目录导航
secator简介
secator
是一款用于安全评估的任务和工作流运行器。它支持数十种知名的安全工具,旨在提高渗透测试人员和安全研究人员的工作效率。
演示
https://github.com/freelabz/secator/raw/main/images/demo.gif
特色
- 精选命令列表
- 统一输入选项
- 统一输出架构
- CLI 和库的使用
- Celery 的分布式选项
- 从简单任务到复杂工作流程的复杂性
- 可定制
支持的工具
secator
集成了以下工具:
名称 | 描述 | 类别 |
---|---|---|
httpx | 快速 HTTP 探测器。 | http |
cariddi | 快速爬虫和端点秘密/API 密钥/令牌匹配器。 | http/crawler |
gau | 离线 URL 爬虫(Alien Vault、The Wayback Machine、Common Crawl、URLScan)。 | http/crawler |
gospider | 用 Go 编写的快速网络蜘蛛。 | http/crawler |
katana | 下一代爬行和蜘蛛框架。 | http/crawler |
dirsearch | Web 路径发现。 | http/fuzzer |
feroxbuster | 用 Rust 编写的简单、快速、递归内容发现工具。 | http/fuzzer |
ffuf | 用 Go 编写的快速 Web 模糊测试器。 | http/fuzzer |
h8mail | 电子邮件 OSINT 和违规搜寻工具。 | osint |
dnsx | 专为运行 DNS 查询而设计的快速、多用途 DNS 工具包。 | recon/dns |
dnsxbrute | 专为运行 DNS 查询(暴力破解模式)而设计的快速多用途 DNS 工具包。 | recon/dns |
subfinder | 快速子域名查找器。 | recon/dns |
fping | 在本地网络上查找活跃的主机。 | recon/ip |
mapcidr | 将 CIDR 范围扩展为 IP。 | recon/ip |
naabu | 快速端口发现工具。 | recon/port |
maigret | 在许多网站上搜寻用户帐户。 | recon/user |
gf | grep 的包装器以避免输入常见模式。 | tagger |
grype | 用于容器镜像和文件系统的漏洞扫描程序。 | vuln/code |
dalfox | 强大的XSS扫描工具和参数分析器。 | vuln/http |
msfconsole | CLI 用于访问和使用 Metasploit 框架。 | vuln/http |
wpscan | WordPress 安全扫描程序 | vuln/multi |
nmap | 使用 NSE 脚本的漏洞扫描程序。 | vuln/multi |
nuclei | 基于简单 YAML DSL 的快速且可定制的漏洞扫描程序。 | vuln/multi |
searchsploit | 漏洞利用搜索器。 | exploit/search |
您可以随时通过打开问题来请求添加新工具,但在这样做之前,请检查该工具是否符合我们的选择标准。如果不符合但您仍想将其集成到secator
,则可以将其插入(请参阅开发指南)。
安装
安装secator
pipx install secator
pip
pip install secator
bash
wget -O - https://raw.githubusercontent.com/freelabz/secator/main/scripts/install.sh | sh
Docker
docker run -it --rm --net=host -v ~/.secator:/root/.secator freelabz/secator --help
卷挂载 -v 是将所有 secator 报告保存到主机所必需的,并且建议使用 –net=host 授予对主机网络的完全访问权限。
您可以为此命令添加别名,以便更轻松地运行它:
alias secator="docker run -it --rm --net=host -v ~/.secator:/root/.secator freelabz/secator"
现在你可以运行 secator,就像它安装在裸机上一样:
secator --help
Docker Compose
git clone https://github.com/freelabz/secator cd secator docker-compose up -d docker-compose exec secator-client secator --help
注意:如果您选择了 Bash、Docker 或 Docker Compose 安装方法,则可以跳过下一部分并直接转到使用方法。
安装语言
secator
使用外部语言,因此您可能需要安装这些工具使用的语言(假设它们尚未安装在您的系统上)。
如果您不从外部管理所需的语言,我们会提供实用程序来安装它们:
go
secator install langs go
Ruby
secator install langs ruby
安装工具
secator
默认情况下不安装它支持的任何外部工具。
我们提供实用程序来安装或更新每个支持的工具,这些工具应适用于支持以下所有系统的系统apt
:
所有工具
secator install tools
特殊工具
secator install tools <TOOL_NAME>
例如,要安装httpx
,请使用:
secator install tools httpx
在运行 secator 之前,请确保您使用的是每个工具的最新可用版本,否则您可能会遇到解析/格式化问题。
安装插件
secator
安装有最少量的依赖项。
有多种可用的插件secator
:
worker
添加对 Celery 工作者的支持(请参阅使用 Celery 进行分布式运行)。
secator install addons worker
添加对 Google Drive 导出器的支持(-o gdrive
)。
secator install addons google
mongodb
添加对 MongoDB 驱动程序的支持(-driver mongodb
)。
secator install addons mongodb
redis
添加对 Redis 后端(Celery)的支持。
secator install addons redis
dev
添加运行测试所需的开发工具coverage
等。flake8
secator install addons dev
trace
添加跟踪功能所需的跟踪工具,如memray
和pyinstrument
。
secator install addons trace
build
添加hatch
用于构建和发布 PyPI 包。
secator install addons build
安装 CVEs
secator
对https://cve.circl.lu/进行远程 API 调用,以获取有关其遇到的 CVE 的详细信息。我们提供了一个子命令来将所有已知的 CVE 下载到本地,以便将来从磁盘进行查找:
secator install cves
检查安装健康状况
要确定您的系统上安装了哪些语言或工具(及其版本):
secator health

用法
secator --help

使用示例
运行模糊测试任务(ffuf
):
secator x ffuf http://testphp.vulnweb.com/FUZZ
运行 URL 爬取工作流程:
secator w url_crawl http://testphp.vulnweb.com
运行主机扫描:
secator s host mydomain.com
以及更多…列出您可以使用的所有任务/工作流程/扫描:
