
How to Detect Vulnerabilities in a Web Application Using Uniscan «Null Byte :: WonderHowTo



Scanning the Target

Uniscan offers several options for a scan. Just open a terminal and type uniscan at the prompt. This prints the version information, the available options, and some usage examples.

  uniscan

#####################################
# Uniscan Project                   #
# http://uniscan.sourceforge.net/   #
#####################################
V. 6.3

OPTIONS:
-h  help
-u  <url> Example: https://www.example.com/
-f  <file> List of URLs
-b  Uniscan goes into the background
-q  Enable directory checks
-w  Enable file checks
-e  Enable robots.txt and sitemap.xml checks
-d  Enable dynamic checks
-s  Enable static checks
-r  Enable stress checks
-i  <dork> Bing search
-o  <dork> Google search
-g  Web fingerprint
-j  Server fingerprint

Usage:
[1] perl ./uniscan.pl -u http://www.example.com/ -qweds
[2] perl ./uniscan.pl -f sites.txt -bqweds
[3] perl ./uniscan.pl -i uniscan
[4] perl ./uniscan.pl -i "ip:xxx.xxx.xxx.xxx"
[5] perl ./uniscan.pl -o "inurl:test"
[6] perl ./uniscan.pl -u https://www.example.com/ -r

The easiest way to use this tool is to give it a URL to scan with the -u flag, followed by the domain of interest (see below). A short summary with server and IP address information is returned.

  uniscan -u http://172.16.1.102

#####################################
# Uniscan Project                   #
# http://uniscan.sourceforge.net/   #
#####################################
V. 6.3

Scan date: 29-1-2019 14:52:26
====================================================================================================
| Domain: http://172.16.1.102/
| Server: Apache/2.2.8 (Ubuntu) DAV/2
| IP: 172.16.1.102
====================================================================================================
====================================================================================================
End of scan: 29-1-2019 14:52:26

HTML report saved in: report/172.16.1.102.html

We can also fingerprint the server in more detail with the -j option; just add it to the end of the command. This performs a ping test and a traceroute to determine the state of network connectivity, followed by an nslookup (name server lookup) to retrieve all available DNS records. This option also starts an Nmap scan to discover open ports and services. Be mindful of the target, as some defenses consider this aggressive.

  uniscan -u http://172.16.1.102 -j

#####################################
# Uniscan Project                   #
# http://uniscan.sourceforge.net/   #
#####################################
V. 6.3

Scan date: 29-1-2019 14:53:23
====================================================================================================
| Domain: http://172.16.1.102/
| Server: Apache/2.2.8 (Ubuntu) DAV/2
| IP: 172.16.1.102
====================================================================================================
====================================================================================================
| PING
|
| PING 172.16.1.102 (172.16.1.102) 56(84) bytes of data.
| 64 bytes from 172.16.1.102: icmp_seq=1 ttl=64 time=0.937 ms
| 64 bytes from 172.16.1.102: icmp_seq=2 ttl=64 time=1.77 ms
| 64 bytes from 172.16.1.102: icmp_seq=3 ttl=64 time=1.16 ms
| 64 bytes from 172.16.1.102: icmp_seq=4 ttl=64 time=1.18 ms
|
| --- 172.16.1.102 ping statistics ---
| 4 packets transmitted, 4 received, 0% packet loss, time 8 ms
| rtt min/avg/max/mdev = 0.937/1.261/1.767/0.309 ms
====================================================================================================
| TRACEROUTE
|
| traceroute to 172.16.1.102 (172.16.1.102), 30 hops max, 60 byte packets
| 1 172.16.1.102 (172.16.1.102) 1.314 ms 1.554 ms 1.782 ms

... 

Uniscan also offers web service fingerprinting with the -g option. It looks for interesting HTTP methods, error information, and HTML strings, as well as other small tidbits that could be helpful in the investigation. Below we can see that, against Metasploitable, some 404 error pages and the login welcome text were found.

  uniscan -u http://172.16.1.102 -g

#####################################
# Uniscan Project                   #
# http://uniscan.sourceforge.net/   #
#####################################
V. 6.3

Scan date: 29-1-2019 14:54:43
====================================================================================================
| Domain: http://172.16.1.102/
| Server: Apache/2.2.8 (Ubuntu) DAV/2
| IP: 172.16.1.102
====================================================================================================
====================================================================================================
| Search for Drupal plugins/modules
|
| GET, HEAD, POST, OPTIONS, TRACE
====================================================================================================
====================================================================================================
| WEB SERVICES
|
====================================================================================================
| FAVICON.ICO
|
====================================================================================================
| ERROR INFORMATION
|
| 404 Not Found Not Found The requested URL /lKBpm<^reGdK(QpcajL+ was not found on this server. Apache/2.2.8 (Ubuntu) DAV/2 Server at 172.16.1.102 Port 80
| 404 Not Found Not Found The requested URL /7)DGG`[0wNqh""2Q1,LY was not found on this server. Apache/2.2.8 (Ubuntu) DAV/2 Server at 172.16.1.102 Port 80
====================================================================================================
| TYPE ERROR
|
====================================================================================================
| SERVER MOBILE
|
====================================================================================================
| LANGUAGE
|
====================================================================================================
| INTERESTING STRINGS IN HTML
|
| Warning: Never expose this VM to an untrusted network! Contact: msfdev[at]metasploit.com Login with msfadmin/msfadmin to get started
| a href="http://null-byte.wonderhowto.com/phpMyAdmin/">phpMyAdmin
====================================================================================================
| WHOIS
|
getaddrinfo(whois.arin.net): Name or service not known
====================================================================================================
| BANNER GRABBING:
====================================================================================================
====================================================================================================

We can search for directories on the target by setting the -q flag. In my example, it has discovered some directories that may be of interest, including documentation and PHP configuration information.

  uniscan -u http://172.16.1.102 -q

#####################################
# Uniscan Project                   #
# http://uniscan.sourceforge.net/   #
#####################################
V. 6.3

Scan date: 29-1-2019 14:56:28
====================================================================================================
| Domain: http://172.16.1.102/
| Server: Apache/2.2.8 (Ubuntu) DAV/2
| IP: 172.16.1.102
====================================================================================================
|
| Directory test:
| [+] CODE: 200 URL: http://172.16.1.102/doc/
| [+] CODE: 200 URL: http://172.16.1.102/icons/
| [+] CODE: 200 URL: http://172.16.1.102/index/
| [+] CODE: 200 URL: http://172.16.1.102/phpinfo/
| [+] CODE: 200 URL: http://172.16.1.102/payload/
====================================================================================================
====================================================================================================

We can also enable file checks with the -w flag. Below we see that some files were found that could provide valuable information.

  uniscan -u http://172.16.1.102 -w

#####################################
# Uniscan Project                   #
# http://uniscan.sourceforge.net/   #
#####################################
V. 6.3

Scan date: 29-1-2019 14:57:46
====================================================================================================
| Domain: http://172.16.1.102/
| Server: Apache/2.2.8 (Ubuntu) DAV/2
| IP: 172.16.1.102
====================================================================================================
|
| File Checker:
| [+] CODE: 200 URL: http://172.16.1.102/test
| [+] CODE: 200 URL: http://172.16.1.102/index.php
| [+] CODE: 200 URL: http://172.16.1.102/phpinfo.php
====================================================================================================
====================================================================================================

Uniscan can automatically check a website for a robots.txt file and a sitemap with the -e option. In my example, these files do not seem to exist on the target, but the option is still useful when scanning other sites.

  uniscan -u http://172.16.1.102 -e

#####################################
# Uniscan Project                   #
# http://uniscan.sourceforge.net/   #
#####################################
V. 6.3

Scan date: 29-1-2019 14:58:36
====================================================================================================
| Domain: http://172.16.1.102/
| Server: Apache/2.2.8 (Ubuntu) DAV/2
| IP: 172.16.1.102
====================================================================================================
|
| Check robots.txt:
|
| Check sitemap.xml:
====================================================================================================
====================================================================================================

Uniscan loads a number of plugins to perform dynamic checks of the target, including email identification, backdoor detection, and detection of SQL and other types of injection points. Set the -d flag. Execution can take some time and does not always work correctly, so use it at your own discretion.

  uniscan -u http://172.16.1.102 -d

#####################################
# Uniscan Project                   #
# http://uniscan.sourceforge.net/   #
#####################################
V. 6.3

Scan date: 29-1-2019 14:59:13
====================================================================================================
| Domain: http://172.16.1.102/
| Server: Apache/2.2.8 (Ubuntu) DAV/2
| IP: 172.16.1.102
====================================================================================================
|
| Crawler started:
| Plugin Name: Web Backdoor Disclosure v.1.1 Loaded.
| Plugin Name: Upload Form Detect v.1.1 Loaded.
| Plugin Name: phpinfo() Disclosure v.1 Loaded.
| Plugin Name: External Host Detect v.1.2 Loaded.
| Plugin Name: FCKeditor Upload Test v.1 Loaded.
| Plugin Name: Email Detection v.1.1 Loaded.
| Plugin Name: Code Disclosure v.1.1 Loaded.
| Plugin Name: Timthumb <= 1.32 Vulnerability v.1 Loaded.
| [*] Crawling: [28 - 134]

... 
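
Uniscan prints each hit from the -q and -w checks as a "[+] CODE: <status> URL: <url>" line. The following Python script, added here as an example (it is not part of Uniscan or of this article), parses those lines into a triage list and flags the paths that usually deserve a look first, so a long report can be reviewed in order of interest. The sample output is constructed from the paths the scans above reported, and the flag labels are this example's own categories, not anything Uniscan reports.

```python
import re
from urllib.parse import urlparse

# Constructed sample of Uniscan -q / -w output (the "| " is Uniscan's table
# border); the paths are the ones the scans in the article reported.
SAMPLE_OUTPUT = """\
| Directory test:
| [+] CODE: 200 URL: http://172.16.1.102/doc/
| [+] CODE: 200 URL: http://172.16.1.102/icons/
| [+] CODE: 200 URL: http://172.16.1.102/index/
| [+] CODE: 200 URL: http://172.16.1.102/phpinfo/
| [+] CODE: 200 URL: http://172.16.1.102/payload/
| File Checker:
| [+] CODE: 200 URL: http://172.16.1.102/test
| [+] CODE: 200 URL: http://172.16.1.102/index.php
| [+] CODE: 200 URL: http://172.16.1.102/phpinfo.php
"""

# One result line: "[+] CODE: 200 URL: http://host/path"
FINDING_RE = re.compile(r"\[\+\]\s*CODE:\s*(\d{3})\s+URL:\s*(\S+)")

# Path patterns a reviewer would want to see first. These labels are this
# example's own (assumed) triage categories, not something Uniscan emits.
SENSITIVE = [
    (re.compile(r"phpinfo", re.I), "phpinfo() output: leaks PHP configuration and environment"),
    (re.compile(r"^/doc/?$", re.I), "Apache /doc/ alias: exposes local documentation, usually unintended"),
    (re.compile(r"phpmyadmin", re.I), "database admin console reachable from the web"),
    (re.compile(r"payload", re.I), "directory named 'payload': review its contents"),
    (re.compile(r"^/test$", re.I), "leftover test resource"),
]


def parse_findings(text):
    """Return a list of dicts (status, url, path, note) for every result line.

    `note` is the first matching SENSITIVE label, or None for paths that
    need no special attention.
    """
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.search(line)
        if not m:
            continue  # headers, borders and blank lines
        status, url = int(m.group(1)), m.group(2)
        path = urlparse(url).path
        note = next((label for pat, label in SENSITIVE if pat.search(path)), None)
        findings.append({"status": status, "url": url, "path": path, "note": note})
    return findings


def prioritise(findings):
    """Flagged findings first, then the rest; each group sorted by path."""
    return sorted(findings, key=lambda f: (f["note"] is None, f["path"]))


if __name__ == "__main__":
    for f in prioritise(parse_findings(SAMPLE_OUTPUT)):
        flag = f"  <- {f['note']}" if f["note"] else ""
        print(f"{f['status']} {f['url']}{flag}")
```

Feed it real output with something like uniscan -u http://target/ -qw | python3 triage.py, reading sys.stdin instead of SAMPLE_OUTPUT; the regex ignores Uniscan's banners and separators, so the whole transcript can be piped in unchanged.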

With the -s option we can also enable static checks of the target. These run tests for local file inclusion, remote command execution, and remote file inclusion vulnerabilities.

  uniscan -u http://172.16.1.102 -s

#####################################
# Uniscan Project                   #
# http://uniscan.sourceforge.net/   #
#####################################
V. 6.3

Scan date: 29-1-2019 15:12:3
====================================================================================================
| Domain: http://172.16.1.102/
| Server: Apache/2.2.8 (Ubuntu) DAV/2
| IP: 172.16.1.102
====================================================================================================
====================================================================================================
| Static tests:
| Plugin Name: Local File Include Tests v.1.1 Loaded.
| Plugin Name: Remote Command Execution Tests v.1.1 Loaded.
| Plugin Name: Remote File Include Tests v.1.1 Loaded.
|
|
| Local File Include:
|
|
| Remote Command Execution:
|
|
| Remote File Include:
[*] Remaining Tests: 1

... 
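
From the server side, a Uniscan run is easy to spot in the access log: the -g error probes request random paths to elicit 404 pages, and the -q, -w, -d and -s checks request many non-existent directories and files within a few seconds. The script below, an added example that is not part of this article or of Uniscan, parses Apache combined-format access log lines and reports any client that produced a burst of 404 responses inside a short window; that is the kind of signal the "aggressive" defenses mentioned earlier key on. The log lines are constructed for the example (paths modelled on the output above), and the window and threshold values are assumptions to tune for the site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one scanner-like client (172.16.1.50) and one
# ordinary client (172.16.1.20). Timestamps and paths echo the scan above.
SAMPLE_LOG = """\
172.16.1.20 - - [29/Jan/2019:14:54:40 +0000] "GET /index.php HTTP/1.1" 200 891
172.16.1.50 - - [29/Jan/2019:14:54:43 +0000] "GET /lKBpm HTTP/1.1" 404 295
172.16.1.50 - - [29/Jan/2019:14:54:43 +0000] "GET /7)DGG HTTP/1.1" 404 295
172.16.1.50 - - [29/Jan/2019:14:54:44 +0000] "OPTIONS / HTTP/1.1" 200 0
172.16.1.50 - - [29/Jan/2019:14:56:28 +0000] "GET /admin/ HTTP/1.1" 404 295
172.16.1.50 - - [29/Jan/2019:14:56:28 +0000] "GET /backup/ HTTP/1.1" 404 295
172.16.1.50 - - [29/Jan/2019:14:56:29 +0000] "GET /doc/ HTTP/1.1" 200 1411
172.16.1.50 - - [29/Jan/2019:14:56:29 +0000] "GET /old/ HTTP/1.1" 404 295
172.16.1.50 - - [29/Jan/2019:14:56:30 +0000] "GET /cgi-bin/ HTTP/1.1" 404 295
172.16.1.50 - - [29/Jan/2019:14:56:30 +0000] "GET /phpinfo/ HTTP/1.1" 200 52000
172.16.1.20 - - [29/Jan/2019:14:56:35 +0000] "GET /missing.png HTTP/1.1" 404 295
"""

# Apache common/combined log prefix: client, ident, user, [timestamp],
# "METHOD path PROTOCOL", status. Referer and User-Agent are not needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_access_log(text):
    """Return one dict (ip, ts, method, path, status) per parsable line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the run
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events


def find_404_bursts(events, window_s=10, threshold=4):
    """Return {ip: (count, first_ts, last_ts)} for every client that
    produced at least `threshold` 404s inside some `window_s`-second span.

    A sliding window over each client's sorted 404 timestamps; the largest
    window found for that client is reported. Thresholds are assumptions:
    tune them against the site's normal 404 rate before alerting on them.
    """
    per_ip = defaultdict(list)
    for e in events:
        if e["status"] == 404:
            per_ip[e["ip"]].append(e["ts"])

    hits = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # shrink the window from the left until it spans <= window_s
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold and (ip not in hits or count > hits[ip][0]):
                hits[ip] = (count, stamps[start], stamps[end])
    return hits


if __name__ == "__main__":
    for ip, (count, first, last) in find_404_bursts(parse_access_log(SAMPLE_LOG)).items():
        print(f"{ip}: {count} x 404 between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

In the sample, 172.16.1.50 trips the rule on its four 404s between 14:56:28 and 14:56:30, while 172.16.1.20's single broken image link does not. For production use, read the log from a file or a tail pipe and pair the rule with a second signal such as the share of distinct paths per client, so that a CDN or a busy proxy address is not flagged on volume alone.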

In addition to the command-line tool, Uniscan has a graphical user interface. Simply type uniscan-gui at the terminal prompt to start it. From here it works much the same way as the command-line interface: we can enter the target URL and tick the options that should be enabled, then press "Start scan" to begin.

Personally, I like the command-line utility a little better, since the scan runs the same way and you still need to open a terminal to start the GUI, but to each their own. It should be noted that several options can be set at the same time in the command-line version, such as:

  uniscan -u http://172.16.1.102 -qwds

Uniscan also saves each scan as an HTML file under /usr/share/uniscan/report/ in case the scan results are needed at a later date.
