ModSecurity 模块搭建 WAF

0. 运行环境：Ubuntu 16.04 LTS

1. 测试网页已前置 Apache

2.安装并配置 ModSecurity 模块，搭建 WAF。

2.1 环境安装

安装 LAMP Server

$ sudo apt-get install apache2 mysql-server libapache2-mod-auth-mysql php-mysql php libapache2-mod-php php-mcrypt

安装 libapache2-modsecurity 模块及其依赖包

$ sudo apt-get install libxml2 libxml2-dev libxml2-utils libaprutil1 libaprutil1-dev libapache2-modsecurity

查看安装情况，如果一切正常，您应该看到以下输出：

$ apachectl -M | grep security
security2_module (shared)

2.2 配置mod_security

默认情况下，mod_security 不起作用，因为它需要规则才能工作。首先，需要重命名位于/etc/modsecurity目录下的 modsecurity.conf-recommended 文件示例：

$ sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

然后修改配置文件

$ sudo vim /etc/modsecurity/modsecurity.conf

SecRuleEngine on

2.3 搭建 WAF

默认情况下，mod_security 附带位于 /usr/share/modsecurity-crs 目录的核心规则集（安全规则）。但建议从 GitHub 存储库下载 mod_security CRS 。

$ sudo rm -rf /usr/share/modsecurity-crs    #删除
$ sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
$ cd /usr/share/modsecurity-crs
$ sudo mv crs-setup.conf.example crs-setup.conf

修改配置文件

$ sudo vim /etc/apache2/mods-enabled/security2.conf

<IfModule security2_module> 
     SecDataDir /var/cache/modsecurity 
     IncludeOptional /etc/modsecurity/*.conf 
     IncludeOptional /usr/share/modsecurity-crs/*.conf 
     IncludeOptional /usr/share/modsecurity-crs/rules/*.conf 
 </IfModule>

重启 Apache 服务

$ sudo systemctl restart apache2

3. 根据文档自行编写，或者在 OWASP ModSecurity CRS 规则库的基础上修改，对 SQL 注入攻击进行阻断并报警。

SQL 注入测试

测试 mod_security 如何保护 Apache Web 服务器免受 SQL 攻击
正常访问：

学号查询

查询结果

$ curl "http://127.0.0.1/student/search.php?id=15********7"
<h3>查询结果</h3><br>学号: 15********7姓名: 李华成绩: 86<br><br>

尝试 SQL 注入：http://127.0.0.1/student/search.php?id=123+or+1%3D1

image.png

在以下输出中看到 403 Forbidden 响应：

image.png

$ curl "http://127.0.0.1/student/search.php?id=15********7+or+1%3D1"
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /student/search.php
on this server.<br />
</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 127.0.0.1 Port 80</address>
</body></html>

查看日志文件，选择最下面的最新日志

$ sudo vim /var/log/apache2/modsec_audit.log

--adbda74e-A--
[11/Jul/2018:20:45:36 +0800] W0X78H8AAQEAACbUCz4AAAAA 127.0.0.1 33846 127.0.0.1 80
--adbda74e-B--
GET /student/search.php?id=15********7+or+1%3D1 HTTP/1.1
Host: 127.0.0.1
User-Agent: curl/7.47.0
Accept: */*

--adbda74e-F--
HTTP/1.1 403 Forbidden
Content-Length: 302
Content-Type: text/html; charset=iso-8859-1

--adbda74e-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /student/search.php
on this server.<br />
</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 127.0.0.1 Port 80</address>
</body></html>

--adbda74e-H--
Message: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "810"] [id "920350"] [rev "2"] [msg "Host header is a numeric IP address"] [data "127.0.0.1"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Message: Warning. detected SQLi using libinjection with fingerprint '1&1' [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "68"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1&1 found within ARGS:id: 15********7 or 1=1"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via libinjection"] [tag "event-correlation"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php
Stopwatch: 1531313136934105 1209 (- - -)
Stopwatch2: 1531313136934105 1209; combined=920, p1=247, p2=600, p3=0, p4=0, p5=72, sr=8, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/3.0.2.
Server: Apache/2.4.18 (Ubuntu)
Engine-Mode: "ENABLED"

--adbda74e-Z--

4. 尝试对特定扫描器或发包工具（paros、w3af 等）的 User-Agent 进行检测和报警，并在单个 IP 访问数量超过一定门限后对来源 IP 进行封禁。

4.1 安装 W3AF

$ git clone https://github.com/andresriancho/w3af.git

$ cd w3af/

$ ./w3af_console

在执行 w3af_console 文件时，有时会提示系统未安装很多依赖环境，需要安装的环境，已经写在了 /tmp 目录下的 w3af_dependency_install.sh 文件里面，执行它即会自动下载安装所需的所有文件。

$ . /tmp/w3af_dependency_install.sh

上述步骤完成后可在终端中操作：

$ w3af_console 
w3af>>> exit
w3af>>> 
May the brute force be with you.

