编写AWVS脚本探测web services
0x01思路
0x02编写代码
新建报告模板


新建探测脚本


0x03测试




0x04 AWVS脚本编写资料
官方SDK文档
官方开发工具包
解密的扫描脚本








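// AWVS script: requests "<current directory>/services" and adds a report item
// when the response body contains the string "wsdl".
// THTTPJob, TURL, TReportItem, scanURL, getCurrentDirectory, logWarning,
// logError and AddReportItem are supplied by the scanner's script host.

var target = new THTTPJob(); // HTTP job used for the probe
var dir = getCurrentDirectory(); // directory currently being processed
// NOTE(review): assumes dir.fullPath has no trailing slash; otherwise the probe
// URL contains "//services" -- confirm against the SDK documentation.
target.url = new TURL(scanURL.url + dir.fullPath + "/services"); // probe URL
target.execute(); // send the request

if (!target.wasError && !target.notFound) { // request succeeded and was not a 404
    // Read the body only after the request is known to have succeeded.
    var wsRes = target.response.body;

    // Coarse heuristic: a case-sensitive substring match. Any non-404 page that
    // merely mentions "wsdl" (for example a catch-all error page) also matches,
    // so treat a hit as a candidate to verify rather than a confirmed listing.
    if (wsRes.indexOf('wsdl') != -1) {
        // Shown in the scanner's log pane as debugging output.
        logWarning(scanURL.url + dir.fullPath + '----->this web services is exists!!!');

        var ri = new TReportItem(); // report item returned to the scanner UI
        ri.loadFromFile('Web_Services.xml'); // load the report template
        // NOTE(review): "high" is assigned because the listing is reachable;
        // nothing in this script tests the services themselves, so confirm the
        // rating during triage.
        ri.severity = "high";
        ri.affects = dir.fullPath + "/services";
        ri.Request = target.Request.headersString; // request headers shown in the UI
        ri.response = target.response.body; // response body shown in the UI
        ri.fullResponse = target.fullResponse; // complete HTTP response shown in the UI
        //ri.description = "web services";
        ri.addReference("how do sql inject web services", "http://gv7.me/2017/08/12/how-do-sql-inject-web-services/");
        AddReportItem(ri);
    } else {
        logError(scanURL.url + dir.fullPath + "----->This's not web services!!!");
    }
} else {
    // Reached on a transport error as well as on a 404. The separator keeps the
    // message from running into the logged path.
    logWarning(scanURL.url + dir.fullPath + "----->notFound web services!!!!");
}

// Resource links that followed the script on the page (in page order):
//   Official SDK documentation: https://www.acunetix.com/resources/sdk/
//   Official SDK package:       http://www.acunetix.com/download/tools/WVSSDK.zip
//   Decoded scanner scripts:    https://github.com/c0ny1/awvs_script_decode
//   Base64 string published with the links (kept verbatim):
//   dXJs77yaaHR0cHM6Ly9wYW4uYmFpZHUuY29tL3MvMXNscjRIUHogcHdk77yaYjNtbw==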