secator x --help secator w --help secator s --help
使用方法
本快速入门将重点介绍如何使用secator
查找http://testphp.vulnweb.com网站上的漏洞。
我们将从使用简单的secator
任务开始,然后展示如何使用工作流来显著加快会话速度。
使用任务
我们首先使用爬虫来查找一些可能对漏洞利用有用的 URL。我们最常用的katana
是 ProjectDiscovery 的工具。
我们将结果保存到.txt
文件中:
secator x katana http://testphp.vulnweb.com -o txt
__
________ _________ _/ /_____ _____
/ ___/ _ \/ ___/ __ `/ __/ __ \/ ___/
(__ / __/ /__/ /_/ / /_/ /_/ / /
/____/\___/\___/\__,_/\__/\____/_/ v0.0.1
freelabz.com
[13:34:53] katana -silent -jc -js-crawl -known-files all -u http://testphp.vulnweb.com -json -concurrency 50 _base.py:614
🔗 http://testphp.vulnweb.com [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu, DreamWeaver]
🔗 http://testphp.vulnweb.com/high [404] [Nginx:1.19.0]
🔗 http://testphp.vulnweb.com/index.php
🔗 http://testphp.vulnweb.com/style.css [200] [Nginx:1.19.0]
🔗 http://testphp.vulnweb.com/privacy.php [404] [PHP:5.6.40, Ubuntu, Nginx:1.19.0]
🔗 http://testphp.vulnweb.com/AJAX/index.php [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/categories.php [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu, DreamWeaver]
🔗 http://testphp.vulnweb.com/cart.php [200] [PHP:5.6.40, Ubuntu, DreamWeaver, Nginx:1.19.0]
🔗 http://testphp.vulnweb.com/artists.php [200] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/Mod_Rewrite_Shop/ [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/hpp/ [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/disclaimer.php [200] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/login.php [200] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/Templates/main_dynamic_template.dwt.php [200] [Ubuntu, Nginx:1.19.0, PHP:5.6.40]
🔗 http://testphp.vulnweb.com/guestbook.php [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu, DreamWeaver]
🔗 http://testphp.vulnweb.com/userinfo.php
🔗 http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/color-printer/3/ [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/comment.php?aid=3 [200] [Ubuntu, Nginx:1.19.0, PHP:5.6.40]
🔗 http://testphp.vulnweb.com/search.php?test=query [200] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/network-attached-storage-dlink/1/ [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/web-camera-a4tech/2/ [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/Templates/high
🔗 http://testphp.vulnweb.com/comment.php?aid=2
🔗 http://testphp.vulnweb.com/artists.php?artist=1 [200] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/hpp/?pp=12 [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/signup.php [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu, DreamWeaver]
🔗 http://testphp.vulnweb.com/comment.php?aid=1
🔗 http://testphp.vulnweb.com/AJAX/showxml.php [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/AJAX/styles.css [200] [Nginx:1.19.0]
🔗 http://testphp.vulnweb.com/artists.php?artist=3 [200] [PHP:5.6.40, Ubuntu, DreamWeaver, Nginx:1.19.0]
🔗 http://testphp.vulnweb.com/listproducts.php?cat=3 [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu, DreamWeaver]
🔗 http://testphp.vulnweb.com/listproducts.php?cat=2 [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu, DreamWeaver]
🔗 http://testphp.vulnweb.com/showimage.php?file= [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu]
🔗 http://testphp.vulnweb.com/artists.php?artist=2 [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu, DreamWeaver]
🔗 http://testphp.vulnweb.com/listproducts.php?cat=4