也可以启动器中搜索 W3AF 启动图形化界面操作：

image.png

4.2 使用 W3AF 进行 SQL 注入

两次注入使用同一规则

$ w3af_console 
w3af>>> plugins 
w3af/plugins>>> audit sqli,xss
w3af/plugins>>> back
w3af>>> plugins 
w3af/plugins>>> output htmlFile,console,gtkOutput
w3af/plugins>>> output config console 
w3af/plugins/output/config:console>>> set verbose True 
w3af/plugins/output/config:console>>> back 
w3af/plugins>>> output config gtkOutput
w3af/plugins/output/config:gtkOutput>>> back 
w3af/plugins>>> back 
w3af>>> plugins 
w3af/plugins>>> discovery webSpider 
w3af/plugins>>> back 
w3af>>> target 
w3af/config:target>>> set target http://127.0.0.1/student/
w3af/config:target>>> back 
w3af>>> start

此时关闭 ModSecurity 模块：

Exiting setOutputPlugins()
Called w3afCore.start()
Enabling _dnsCache()
Called buildOpeners
keepalive: added one connection, len(self._hostmap["127.0.0.1"]): 1
DNS response from DNS server for domain: 127.0.0.1
GET http://127.0.0.1/student/ returned HTTP code "200" - id: 1
[thread manager] Successfully added function to threadpool. Work queue size: 1
[thread manager] Successfully added function to threadpool. Work queue size: 2
[thread manager] Successfully added function to threadpool. Work queue size: 3
[thread manager] Successfully added function to threadpool. Work queue size: 4
[thread manager] Successfully added function to threadpool. Work queue size: 5
[thread manager] Successfully added function to threadpool. Work queue size: 6
[thread manager] Successfully added function to threadpool. Work queue size: 7
[thread manager] Successfully added function to threadpool. Work queue size: 8
[thread manager] Successfully added function to threadpool. Work queue size: 9
[thread manager] Successfully added function to threadpool. Work queue size: 10
[thread manager] Successfully added function to threadpool. Work queue size: 11
[thread manager] Successfully added function to threadpool. Work queue size: 12
[thread manager] Successfully added function to threadpool. Work queue size: 13
[thread manager] Successfully added function to threadpool. Work queue size: 14
keepalive: added one connection, len(self._hostmap["127.0.0.1"]): 2
Cached DNS response for domain: 127.0.0.1
keepalive: added one connection, len(self._hostmap["127.0.0.1"]): 3
Cached DNS response for domain: 127.0.0.1
keepalive: added one connection, len(self._hostmap["127.0.0.1"]): 4
Cached DNS response for domain: 127.0.0.1
keepalive: added one connection, len(self._hostmap["127.0.0.1"]): 5
Cached DNS response for domain: 127.0.0.1
GET http://127.0.0.1/student/FUvnFBBV.do returned HTTP code "404" - id: 2
GET http://127.0.0.1/student/jsxoBpVu.htm returned HTTP code "404" - id: 3
No grep for: "http://127.0.0.1/student/FUvnFBBV.do", the plugin sent grep=False.
No grep for: "http://127.0.0.1/student/jsxoBpVu.htm", the plugin sent grep=False.
GET http://127.0.0.1/student/MsJuQg77.asp returned HTTP code "404" - id: 4
No grep for: "http://127.0.0.1/student/MsJuQg77.asp", the plugin sent grep=False.
GET http://127.0.0.1/student/KiRaEBmg. returned HTTP code "404" - id: 5
No grep for: "http://127.0.0.1/student/KiRaEBmg.", the plugin sent grep=False.
GET http://127.0.0.1/student/kOdH34Go.py returned HTTP code "404" - id: 6
No grep for: "http://127.0.0.1/student/kOdH34Go.py", the plugin sent grep=False.
GET http://127.0.0.1/student/57QkDA8a.htmls returned HTTP code "404" - id: 8
No grep for: "http://127.0.0.1/student/57QkDA8a.htmls", the plugin sent grep=False.
GET http://127.0.0.1/student/BON3jkWF.gif returned HTTP code "404" - id: 9
No grep for: "http://127.0.0.1/student/BON3jkWF.gif", the plugin sent grep=False.
