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
      "group": "Compliance Reports",
      "template_id": "11111111-1111-1111-1111-111111111118",
      "name": "NIST SP800 53" },
    {
      "accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
      "group": "Compliance Reports",
      "template_id": "11111111-1111-1111-1111-111111111119",
      "name": "OWASP Top 10 2013" },
    {
      "accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
      "group": "Compliance Reports",
      "template_id": "11111111-1111-1111-1111-111111111120",
      "name": "PCI DSS 3.2" },
    {
      "accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
      "group": "Compliance Reports",
      "template_id": "11111111-1111-1111-1111-111111111121",
      "name": "Sarbanes Oxley" },
    {
      "accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
      "group": "Compliance Reports",
      "template_id": "11111111-1111-1111-1111-111111111122",
      "name": "STIG DISA" },
    {
      "accepted_sources": [ "all_vulnerabilities", "targets", "groups", "scans", "scan_result", "vulnerabilities", "scan_vulnerabilities", "scan_pair", "scan_result_pair" ],
      "group": "Compliance Reports",
      "template_id": "11111111-1111-1111-1111-111111111123",
      "name": "WASC Threat Classification" }
  ]
} 
  • 添加报告生成任务,下面的是默认使用Developer
curl -k -i --request POST --url https://localhost:3443//api/v1/reports --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" --header "content-type: application/json" --data "{\"template_id\":\"11111111-1111-1111-1111-111111111111\",\"source\":{\"list_type\":\"scans\", \"id_list\":[\"64113dd8-3a37-447a-bde7-c5fef9924b83"\"]}} 

其中64113dd8-3a37-447a-bde7-c5fef9924b83是scan_id,通过查看扫描状态的时候可以取到。

  • 获取所有的报告状态

    curl -k --url https://localhost:3443/api/v1/reports --header "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cb8ba5ea4a1784a779d5ae25eb73b19a0" --header "content-type: application/json" 
  • 返回的数据

{
 "reports": [
  {
   "report_id": "0c8ddda2-13f1-4e57-8472-37f7a24ad466",
   "template_name": "Developer",
   "template_id": "11111111-1111-1111-1111-111111111111",
   "generation_date": "2017-11-11T22:48:34.225360+08:00",
   "source": {
    "list_type": "scans",
    "description": "http://127.0.0.1;\u4e09\u7c73\u524d\u6709\u8549\u76ae",
    "id_list": [ "64113dd8-3a37-447a-bde7-c5fef9924b83" ]
   },
   "download": [ "/reports/download/0c8ddda2-13f1-4e57-8472-37f7a24ad466.html", "/reports/download/0c8ddda2-13f1-4e57-8472-37f7a24ad466.pdf" ],
   "template_type": 0,
   "status": "completed" }
 ],
 "pagination": {
  "previous_cursor": 0,
  "next_cursor": null }
} 

6.忽视低危漏洞

  • 有时候扫出来的一些鸡肋漏洞实在没有什么作用,而且数量也很多,非常烦人。
  • 先获取所有的漏洞ID,vulnerabilities中的vt_name是漏洞的标题,vuln_id是漏洞的ID这两个都在下面要用到的。先判断漏洞的标题是否在忽视漏洞的列表里,再获取漏洞的ID,进行忽视。
curl -s -k --request GET --url https://localhost:3443/api/v1/vulnerabilities?q=status:open -H "content-type: application/json" -H "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cd9526c84695c4cd3a1ca7a248246cb77" 
  • 忽视漏洞的请求是用PUT方式:
    curl -s -k --request GET --url https://localhost:3443/api/v1/vulnerabilities?q=status:open -H "content-type: application/json" -H "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cd9526c84695c4cd3a1ca7a248246cb77" 
  • 还要提交{"status":"ignored"}表示忽视该漏洞
  • 这里的1679149810550048216就是漏洞ID,在上面可以获取到。
  • 在curl里就是这样子的。
    curl -s -k --request PUT --url https://10.18.1.14:3443/api/v1/vulnerabilities/1681238316512446232/status --data "{\"status\":\"ignored\"}" -H "content-type: application/json" -H "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936cd9526c84695c4cd3a1ca7a248246cb77" 

1681238316512446232就是要忽略的漏洞ID

  • 漏洞统一放在了程序运行目录下的忽略的漏洞.txt文件里,一行一个。

  • 代理就是设置下面的,只有http的,其他协议自己想办法。

更新:

  • 2017年11月11日开始造这个轮子。

  • 2017年最后一晚更新了,可调扫描速度,主机改成列表了,可忽视某些漏洞,可以设置代理。

附件

参考

https://github.com/h4rdy/Acunetix11-API-Documentation

https://github.com/0xa-saline/acunetix-api

http://www.chamd5.org/json.html