🔗 http://testphp.vulnweb.com/listproducts.php?cat=1 [200] [Nginx:1.19.0, PHP:5.6.40, Ubuntu, DreamWeaver]
🗄 Saved TXT reports to
• /home/vagrant/.secator/reports/default/tasks/task_katana_target_2023_07_04-01_33_13_152782_PM.txt
• /home/vagrant/.secator/reports/default/tasks/task_katana_url_2023_07_04-01_33_13_152782_PM.txt
katana
发现了一些非常有趣的结果,包括一些可能存在漏洞的 PHP 文件。步骤 2:将httpx
找到的 URL 运行到活动 URL
爬虫通常从 HTML 响应主体中查找 URL,这意味着我们不知道这些 URL 是否真正响应 HTTP 请求。
为了仅过滤出提供有效 HTTP 状态代码的 URL,我们可以httpx
在之前的结果(txt 文件)上使用。我们将添加一些速率限制(-rl
),以尊重服务器,而不是无缘无故地对其进行 DDoS 攻击。
我们只想保留一些 HTTP 代码(-mc
),例如200
,,301
并且500
在出现错误时我们可以利用:
secator x httpx /home/vagrant/.secator/reports/default/tasks/task_katana_target_2023_07_04-01_33_13_152782_PM.txt -rl 10 -mc 200,301,500
__
________ _________ _/ /_____ _____
/ ___/ _ \/ ___/ __ `/ __/ __ \/ ___/
(__ / __/ /__/ /_/ / /_/ /_/ / /
/____/\___/\___/\__,_/\__/\____/_/ v0.0.1
freelabz.com
[13:19:35] httpx -silent -td -asn -cdn -l /tmp/httpx_2023_07_04-01_19_35_686343_PM.txt -json -threads 50 -match-code 200,301,500 _base.py:614
🔗 http://testphp.vulnweb.com/showimage.php?file [200] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [image/jpeg] [196]
🔗 http://testphp.vulnweb.com/hpp [200] [HTTP Parameter Pollution Example] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [203]
🔗 http://testphp.vulnweb.com/cart.php [200] [you cart] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [4903]
🔗 http://testphp.vulnweb.com/categories.php [200] [picture categories] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [6115]
🔗 http://testphp.vulnweb.com/artists.php?artist=3 [200] [artists] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [6193]
🔗 http://testphp.vulnweb.com/comment.php?aid=3 [200] [comment on artist] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [1252]
🔗 http://testphp.vulnweb.com/comment.php?aid=2 [200] [comment on artist] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [1252]
🔗 http://testphp.vulnweb.com/AJAX/showxml.php [200] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [11]
🔗 http://testphp.vulnweb.com/style.css [200] [nginx/1.19.0] [Nginx:1.19.0] [text/css] [5482]
🔗 http://testphp.vulnweb.com/artists.php?artist=1 [200] [artists] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [6251]
🔗 http://testphp.vulnweb.com/Templates/main_dynamic_template.dwt.php [200] [Document titleg] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [4697]
🔗 http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/color-printer/3 [200] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [313]
🔗 http://testphp.vulnweb.com/AJAX/styles.css [200] [nginx/1.19.0] [Nginx:1.19.0] [text/css] [562]
🔗 http://testphp.vulnweb.com/hpp/?pp=12 [200] [HTTP Parameter Pollution Example] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [383]
🔗 http://testphp.vulnweb.com/login.php [200] [login page] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [5523]
🔗 http://testphp.vulnweb.com/guestbook.php [200] [guestbook] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [5390]
🔗 http://testphp.vulnweb.com/signup.php [200] [signup] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [6033]
🔗 http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/network-attached-storage-dlink/1 [200] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [319]
🔗 http://testphp.vulnweb.com/search.php?test=query [200] [search] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [4732]