GET http://127.0.0.1/student/wEbTIluY.jsp returned HTTP code "404" - id: 10
GET http://127.0.0.1/student/RGlBqtVR.rb returned HTTP code "404" - id: 7
GET http://127.0.0.1/student/gn3WcCeY.cgi returned HTTP code "404" - id: 11
No grep for: "http://127.0.0.1/student/gn3WcCeY.cgi", the plugin sent grep=False.
No grep for: "http://127.0.0.1/student/RGlBqtVR.rb", the plugin sent grep=False.
No grep for: "http://127.0.0.1/student/wEbTIluY.jsp", the plugin sent grep=False.
GET http://127.0.0.1/student/edBljb1t.php returned HTTP code "404" - id: 12
No grep for: "http://127.0.0.1/student/edBljb1t.php", the plugin sent grep=False.
GET http://127.0.0.1/student/JZlDh7jm.aspx returned HTTP code "404" - id: 13
No grep for: "http://127.0.0.1/student/JZlDh7jm.aspx", the plugin sent grep=False.
GET http://127.0.0.1/student/a1NH5ixa.pl returned HTTP code "404" - id: 14
GET http://127.0.0.1/student/SbH4QlRA.xhtml returned HTTP code "404" - id: 15
No grep for: "http://127.0.0.1/student/a1NH5ixa.pl", the plugin sent grep=False.
No grep for: "http://127.0.0.1/student/SbH4QlRA.xhtml", the plugin sent grep=False.
The 404 body result database has a length of 1.
"http://127.0.0.1/student/" (id:1) is NOT a 404 [similarity_index < 0.9].
Called _discover_worker()
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/student/
GET http://127.0.0.1/student/ returned HTTP code "200" - id: 16 - from cache.
[thread manager] Successfully added function to threadpool. Work queue size: 1
[thread manager] Successfully added function to threadpool. Work queue size: 2
[thread manager] Successfully added function to threadpool. Work queue size: 3
GET http://127.0.0.1/student/search.php returned HTTP code "200" - id: 17
"http://127.0.0.1/student/search.php" (id:17) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/student/search.php" to the result.
GET http://127.0.0.1/student/ returned HTTP code "200" - id: 18
"http://127.0.0.1/student/" (id:18) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/student/" to the result.
GET http://127.0.0.1/ returned HTTP code "200" - id: 19
GET http://127.0.0.1/KOPcHnri/ returned HTTP code "404" - id: 20
No grep for: "http://127.0.0.1/KOPcHnri/", the plugin sent grep=False.
"http://127.0.0.1/" (id:19) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/" to the result.
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/student/search.php
GET http://127.0.0.1/student/search.php?id= returned HTTP code "200" - id: 21
[thread manager] Successfully added function to threadpool. Work queue size: 1
[thread manager] Successfully added function to threadpool. Work queue size: 2
GET http://127.0.0.1/student/ returned HTTP code "200" - id: 22 - from cache.
"http://127.0.0.1/student/" (id:22) is NOT a 404 [similarity_index < 0.9].
GET http://127.0.0.1/ returned HTTP code "200" - id: 23 - from cache.
Adding relative reference "http://127.0.0.1/student/" to the result.
GET http://127.0.0.1/QCidGWGN/ returned HTTP code "404" - id: 24
No grep for: "http://127.0.0.1/QCidGWGN/", the plugin sent grep=False.
"http://127.0.0.1/" (id:23) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/" to the result.
New URL found by webSpider plugin: http://127.0.0.1/
New URL found by webSpider plugin: http://127.0.0.1/student/
New URL found by webSpider plugin: http://127.0.0.1/student/search.php
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/student/search.php
GET http://127.0.0.1/student/search.php?id= returned HTTP code "200" - id: 25 - from cache.
[thread manager] Successfully added function to threadpool. Work queue size: 1
[thread manager] Successfully added function to threadpool. Work queue size: 2
