DevilGoddy 2019-06-20
I came across a nice third-party application vulnerability scanning tool on GitHub, YASUO, so I took it for a spin. The tool is a stripped-down version, but you can see the approach behind it is excellent!
```bash
[root@localhost software]# git clone https://github.com/SecurityCompass/yasuo.git
```
Since it is written in Ruby, we need to install a few dependencies first:
```bash
gem install ruby-nmap
gem install net-http-persistent
gem install mechanize
gem install colorize
gem install text-table
```
Once they are installed, run it and see what happens:
```bash
[root@localhost yasuo]# ./yasuo.rb
/usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:54:in `require': cannot load such file -- json/pure (LoadError)
    from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:54:in `require'
    from /usr/share/gems/gems/json-1.7.7/lib/json.rb:60:in `rescue in <module:JSON>'
    from /usr/share/gems/gems/json-1.7.7/lib/json.rb:57:in `<module:JSON>'
    from /usr/share/gems/gems/json-1.7.7/lib/json.rb:54:in `<top (required)>'
    from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:128:in `require'
    from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:128:in `rescue in require'
    from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:39:in `require'
    from /usr/local/share/gems/gems/mime-types-2.5/lib/mime/type.rb:4:in `<top (required)>'
    from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:54:in `require'
    from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:54:in `require'
    from /usr/local/share/gems/gems/mime-types-2.5/lib/mime/types.rb:3:in `<top (required)>'
    from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:54:in `require'
    from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:54:in `require'
    from /usr/local/share/gems/gems/mechanize-2.7.3/lib/mechanize.rb:4:in `<top (required)>'
    from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:128:in `require'
    from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:128:in `rescue in require'
    from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:39:in `require'
    from /home/goderci/software/yasuo/resp200.rb:2:in `<top (required)>'
    from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:54:in `require'
    from /usr/local/share/ruby/site_ruby/rubygems/core_ext/kernel_require.rb:54:in `require'
    from ./yasuo.rb:34:in `<main>'
```
It throws an error: one more dependency (json_pure) has to be installed:
```bash
[root@localhost yasuo]# gem install json_pure
Fetching: json_pure-1.8.2.gem (100%)
Successfully installed json_pure-1.8.2
Parsing documentation for json_pure-1.8.2
Installing ri documentation for json_pure-1.8.2
1 gem installed
```
After that it works:
```bash
[root@localhost yasuo]# ruby yasuo.rb -h
#########################################################################################
Welcome to Yasuo v0.1
Author: Saurabh Harit (@0xsauby) | Contribution & Coolness: Stephen Hall (@_stephen_h)
#########################################################################################
Yasuo 0.1
    -s, --path-signatures            CSV file of vulnerable app signatures
    -f, --file [FILE]                Nmap output in xml format
    -r, --range [RANGE]              IP Range to Scan
    -n, --noping                     Run the full TCP scan with no ping
    -p, --port [PORT NUMBER]         Ports to Scan
    -A, --all_ports                  Scan on all 65535 ports
    -b, --brute [all/form/basic]     Bruteforce
    -h, -?, --help, --?              Get Help
    -v, --version                    Get Version
```
```bash
[root@localhost yasuo]# ./yasuo.rb -r 120.132.58.24
#########################################################################################
Welcome to Yasuo v0.1
Author: Saurabh Harit (@0xsauby) | Contribution & Coolness: Stephen Hall (@_stephen_h)
#########################################################################################
Initiating port scan
----------------------
Using nmap scan output file nmap_output_20150519143403UTC.xml
<<<Testing host - 120.132.58.24>>>
Discovered open port: 120.132.58.24:80
<<<Enumerating vulnerable applications>>>
-------------------------------------------
Testing ----> http://120.132.58.24:80/jmx-console
Testing ----> http://120.132.58.24:80/manager/html
Testing ----> http://120.132.58.24:80/manager
Testing ----> http://120.132.58.24:80/testlink-1.9.3/login.php
Testing ----> http://120.132.58.24:80/testlink/login.php
Testing ----> http://120.132.58.24:80/jenkins/
Testing ----> http://120.132.58.24:80/script/
Testing ----> http://120.132.58.24:80/axis2/axis2-admin
Testing ----> http://120.132.58.24:80/cms400min/
Testing ----> http://120.132.58.24:80/imc
Testing ----> http://120.132.58.24:80/umbraco/
Testing ----> http://120.132.58.24:80/vfolder.ghp
Testing ----> http://120.132.58.24:80/ctc/servlet
Testing ----> http://120.132.58.24:80/SiteScope/
Testing ----> http://120.132.58.24:80/ws/control
Testing ----> http://120.132.58.24:80/autopass
Testing ----> http://120.132.58.24:80/php/test.php
Testing ----> http://120.132.58.24:80/d4d/statusFilter.php
Testing ----> http://120.132.58.24:80/jos.php
Testing ----> http://120.132.58.24:80/moodle/
Testing ----> http://120.132.58.24:80/Auxiliumpetratepro/
Testing ----> http://120.132.58.24:80/IDC.php
Testing ----> http://120.132.58.24:80/sflog/
Testing ----> http://120.132.58.24:80/struts2-blank/example/HelloWorld.action
Testing ----> http://120.132.58.24:80/mobilecartly/
Testing ----> http://120.132.58.24:80/mediawiki/index.php?title=Special:UserLogin&returnto=Main_Page
Testing ----> http://120.132.58.24:80/qdPM/
Testing ----> http://120.132.58.24:80/www/
Testing ----> http://120.132.58.24:80/gestioip/
Testing ----> http://120.132.58.24:80/polarbearcms
Testing ----> http://120.132.58.24:80/SiteScope/
Testing ----> http://120.132.58.24:80/invoker/JMXInvokerServlet
Testing ----> http://120.132.58.24:80/blank-struts2/login.action
Testing ----> http://120.132.58.24:80/log1cms2.0/
Testing ----> http://120.132.58.24:80/wikka/
Testing ----> http://120.132.58.24:80/cuteflow_v.2.11.2/
Testing ----> http://120.132.58.24:80/roller
Testing ----> http://120.132.58.24:80/jenkins/
Testing ----> http://120.132.58.24:80/SiteScope/
Testing ----> http://120.132.58.24:80/phptax/
Testing ----> http://120.132.58.24:80/AjaXplorer-2.5.5/plugins/access.ssh/checkInstall.php
Testing ----> http://120.132.58.24:80/phpmyadmin/
Testing ----> http://120.132.58.24:80/vtigercrm/
Testing ----> http://120.132.58.24:80/com_extplorer_2.1.0/
Testing ----> http://120.132.58.24:80/vtigercrm/
Testing ----> http://120.132.58.24:80/openx/
Testing ----> http://120.132.58.24:80/glossword/1.8/
Testing ----> http://120.132.58.24:80/glpi/
Testing ----> http://120.132.58.24:80/kordil_edms/
Testing ----> http://120.132.58.24:80/mt
Testing ----> http://120.132.58.24:80/zabbix/
Testing ----> http://120.132.58.24:80/bf102/
Testing ----> http://120.132.58.24:80/struts2-blank/example/HelloWorld.action
Testing ----> http://120.132.58.24:80/appRain-q-0.1.5
Testing ----> http://120.132.58.24:80/interface/
Testing ----> http://120.132.58.24:80/tiki/
Testing ----> http://120.132.58.24:80/forums/
Testing ----> http://120.132.58.24:80/wordpress
Testing ----> http://120.132.58.24:80/zimbraAdmin
Testing ----> http://120.132.58.24:80/nagios3/cgi-bin/history.cgi
Testing ----> http://120.132.58.24:80/php-charts_v1.0/
Testing ----> http://120.132.58.24:80/php-ofc-library/
Testing ----> http://120.132.58.24:80/librettoCMS_v.2.2.2/
Testing ----> http://120.132.58.24:80/horde/
Testing ----> http://120.132.58.24:80/wordpress
Testing ----> http://120.132.58.24:80/xoda/
Testing ----> http://120.132.58.24:80/zm/
Testing ----> http://120.132.58.24:80/seportal
Testing ----> http://120.132.58.24:80/webtester5/
Testing ----> http://120.132.58.24:80/hastymail2/
Testing ----> http://120.132.58.24:80/joomla
Testing ----> http://120.132.58.24:80/kimai/
Testing ----> http://120.132.58.24:80/chat/
Testing ----> http://120.132.58.24:80/simple_e_document_v_1_31/
Testing ----> http://120.132.58.24:80/sample
Testing ----> http://120.132.58.24:80/openemr
Testing ----> http://120.132.58.24:80/openemr
Testing ----> http://120.132.58.24:80/basilic-1.5.14/
Testing ----> http://120.132.58.24:80/narcissus-master/
Testing ----> http://120.132.58.24:80/pp088/
Testing ----> http://120.132.58.24:80/opensis/
Testing ----> http://120.132.58.24:80/vcms/
Testing ----> http://120.132.58.24:80/zabbix
Testing ----> http://120.132.58.24:80/WebCalendar-1.2.4/
Testing ----> http://120.132.58.24:80/spywall/pbcontrol.php
Testing ----> http://120.132.58.24:80/WeBid
Testing ----> http://120.132.58.24:80/dolibarr/
Testing ----> http://120.132.58.24:80/ctc/servlet
Testing ----> http://120.132.58.24:80/users/password
Testing ----> http://120.132.58.24:80/apply.cgi
Testing ----> http://120.132.58.24:80/seam-booking/home.seam
Testing ----> http://120.132.58.24:80/cgi-bin/admin.cgi
Testing ----> http://120.132.58.24:80/openbravo/
Testing ----> http://120.132.58.24:80/BEMS
Testing ----> http://120.132.58.24:80/CimWeb
Testing ----> http://120.132.58.24:80/PI/services/UCP/
Testing ----> http://120.132.58.24:80/_all_dbs
Testing ----> http://120.132.58.24:80/sap/bc/soap/rfc
Testing ----> http://120.132.58.24:80/admin/index.jsp
Testing ----> http://120.132.58.24:80/.svn/
Yasuo found - http://120.132.58.24:80/.svn/. No authentication required
--------------------------------------------------------
<<<Yasuo discovered following vulnerable applications>>>
--------------------------------------------------------
+-------------------------------+----------------------------------------------+----------+----------+
| URL to Application            | Potential Exploit                            | Username | Password |
+-------------------------------+----------------------------------------------+----------+----------+
| http://120.132.58.24:80/.svn/ | ./auxiliary/scanner/http/svn_wcdb_scanner.rb | None     | None     |
+-------------------------------+----------------------------------------------+----------+----------+
[root@localhost yasuo]#
```
However, it seems the author has not released the exploits themselves, so this must be a stripped-down version. Oh well, we can only wait for the author to publish them.
Overall the approach is good, and it would be close to perfect if the exploits were released. The input is just an IP: it first runs a port scan, then checks the web ports for known applications, then checks those applications for vulnerabilities, and can even brute-force logins. A very nice approach; a bit of a pity about the missing pieces, so I will keep an eye on this tool.
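Seen from the other side of the wire, a sweep like the one above leaves an obvious trace: one client requesting dozens of well-known application paths in a few seconds, almost all of them answered 404. The following Ruby script is an added example (not part of the original post or the Yasuo project) of a detection rule for that pattern: it parses web server access-log lines, counts how many distinct watched paths a client hits inside a sliding window, and separately records watched paths that answered 200, like the /.svn/ hit in the scan. The log lines, client addresses and the short path list are constructed for the example.

```ruby
require 'time'
# Watched paths, taken from the probe list Yasuo walked in the scan above
# (a real deployment would load the tool's full signature CSV instead).
PROBE_PATHS = %w[
  /jmx-console /manager/html /invoker/JMXInvokerServlet /jenkins/
  /phpmyadmin/ /_all_dbs /struts2-blank/example/HelloWorld.action /.svn/
].freeze

# Constructed access-log sample (Common Log Format). 203.0.113.5 stands in
# for a sweeping client; 198.51.100.7 is ordinary traffic (both RFC 5737).
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [20/Jun/2019:10:00:01 +0000] "GET /jmx-console HTTP/1.1" 404 209
  203.0.113.5 - - [20/Jun/2019:10:00:01 +0000] "GET /manager/html HTTP/1.1" 404 209
  198.51.100.7 - - [20/Jun/2019:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120
  203.0.113.5 - - [20/Jun/2019:10:00:02 +0000] "GET /invoker/JMXInvokerServlet HTTP/1.1" 404 209
  198.51.100.7 - - [20/Jun/2019:10:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209
  203.0.113.5 - - [20/Jun/2019:10:00:03 +0000] "GET /_all_dbs HTTP/1.1" 404 209
  203.0.113.5 - - [20/Jun/2019:10:00:04 +0000] "GET /.svn/ HTTP/1.1" 200 1432
  203.0.113.5 - - [20/Jun/2019:10:30:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209
LOG
LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "\S+ (?<path>\S+) [^"]*" (?<status>\d{3})/

# Parse one log line into a hash; returns nil for lines that do not match.
def parse_line(line)
  m = LINE_RE.match(line)
  return nil unless m
  { ip: m[:ip], time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    path: m[:path].split('?').first, status: m[:status].to_i }
end

# Alert on a client that requests at least `threshold` distinct watched paths
# within some `window` seconds; also list watched paths that answered 200.
def detect_enumeration(log, window: 60, threshold: 3)
  per_ip = Hash.new { |h, k| h[k] = [] }
  log.each_line.map { |l| parse_line(l) }.compact
     .select { |e| PROBE_PATHS.include?(e[:path]) }
     .each { |e| per_ip[e[:ip]] << e }
  alerts = {}
  per_ip.each do |ip, events|
    events.sort_by! { |e| e[:time] }
    # Largest number of distinct watched paths seen in any sliding window.
    hits = events.each_index.map do |i|
      t0 = events[i][:time]
      events[i..-1].take_while { |e| e[:time] - t0 <= window }.map { |e| e[:path] }.uniq.size
    end.max
    next if hits < threshold
    exposed = events.select { |e| e[:status] == 200 }.map { |e| e[:path] }.uniq
    alerts[ip] = { distinct_paths: hits, exposed: exposed }
  end
  alerts
end
```

On the sample, only 203.0.113.5 is reported (five distinct watched paths within a minute, with /.svn/ marked as exposed); the single /phpmyadmin/ request from 198.51.100.7 stays below the threshold.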
Original article: http://www.codefrom.com/paper/%E4%B8%80%E4%B8%AA%E6%80%9D%E8%B7%AF%E5%...