🔗 http://testphp.vulnweb.com/listproducts.php?cat=3 [200] [pictures] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [4699]
🔗 http://testphp.vulnweb.com/AJAX/index.php [200] [ajax test] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [4236]
🔗 http://testphp.vulnweb.com/disclaimer.php [200] [disclaimer] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [5524]
🔗 http://testphp.vulnweb.com/artists.php?artist=2 [200] [artists] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [6193]
🔗 http://testphp.vulnweb.com/listproducts.php?cat=4 [200] [pictures] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [4699]
🔗 http://testphp.vulnweb.com/artists.php [200] [artists] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [5328]
🔗 http://testphp.vulnweb.com/listproducts.php?cat=2 [200] [pictures] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [5311]
🔗 http://testphp.vulnweb.com/Mod_Rewrite_Shop [200] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [975]
🔗 http://testphp.vulnweb.com/listproducts.php?cat=1 [200] [pictures] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [7880]
🔗 http://testphp.vulnweb.com/comment.php?aid=1 [200] [comment on artist] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [1252]
🔗 http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/web-camera-a4tech/2 [200] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [279]
🔗 http://testphp.vulnweb.com [200] [Home of Acunetix Art] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [4958]
🔗 http://testphp.vulnweb.com/index.php [200] [Home of Acunetix Art] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [4958]
🗄 Saved TXT reports to
• /home/vagrant/.secator/reports/default/tasks/task_httpx_target_2023_07_04-01_34_22_081275_PM.txt
• /home/vagrant/.secator/reports/default/tasks/task_httpx_url_2023_07_04-01_34_22_081275_PM.txt
gf
允许在 URL 上运行模式,我们可以使用它来快速检测潜在的有趣 URL,包括 XSS、LFI、SSRF、RCE、有趣的参数或不安全的直接对象引用。让我们寻找潜在的 XSS:
secator x gf --pattern xss /home/vagrant/.secator/reports/default/tasks/task_httpx_target_2023_07_04-01_34_22_081275_PM.tx
🏷️ [xss] http://testphp.vulnweb.com/comment.php?aid=1 []
🏷️ [xss] http://testphp.vulnweb.com/comment.php?aid=2 []
🏷️ [xss] http://testphp.vulnweb.com/comment.php?aid=3 []
🏷️ [xss] http://testphp.vulnweb.com/hpp/?pp=12 []
嗯,看来我们这里可能有一些有趣的 XSS 目标。让我们来dalfox
找出答案吧!步骤 4:dalfox
在潜在的 XSS 链接上运行
dalfox
是一个非常全面的 XSS 检查器,让我们在已识别的目标上运行它:
secator x dalfox http://testphp.vulnweb.com/hpp/?pp=12
__
________ _________ _/ /_____ _____
/ ___/ _ \/ ___/ __ `/ __/ __ \/ ___/
(__ / __/ /__/ /_/ / /_/ /_/ / /
/____/\___/\___/\__,_/\__/\____/_/ v0.0.1
freelabz.com
[13:41:28] dalfox --silence url 'http://testphp.vulnweb.com/hpp/?pp=12' --format json --worker 50 _base.py:614
🚨 [Verified XSS] [high] http://testphp.vulnweb.com/hpp/ [CWE-83] [inject_type:inATTR-double(3)-URL, poc_type:plain, method:GET,
data:http://testphp.vulnweb.com/hpp/?pp=12%22id%3Dx+tabindex%3D1+style%3D%22display%3Ablock%3Btransition%3Aoutline+1s%3B%22+ontransitionend%3Dalert.apply%28null%2C1%29+class%3Ddalfox+, param:pp, payload:"id=x tabindex=1
style="display:block;transition:outline 1s;" ontransitionend=alert.apply(null,1) class=dalfox , evidence:4 line: ms.php?p=valid&pp=12"id=x tabindex=1 style="display:block;transition:outline 1s;, message_id:1103, message_str:Triggered XSS Payload
(found DOM Object): pp="id=x tabindex=1 style="display:block;transition:outline 1s;" ontransitionend=alert.apply(null,1) class=dalfox ]
我们发现了已验证的 XSS!