GET http://127.0.0.1/student/ returned HTTP code "200" - id: 27 - from cache.
GET http://127.0.0.1/ returned HTTP code "200" - id: 26 - from cache.
GET http://127.0.0.1/QI6edyjx/ returned HTTP code "404" - id: 28
No grep for: "http://127.0.0.1/QI6edyjx/", the plugin sent grep=False.
"http://127.0.0.1/" (id:26) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/" to the result.
"http://127.0.0.1/student/" (id:27) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/student/" to the result.
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/student/search.php
GET http://127.0.0.1/student/search.php returned HTTP code "200" - id: 29 - from cache.
[thread manager] Successfully added function to threadpool. Work queue size: 1
[thread manager] Successfully added function to threadpool. Work queue size: 2
GET http://127.0.0.1/student/ returned HTTP code "200" - id: 30 - from cache.
"http://127.0.0.1/student/" (id:30) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/student/" to the result.
GET http://127.0.0.1/ returned HTTP code "200" - id: 31 - from cache.
GET http://127.0.0.1/ZLRP3B8O/ returned HTTP code "404" - id: 32
No grep for: "http://127.0.0.1/ZLRP3B8O/", the plugin sent grep=False.
"http://127.0.0.1/" (id:31) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/" to the result.
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/student/
GET http://127.0.0.1/student/ returned HTTP code "200" - id: 33 - from cache.
[thread manager] Successfully added function to threadpool. Work queue size: 1
[thread manager] Successfully added function to threadpool. Work queue size: 2
[thread manager] Successfully added function to threadpool. Work queue size: 3
GET http://127.0.0.1/student/ returned HTTP code "200" - id: 34 - from cache.
GET http://127.0.0.1/ returned HTTP code "200" - id: 35 - from cache.
GET http://127.0.0.1/wEFjddZU/ returned HTTP code "404" - id: 36
No grep for: "http://127.0.0.1/wEFjddZU/", the plugin sent grep=False.
"http://127.0.0.1/" (id:35) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/" to the result.
"http://127.0.0.1/student/" (id:34) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/student/" to the result.
GET http://127.0.0.1/student/search.php returned HTTP code "200" - id: 37 - from cache.
"http://127.0.0.1/student/search.php" (id:37) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/student/search.php" to the result.
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/
GET http://127.0.0.1/ returned HTTP code "200" - id: 38 - from cache.
[thread manager] Successfully added function to threadpool. Work queue size: 1
[thread manager] Successfully added function to threadpool. Work queue size: 2
[thread manager] Successfully added function to threadpool. Work queue size: 3
[thread manager] Successfully added function to threadpool. Work queue size: 4
[thread manager] Successfully added function to threadpool. Work queue size: 5
Ignoring new reference "http://127.0.0.1/" (it is simply a variant).
GET http://127.0.0.1/manual returned HTTP code "404" - id: 40
GET http://127.0.0.1/var/www/html/index.html returned HTTP code "404" - id: 39
GET http://127.0.0.1/usr/share/doc/apache2/README.Debian.gz returned HTTP code "404" - id: 41
GET http://127.0.0.1/etc/apache2/apache2.conf returned HTTP code "404" - id: 42
GET http://127.0.0.1/icons/ubuntu-logo.png returned HTTP code "200" - id: 43
GET http://127.0.0.1/icons/not-ubuntu-logo.png returned HTTP code "404" - id: 44
No grep for: "http://127.0.0.1/icons/not-ubuntu-logo.png", the plugin sent grep=False.
"http://127.0.0.1/icons/ubuntu-logo.png" (id:43) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/icons/ubuntu-logo.png" to the result.
