Tools
The tools fall into two groups: comprehensive scanners such as awvs and xray, and single-purpose tools such as wpscan, which specializes in scanning WordPress. When we use these tools, we may trigger the WAF.
Trigger points
The first is scanning speed: if it is too fast, the WAF reacts. This can be bypassed with delays, proxy pools, and whitelists. The second is tool fingerprints: popular tools have clear fingerprints, and you can simulate a real user by modifying the characteristics of the packets that are sent. The third is the vulnerability payload itself: payloads containing known keywords also trigger the WAF, which requires mutating the payload or using less popular scanning tools.
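The same three trigger points seen from the WAF's side, as an added example that is not part of the original notes: a small Python checker that runs over a constructed access-log sample and flags per-IP request bursts, tool fingerprints in the User-Agent, attack keywords in the URL, and requests that claim a search-engine crawler UA from a source that is not on a verified crawler list (the defender's counter to the crawler-whitelist trick). The IPs, UA markers, keyword list and crawler allow-list are all assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample access log (hypothetical IPs, paths and User-Agent strings).
SAMPLE_LOG = """\
203.0.113.5 [10:00:01] "GET /index.php?id=1 HTTP/1.1" "Mozilla/5.0 (compatible; awvs-test)"
203.0.113.5 [10:00:01] "GET /index.php?id=1' AND 1=1-- HTTP/1.1" "Mozilla/5.0 (compatible; awvs-test)"
203.0.113.5 [10:00:01] "GET /index.php?id=1 UNION SELECT 1,2 HTTP/1.1" "Mozilla/5.0 (compatible; awvs-test)"
198.51.100.9 [10:00:05] "GET /about.html HTTP/1.1" "Mozilla/5.0 (compatible; Baiduspider/2.0)"
192.0.2.77 [10:00:30] "GET /contact.html HTTP/1.1" "Mozilla/5.0 (Macintosh) Safari/17"
"""

LINE_RE = re.compile(r'^(\S+) \[(\d\d:\d\d:\d\d)\] "(\S+) (.*?) HTTP/[\d.]+" "([^"]*)"$')
# Assumed UA markers; real scanner fingerprints vary by tool and version.
SCANNER_UA_MARKERS = ("awvs", "acunetix", "xray", "wpscan")
# Assumed keyword list for the "payload" trigger point (illustrative, not a full WAF ruleset).
PAYLOAD_RE = re.compile(r"union\s+select|and\s+1=1|sleep\s*\(|\.\./", re.IGNORECASE)
RATE_LIMIT_PER_SECOND = 2
# Assumed allow-list of verified crawler source IPs (constructed); verify via reverse DNS in practice.
VERIFIED_CRAWLER_IPS = {"198.51.100.10"}


def find_scanner_signals(log_text):
    """Return sorted (ip, reason) pairs for the three WAF trigger points plus whitelist abuse."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, _method, path, ua = m.groups()
            entries.append((ip, ts, path, ua.lower()))
    findings = set()
    # Trigger point 1: too many requests from one source IP within the same second
    per_second = Counter((ip, ts) for ip, ts, _, _ in entries)
    for (ip, _), count in per_second.items():
        if count > RATE_LIMIT_PER_SECOND:
            findings.add((ip, "rate"))
    for ip, _, path, ua in entries:
        # Trigger point 2: known tool fingerprint in the User-Agent
        if any(marker in ua for marker in SCANNER_UA_MARKERS):
            findings.add((ip, "fingerprint"))
        # Trigger point 3: attack keywords in the request path
        if PAYLOAD_RE.search(path):
            findings.add((ip, "payload"))
        # Crawler-whitelist abuse: claims a search-engine bot UA from an unverified source IP
        if ("spider" in ua or "googlebot" in ua) and ip not in VERIFIED_CRAWLER_IPS:
            findings.add((ip, "unverified-crawler"))
    return sorted(findings)
```

Running find_scanner_signals(SAMPLE_LOG) flags the first source on all three trigger points and the second only for the unverified crawler claim; a single slow request with an ordinary browser UA produces no finding.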
Proxy pool: proxy_pool project setup and usage explanation
This tool is free and its functions are not that powerful, so it is not very suitable. Search for "http proxy" on the Internet and you can find websites offering free proxies.
However, the survival time of this kind of proxy is only around three minutes. For example, a proxy submitted at minute 31 may no longer be usable at minute 34. Since it is free, that is to be expected, and it basically cannot be used.
How to use the proxy pool (tutorial)
Technology sharing: building an IP proxy with the Proxy-Pool proxy pool – Zhihu
I borrowed this person's technique and posted the link.
After installing the environment,
modify this setting as shown,
then go directly to the command line to run it.
Start it with py -3, because my computer has both Python 2 and Python 3 installed.
After the web service is up, you can call this proxy pool.
There will be usable proxies, but free ones are definitely not good.
Test code
import requests


def get_proxy():
    # 5010 is the listening port set in proxy_pool's settings, not the port of the Redis service
    return requests.get("http://127.0.0.1:5010/get/").json()


def delete_proxy(proxy):
    requests.get("http://127.0.0.1:5010/delete/?proxy={}".format(proxy))


# Main code
def getHtml():
    retry_count = 5
    proxy = get_proxy().get("proxy")
    print(proxy)
    while retry_count > 0:
        try:
            # Fetch the page through the proxy; the timeout keeps a dead proxy from hanging the loop
            html = requests.get('http://www.baidu.com',
                                proxies={"http": "http://{}".format(proxy)}, timeout=10)
            print(html.text)
            break
        except Exception:
            retry_count -= 1
            # Delete the failed proxy from the proxy pool and pick a fresh one for the next try
            delete_proxy(proxy)
            proxy = get_proxy().get("proxy")
    return None


getHtml()
OK, let's leave it at this for now.
If you pay, you need to buy a tunnel proxy, which changes the IP address on every request.
When you start scanning, there will be no interception. Even if there is, only one or two IPs get intercepted, and a new IP is returned on every visit.
It's very convenient, but the charges are a different matter.
Now look at the WAF interception. It is caused by the malicious URL, which triggers the payload-based interception. This requires working on the payload.
Safedog - awvs vulnerability scan injection test bypass: delay, whitelist
Open the SQL injection practice target.
Our goal is to use awvs to scan for vulnerabilities without triggering WAF interception.
The first method is delay.
Just reduce the scanning speed.
Then switch to the crawler whitelist to simulate access from a whitelisted search engine.
This applies to Safedog only.
Each scanning tool has different characteristics, so using more than one tool when scanning is a good choice; not every tool has a delay function or similar features.
There is another method, but it is very impractical: open the Burp proxy, capture the packets, and send out one packet every three seconds. You can use Button Wizard for this.
BT (Baota) - awvs + xray vulnerability scan payload bypass: delay, passive
We can use awvs to control xray's packet characteristics and scanning speed.
For example, awvs first sends to Burp, and Burp then forwards to xray: three interfaces in total.
Demonstrating the process
Use this to go to the xray directory, run xray, and configure the port.
Then configure Burp's forwarding port.
After clicking OK, it appears in the box; check it to enable port forwarding.
Configure the crawler whitelist in awvs, set a slow speed, and then start scanning.
Start the xray scan.
xray's scan will be consistent with the packets captured by Burp, which means every packet uses the same simulated crawler whitelist as awvs, with delayed scanning.
Paid proxy pool: direct vulnerability discovery against Safedog + BT + AliyunOS
Set up a crawler whitelist.
Use a paid proxy and start working directly.
This website has a three-layer stack of Alibaba Cloud, Baota (BT), and Safedog. Using this method, SQL injection was still found by the scan.