我们可以在浏览器中验证这个 XSS,但这dalfox
已经给我们提供了它有效的证据……
使用任务管道
secator
支持开箱即用的 UNIX 管道。您可以编写一个secator
管道来自动执行前面 4 个步骤:
secator x katana http://testphp.vulnweb.com | secator x httpx | secator x gf --pattern lfi -fmt '{match}' | secator x dalfox
您不需要指定任何额外的标志,除了正常运行时,因为它secator
会检测到您正在运行 UNIX 管道并在任务调用之间自动传递正确的输入:
- 默认情况下,它将传递上一个
stdin
任务的原始字符串结果。如果任务可以输出多个输出类型output_types
,则选择类定义属性中的第一个。 - 我们可以使用选项指定在传递原始字符串时要使用的字段
-fmt
。在上一个命令中,该-fmt '{match}'
选项将告诉 secator 仅将我们找到的对象match
的字段作为字符串输入传递给。Tag
gf
dalfox
[13:50:29] katana -silent -jc -js-crawl -known-files all -u http://testphp.vulnweb.com -json -concurrency 50 _base.py:614
[13:50:43] httpx -silent -td -asn -cdn -l /tmp/httpx_2023_07_04-01_50_43_044323_PM.txt -json -threads 50 _base.py:614
[13:50:49] cat /tmp/gf_2023_07_04-01_50_49_787397_PM.txt | gf xss _base.py:614
[13:50:49] dalfox --silence file /tmp/dalfox_2023_07_04-01_50_49_855768_PM.txt --format json --worker 50 _base.py:614
🚨 [Verified XSS] [high] http://testphp.vulnweb.com/hpp/ [CWE-83] [inject_type:inATTR-double(3)-URL, poc_type:plain, method:GET,
data:http://testphp.vulnweb.com/hpp/?pp=12%22%26%2339%3B%3E%3Caudio+controls+ondurationchange%3Dprompt%281%29+id%3Ddalfox%3E%3Csource+src%3D1.mp3+type%3Daudio%2Fmpeg%3E%3C%2Faudio%3E, param:pp, payload:"'><audio controls
ondurationchange=prompt(1) id=dalfox><source src=1.mp3 type=audio/mpeg></audio>, evidence:4 line: ms.php?p=valid&pp=12"'><audio controls ondurationchange=prompt(1) id=dalfox>, message_id:1862, message_str:Triggered XSS Payload (found DOM
Object): pp="'><audio controls ondurationchange=prompt(1) id=dalfox><source src=1.mp3 type=audio/mpeg></audio>]
与之前的冗长任务相比,这已经是很好的时间改进了。
使用工作流
任务管道适合快速查找事物,但工作流程更适合在不同的目标集上重复同一组任务,所有任务使用相同的输入选项,同时过滤最终结果并对实时结果做出反应等……
以下是secator
与上一组任务相对应的工作流程:xss_finder.yaml
type: workflow
name: xss_finder
description: XSS Finder
tasks:
katana:
description: Crawling root URL
httpx:
description: Finding alive URLs
targets_:
- type: url
field: url
condition: item.status_code == 0
gf:
description: Identifying XSS
targets_:
- url.url
dalfox:
description: Verifying XSS
targets_:
- type: tag
field: match
condition: item.name == 'xss'
以下是使用以下方式运行的工作流程secator
:
secator w xss_finder.yaml http://testphp.vulnweb.com
命令输出
__
________ _________ _/ /_____ _____
/ ___/ _ \/ ___/ __ `/ __/ __ \/ ___/
(__ / __/ /__/ /_/ / /_/ /_/ / /
/____/\___/\___/\__,_/\__/\____/_/ v0.0.1
freelabz.com
╭────── Workflow xss_finder ──────╮
│ 📜 Description: XSS Finder │
│ 👷 Workspace: default │
│ 🍐 Targets: │
│ • http://testphp.vulnweb.com │
│ 📌 Options: │
│ • threads: 50 │
│ • headless: False │
│ • system_chrome: False │
│ • follow_redirect: False │
│ • debug_resp: False │
│ ✉ Exporters: │
│ • json │
│ • csv │
╰─────────────────────────────────╯
[14:03:31] 🎉 Workflow xss_finder starting... _base.py:614
🔧 Crawling root URL ...