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/student/
GET http://127.0.0.1/student/ returned HTTP code "200" - id: 45 - from cache.
Ignoring new reference "http://127.0.0.1/student/" (it is simply a variant).
Ignoring new reference "http://127.0.0.1/" (it is simply a variant).
[thread manager] Successfully added function to threadpool. Work queue size: 1
GET http://127.0.0.1/student/search.php returned HTTP code "200" - id: 46 - from cache.
"http://127.0.0.1/student/search.php" (id:46) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/student/search.php" to the result.
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/student/search.php
GET http://127.0.0.1/student/search.php?id= returned HTTP code "200" - id: 47
Ignoring new reference "http://127.0.0.1/" (it is simply a variant).
Ignoring new reference "http://127.0.0.1/student/" (it is simply a variant).
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/
GET http://127.0.0.1/ returned HTTP code "200" - id: 48 - from cache.
[thread manager] Successfully added function to threadpool. Work queue size: 1
[thread manager] Successfully added function to threadpool. Work queue size: 2
[thread manager] Successfully added function to threadpool. Work queue size: 3
[thread manager] Successfully added function to threadpool. Work queue size: 4
[thread manager] Successfully added function to threadpool. Work queue size: 5
Ignoring new reference "http://127.0.0.1/" (it is simply a variant).
GET http://127.0.0.1/manual returned HTTP code "404" - id: 50
GET http://127.0.0.1/var/www/html/index.html returned HTTP code "404" - id: 49
GET http://127.0.0.1/etc/apache2/apache2.conf returned HTTP code "404" - id: 51
GET http://127.0.0.1/icons/ubuntu-logo.png returned HTTP code "200" - id: 52 - from cache.
GET http://127.0.0.1/usr/share/doc/apache2/README.Debian.gz returned HTTP code "404" - id: 53
GET http://127.0.0.1/icons/not-ubuntu-logo.png returned HTTP code "404" - id: 54
No grep for: "http://127.0.0.1/icons/not-ubuntu-logo.png", the plugin sent grep=False.
"http://127.0.0.1/icons/ubuntu-logo.png" (id:52) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/icons/ubuntu-logo.png" to the result.
New URL found by webSpider plugin: http://127.0.0.1/icons/ubuntu-logo.png
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/icons/ubuntu-logo.png
GET http://127.0.0.1/icons/ubuntu-logo.png returned HTTP code "200" - id: 55 - from cache.
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/icons/ubuntu-logo.png
GET http://127.0.0.1/icons/ubuntu-logo.png returned HTTP code "200" - id: 56 - from cache.
The following is a list of broken links that were found by the webSpider plugin:
- http://127.0.0.1/manual [ referenced from: http://127.0.0.1/ ]
Called _bruteforce()
Found 4 URLs and 6 different points of injection.
The list of URLs is:
- http://127.0.0.1/icons/ubuntu-logo.png
- http://127.0.0.1/student/search.php
- http://127.0.0.1/
- http://127.0.0.1/student/
The list of fuzzable requests is:
- http://127.0.0.1/ | Method: GET
- http://127.0.0.1/icons/ubuntu-logo.png | Method: GET
- http://127.0.0.1/student/ | Method: GET
- http://127.0.0.1/student/search.php | Method: GET
- http://127.0.0.1/student/search.php | Method: GET | Parameters: (id="")
- http://127.0.0.1/student/search.php | Method: GET | Parameters: (id="")
Called _audit()
Starting plugin: sqli
SQLi plugin is testing: http://127.0.0.1/
GET http://127.0.0.1/ returned HTTP code "200" - id: 57 - from cache.
Fuzzing query string
SQLi plugin is testing: http://127.0.0.1/student/search.php
GET http://127.0.0.1/student/search.php?id= returned HTTP code "200" - id: 58 - from cache.
Fuzzing query string
[thread manager] Successfully added function to threadpool. Work queue size: 1
GET http://127.0.0.1/student/search.php?id=d'z"0 returned HTTP code "200" - id: 59
SQLi plugin is testing: http://127.0.0.1/student/search.php
GET http://127.0.0.1/student/search.php returned HTTP code "200" - id: 60 - from cache.
Fuzzing query string
SQLi plugin is testing: http://127.0.0.1/student/search.php
GET http://127.0.0.1/student/search.php?id= returned HTTP code "200" - id: 61 - from cache.
Fuzzing query string
[thread manager] Successfully added function to threadpool. Work queue size: 1
GET http://127.0.0.1/student/search.php?id=d'z"0 returned HTTP code "200" - id: 62
SQLi plugin is testing: http://127.0.0.1/icons/ubuntu-logo.png
GET http://127.0.0.1/icons/ubuntu-logo.png returned HTTP code "200" - id: 63 - from cache.
Fuzzing query string
SQLi plugin is testing: http://127.0.0.1/student/
GET http://127.0.0.1/student/ returned HTTP code "200" - id: 64 - from cache.
Fuzzing query string
Starting plugin: xss
XSS plugin is testing: http://127.0.0.1/
Fuzzing query string
XSS plugin is testing: http://127.0.0.1/student/search.php
Fuzzing query string
GET http://127.0.0.1/student/search.php?id=2EYAr returned HTTP code "200" - id: 65
The variable id is NOT being echoed back.
Fuzzing query string
[thread manager] Successfully added function to threadpool. Work queue size: 1
[thread manager] Successfully added function to threadpool. Work queue size: 2
[thread manager] Successfully added function to threadpool. Work queue size: 3
GET http://127.0.0.1/student/search.php?id=<SCrIPT>fake_alert("TeOH")</SCrIPT> returned HTTP code "200" - id: 66
GET http://127.0.0.1/student/search.php?id=<ScRIPT>a=/TeOH/
fake_alert(a.source)</SCRiPT> returned HTTP code "200" - id: 67
GET http://127.0.0.1/student/search.php?id=<ScRIpT>fake_alert(String.fromCharCode(TeOH))</SCriPT> returned HTTP code "200" - id: 68
XSS plugin is testing: http://127.0.0.1/student/search.php
Fuzzing query string
XSS plugin is testing: http://127.0.0.1/student/search.php
Fuzzing query string
GET http://127.0.0.1/student/search.php?id=Ftf6h returned HTTP code "200" - id: 69
The variable id is NOT being echoed back.
Fuzzing query string
[thread manager] Successfully added function to threadpool. Work queue size: 1
[thread manager] Successfully added function to threadpool. Work queue size: 2
[thread manager] Successfully added function to threadpool. Work queue size: 3
GET http://127.0.0.1/student/search.php?id=<ScRIPT>a=/3lqp/
fake_alert(a.source)</SCRiPT> returned HTTP code "200" - id: 70
GET http://127.0.0.1/student/search.php?id=<SCrIPT>fake_alert("3lqp")</SCrIPT> returned HTTP code "200" - id: 71
GET http://127.0.0.1/student/search.php?id=<ScRIpT>fake_alert(String.fromCharCode(3lqp))</SCriPT> returned HTTP code "200" - id: 72
XSS plugin is testing: http://127.0.0.1/icons/ubuntu-logo.png
Fuzzing query string
XSS plugin is testing: http://127.0.0.1/student/
Fuzzing query string
GET http://127.0.0.1/ returned HTTP code "200" - id: 73
GET http://127.0.0.1/student/search.php?id= returned HTTP code "200" - id: 74
GET http://127.0.0.1/student/search.php returned HTTP code "200" - id: 75
GET http://127.0.0.1/student/search.php?id= returned HTTP code "200" - id: 76
GET http://127.0.0.1/icons/ubuntu-logo.png returned HTTP code "200" - id: 77
GET http://127.0.0.1/student/ returned HTTP code "200" - id: 78
Cleared urllib2 local cache.
Calling join on all daemon threads
Exiting setOutputPlugins()
Scan finished in 0 seconds.