[14:03:32] katana -silent -jc -js-crawl -known-files all -u http://testphp.vulnweb.com -json -concurrency 50 _base.py:614
🔗 http://testphp.vulnweb.com [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40, DreamWeaver]
🔗 http://testphp.vulnweb.com/high [404] [Nginx:1.19.0]
🔗 http://testphp.vulnweb.com/Mod_Rewrite_Shop/ [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40]
🔗 http://testphp.vulnweb.com/index.php
🔗 http://testphp.vulnweb.com/style.css [200] [Nginx:1.19.0]
🔗 http://testphp.vulnweb.com/guestbook.php [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40, DreamWeaver]
🔗 http://testphp.vulnweb.com/Templates/main_dynamic_template.dwt.php [200] [PHP:5.6.40, Nginx:1.19.0, Ubuntu]
🔗 http://testphp.vulnweb.com/AJAX/index.php [200] [PHP:5.6.40, Nginx:1.19.0, Ubuntu]
🔗 http://testphp.vulnweb.com/login.php [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40, DreamWeaver]
🔗 http://testphp.vulnweb.com/cart.php [200] [PHP:5.6.40, Nginx:1.19.0, Ubuntu, DreamWeaver]
🔗 http://testphp.vulnweb.com/privacy.php [404] [Nginx:1.19.0, Ubuntu, PHP:5.6.40]
🔗 http://testphp.vulnweb.com/hpp/ [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40]
🔗 http://testphp.vulnweb.com/categories.php [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40, DreamWeaver]
🔗 http://testphp.vulnweb.com/artists.php [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40, DreamWeaver]
🔗 http://testphp.vulnweb.com/disclaimer.php [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40, DreamWeaver]
🔗 http://testphp.vulnweb.com/userinfo.php
🔗 http://testphp.vulnweb.com/listproducts.php?cat=3
🔗 http://testphp.vulnweb.com/comment.php?aid=1 [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40]
🔗 http://testphp.vulnweb.com/listproducts.php?cat=4 [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40, DreamWeaver]
🔗 http://testphp.vulnweb.com/comment.php?aid=3
🔗 http://testphp.vulnweb.com/artists.php?artist=2 [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40, DreamWeaver]
🔗 http://testphp.vulnweb.com/comment.php?aid=2
🔗 http://testphp.vulnweb.com/signup.php [200] [PHP:5.6.40, DreamWeaver, Nginx:1.19.0, Ubuntu]
🔗 http://testphp.vulnweb.com/artists.php?artist=3 [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40, DreamWeaver]
🔗 http://testphp.vulnweb.com/artists.php?artist=1 [200] [Ubuntu, PHP:5.6.40, DreamWeaver, Nginx:1.19.0]
🔗 http://testphp.vulnweb.com/listproducts.php?cat=1 [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40, DreamWeaver]
🔗 http://testphp.vulnweb.com/AJAX/showxml.php [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40]
🔗 http://testphp.vulnweb.com/showimage.php?file= [200] [Nginx:1.19.0, Ubuntu, PHP:5.6.40]
🔗 http://testphp.vulnweb.com/hpp/?pp=12 [200] [Ubuntu, PHP:5.6.40, Nginx:1.19.0]
🔗 http://testphp.vulnweb.com/AJAX/styles.css [200] [Nginx:1.19.0]
🔗 http://testphp.vulnweb.com/Templates/high
🔗 http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/network-attached-storage-dlink/1/ [200] [PHP:5.6.40, Nginx:1.19.0, Ubuntu]
🔗 http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/web-camera-a4tech/2/ [200] [PHP:5.6.40, Nginx:1.19.0, Ubuntu]
🔗 http://testphp.vulnweb.com/listproducts.php?cat=2 [200] [PHP:5.6.40, Nginx:1.19.0, Ubuntu, DreamWeaver]
🔗 http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/color-printer/3/ [200] [PHP:5.6.40, Nginx:1.19.0, Ubuntu]
🔗 http://testphp.vulnweb.com/search.php?test=query [200] [Nginx:1.19.0, Ubuntu, DreamWeaver, PHP:5.6.40]
🔧 Finding alive URLs ...