ModSecurity 模块开启后：

Exiting setOutputPlugins()
Called w3afCore.start()
Enabling _dnsCache()
Called buildOpeners
GET http://127.0.0.1/student/ returned HTTP code "200" - id: 79 - from cache.
"http://127.0.0.1/student/" (id:79) is NOT a 404 [similarity_index < 0.9].
Called _discover_worker()
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/
GET http://127.0.0.1/ returned HTTP code "200" - id: 80 - from cache.
[thread manager] Successfully added function to threadpool. Work queue size: 1
[thread manager] Successfully added function to threadpool. Work queue size: 2
[thread manager] Successfully added function to threadpool. Work queue size: 3
[thread manager] Successfully added function to threadpool. Work queue size: 4
[thread manager] Successfully added function to threadpool. Work queue size: 5
[thread manager] Successfully added function to threadpool. Work queue size: 6
GET http://127.0.0.1/var/www/html/index.html returned HTTP code "404" - id: 82
GET http://127.0.0.1/ returned HTTP code "200" - id: 81 - from cache.
GET http://127.0.0.1/etc/apache2/apache2.conf returned HTTP code "404" - id: 84
keepalive: removed one connection, len(self._hostmap["127.0.0.1"]): 4
keepalive: replacing bad connection with a new one
Cached DNS response for domain: 127.0.0.1
GET http://127.0.0.1/icons/ubuntu-logo.png returned HTTP code "200" - id: 85 - from cache.
GET http://127.0.0.1/manual returned HTTP code "404" - id: 83
GET http://127.0.0.1/GEYxGKYe/ returned HTTP code "403" - id: 86
No grep for: "http://127.0.0.1/GEYxGKYe/", the plugin sent grep=False.
"http://127.0.0.1/" (id:81) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/" to the result.
keepalive: removed one connection, len(self._hostmap["127.0.0.1"]): 4
keepalive: replacing bad connection with a new one
Cached DNS response for domain: 127.0.0.1
GET http://127.0.0.1/usr/share/doc/apache2/README.Debian.gz returned HTTP code "404" - id: 87
GET http://127.0.0.1/icons/not-ubuntu-logo.png returned HTTP code "403" - id: 88
No grep for: "http://127.0.0.1/icons/not-ubuntu-logo.png", the plugin sent grep=False.
"http://127.0.0.1/icons/ubuntu-logo.png" (id:85) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/icons/ubuntu-logo.png" to the result.
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/student/search.php
GET http://127.0.0.1/student/search.php?id= returned HTTP code "200" - id: 89 - from cache.
[thread manager] Successfully added function to threadpool. Work queue size: 1
[thread manager] Successfully added function to threadpool. Work queue size: 2
GET http://127.0.0.1/student/ returned HTTP code "200" - id: 90 - from cache.
"http://127.0.0.1/student/" (id:90) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/student/" to the result.
GET http://127.0.0.1/ returned HTTP code "200" - id: 91 - from cache.
keepalive: removed one connection, len(self._hostmap["127.0.0.1"]): 4
keepalive: replacing bad connection with a new one
Cached DNS response for domain: 127.0.0.1
GET http://127.0.0.1/uPK8fafH/ returned HTTP code "403" - id: 92
No grep for: "http://127.0.0.1/uPK8fafH/", the plugin sent grep=False.
"http://127.0.0.1/" (id:91) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/" to the result.
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/student/search.php
GET http://127.0.0.1/student/search.php returned HTTP code "200" - id: 93 - from cache.
[thread manager] Successfully added function to threadpool. Work queue size: 1
[thread manager] Successfully added function to threadpool. Work queue size: 2
GET http://127.0.0.1/ returned HTTP code "200" - id: 94 - from cache.
keepalive: removed one connection, len(self._hostmap["127.0.0.1"]): 4
keepalive: replacing bad connection with a new one
Cached DNS response for domain: 127.0.0.1
GET http://127.0.0.1/student/ returned HTTP code "200" - id: 95 - from cache.
GET http://127.0.0.1/liR6EW0m/ returned HTTP code "403" - id: 96
No grep for: "http://127.0.0.1/liR6EW0m/", the plugin sent grep=False.
"http://127.0.0.1/" (id:94) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/" to the result.
"http://127.0.0.1/student/" (id:95) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/student/" to the result.
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/student/search.php
GET http://127.0.0.1/student/search.php?id= returned HTTP code "200" - id: 97 - from cache.
[thread manager] Successfully added function to threadpool. Work queue size: 1
[thread manager] Successfully added function to threadpool. Work queue size: 2
GET http://127.0.0.1/ returned HTTP code "200" - id: 98 - from cache.
keepalive: removed one connection, len(self._hostmap["127.0.0.1"]): 4
keepalive: replacing bad connection with a new one
Cached DNS response for domain: 127.0.0.1
GET http://127.0.0.1/gOlOzfLm/ returned HTTP code "403" - id: 99
No grep for: "http://127.0.0.1/gOlOzfLm/", the plugin sent grep=False.
"http://127.0.0.1/" (id:98) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/" to the result.
GET http://127.0.0.1/student/ returned HTTP code "200" - id: 100 - from cache.
"http://127.0.0.1/student/" (id:100) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/student/" to the result.
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/icons/ubuntu-logo.png
GET http://127.0.0.1/icons/ubuntu-logo.png returned HTTP code "200" - id: 101 - from cache.
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/student/