[14:03:45] httpx -silent -td -asn -cdn -l /tmp/httpx_2023_07_04-02_03_45_807367_PM.txt -json -threads 50 _base.py:614
🔗 http://testphp.vulnweb.com/Templates/high [404] [404 Not Found] [nginx/1.19.0] [Nginx:1.19.0] [text/html] [153]
🔗 http://testphp.vulnweb.com/index.php [200] [Home of Acunetix Art] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [4958]
🔗 http://testphp.vulnweb.com/comment.php?aid=2 [200] [comment on artist] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [1252]
🔗 http://testphp.vulnweb.com/userinfo.php [302] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [14]
🔗 http://testphp.vulnweb.com/comment.php?aid=3 [200] [comment on artist] [nginx/1.19.0] [Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [1252]
🔗 http://testphp.vulnweb.com/listproducts.php?cat=3 [200] [pictures] [nginx/1.19.0] [DreamWeaver, Nginx:1.19.0, PHP:5.6.40, Ubuntu] [text/html] [4699]
🔧 Identifying XSS ...
[14:03:52] cat /tmp/gf_2023_07_04-02_03_52_398624_PM.txt | gf xss _base.py:614
🏷️ [xss] http://testphp.vulnweb.com/comment.php?aid=1 []
🏷️ [xss] http://testphp.vulnweb.com/comment.php?aid=2 []
🏷️ [xss] http://testphp.vulnweb.com/comment.php?aid=3 []
🏷️ [xss] http://testphp.vulnweb.com/hpp/?pp=12 []
🔧 Verifying XSS ...
[14:03:54] dalfox --silence file /tmp/dalfox_2023_07_04-02_03_52_411553_PM.txt --format json --worker 50 _base.py:614
🚨 [Verified XSS] [high] http://testphp.vulnweb.com/hpp/ [CWE-83] [inject_type:inATTR-double(3)-URL, poc_type:plain, method:GET,
data:http://testphp.vulnweb.com/hpp/?pp=12%22onmouseenter%3Dprompt.call%28null%2C1%29+class%3Ddalfox+, param:pp, payload:"onmouseenter=prompt.call(null,1) class=dalfox , evidence:4 line: ms.php?p=valid&pp=12"onmouseenter=prompt.call(null,1)
class=dalfox ">link2</a><b, message_id:1540, message_str:Triggered XSS Payload (found DOM Object): pp="onmouseenter=prompt.call(null,1) class=dalfox ]
[14:04:20] 🎉 Workflow xss_finder succeeded in 48 seconds. _base.py:614
🗄 Saved JSON report to /home/vagrant/.secator/reports/default/workflows/workflow_xss_finder_2023_07_04-02_04_20_160856_PM.json
🗄 Saved CSV reports to
• /home/vagrant/.secator/reports/default/workflows/workflow_xss_finder_target_2023_07_04-02_04_20_160856_PM.csv
• /home/vagrant/.secator/reports/default/workflows/workflow_xss_finder_url_2023_07_04-02_04_20_160856_PM.csv
• /home/vagrant/.secator/reports/default/workflows/workflow_xss_finder_tag_2023_07_04-02_04_20_160856_PM.csv
• /home/vagrant/.secator/reports/default/workflows/workflow_xss_finder_vulnerability_2023_07_04-02_04_20_160856_PM.csv
了解更多
要深入了解secator
,请查看:
项目地址
GitHub:
https://github.com/freelabz/secator
转载请注明出处及链接