GET http://127.0.0.1/student/ returned HTTP code "200" - id: 102 - from cache.
[thread manager] Successfully added function to threadpool. Work queue size: 1
[thread manager] Successfully added function to threadpool. Work queue size: 2
[thread manager] Successfully added function to threadpool. Work queue size: 3
GET http://127.0.0.1/student/search.php returned HTTP code "200" - id: 103 - from cache.
"http://127.0.0.1/student/search.php" (id:103) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/student/search.php" to the result.
GET http://127.0.0.1/ returned HTTP code "200" - id: 104 - from cache.
GET http://127.0.0.1/sblhIenS/ returned HTTP code "403" - id: 106
No grep for: "http://127.0.0.1/sblhIenS/", the plugin sent grep=False.
"http://127.0.0.1/" (id:104) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/" to the result.
GET http://127.0.0.1/student/ returned HTTP code "200" - id: 105 - from cache.
"http://127.0.0.1/student/" (id:105) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/student/" to the result.
New URL found by webSpider plugin: http://127.0.0.1/
New URL found by webSpider plugin: http://127.0.0.1/icons/ubuntu-logo.png
New URL found by webSpider plugin: http://127.0.0.1/student/
New URL found by webSpider plugin: http://127.0.0.1/student/search.php
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/
GET http://127.0.0.1/ returned HTTP code "200" - id: 107 - from cache.
[thread manager] Successfully added function to threadpool. Work queue size: 1
[thread manager] Successfully added function to threadpool. Work queue size: 2
[thread manager] Successfully added function to threadpool. Work queue size: 3
[thread manager] Successfully added function to threadpool. Work queue size: 4
[thread manager] Successfully added function to threadpool. Work queue size: 5
Ignoring new reference "http://127.0.0.1/" (it is simply a variant).
GET http://127.0.0.1/var/www/html/index.html returned HTTP code "404" - id: 108
GET http://127.0.0.1/manual returned HTTP code "404" - id: 109
GET http://127.0.0.1/etc/apache2/apache2.conf returned HTTP code "404" - id: 110
GET http://127.0.0.1/icons/ubuntu-logo.png returned HTTP code "200" - id: 111 - from cache.
GET http://127.0.0.1/usr/share/doc/apache2/README.Debian.gz returned HTTP code "404" - id: 112
GET http://127.0.0.1/icons/not-ubuntu-logo.png returned HTTP code "403" - id: 113
No grep for: "http://127.0.0.1/icons/not-ubuntu-logo.png", the plugin sent grep=False.
"http://127.0.0.1/icons/ubuntu-logo.png" (id:111) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/icons/ubuntu-logo.png" to the result.
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/icons/ubuntu-logo.png
GET http://127.0.0.1/icons/ubuntu-logo.png returned HTTP code "200" - id: 114 - from cache.
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/student/
GET http://127.0.0.1/student/ returned HTTP code "200" - id: 115 - from cache.
[thread manager] Successfully added function to threadpool. Work queue size: 1
[thread manager] Successfully added function to threadpool. Work queue size: 2
Ignoring new reference "http://127.0.0.1/" (it is simply a variant).
GET http://127.0.0.1/student/search.php returned HTTP code "200" - id: 116 - from cache.
"http://127.0.0.1/student/search.php" (id:116) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/student/search.php" to the result.
GET http://127.0.0.1/student/ returned HTTP code "200" - id: 117 - from cache.
"http://127.0.0.1/student/" (id:117) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/student/" to the result.
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/student/search.php
GET http://127.0.0.1/student/search.php?id= returned HTTP code "200" - id: 118 - from cache.
Ignoring new reference "http://127.0.0.1/" (it is simply a variant).
Ignoring new reference "http://127.0.0.1/student/" (it is simply a variant).
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/
GET http://127.0.0.1/ returned HTTP code "200" - id: 119 - from cache.
[thread manager] Successfully added function to threadpool. Work queue size: 1
[thread manager] Successfully added function to threadpool. Work queue size: 2
[thread manager] Successfully added function to threadpool. Work queue size: 3
[thread manager] Successfully added function to threadpool. Work queue size: 4
[thread manager] Successfully added function to threadpool. Work queue size: 5
Ignoring new reference "http://127.0.0.1/" (it is simply a variant).
GET http://127.0.0.1/var/www/html/index.html returned HTTP code "404" - id: 120
GET http://127.0.0.1/manual returned HTTP code "404" - id: 121
GET http://127.0.0.1/etc/apache2/apache2.conf returned HTTP code "404" - id: 122
GET http://127.0.0.1/usr/share/doc/apache2/README.Debian.gz returned HTTP code "404" - id: 124
GET http://127.0.0.1/icons/ubuntu-logo.png returned HTTP code "200" - id: 123 - from cache.
GET http://127.0.0.1/icons/not-ubuntu-logo.png returned HTTP code "403" - id: 125
No grep for: "http://127.0.0.1/icons/not-ubuntu-logo.png", the plugin sent grep=False.
"http://127.0.0.1/icons/ubuntu-logo.png" (id:123) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/icons/ubuntu-logo.png" to the result.
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/
GET http://127.0.0.1/ returned HTTP code "200" - id: 126 - from cache.
[thread manager] Successfully added function to threadpool. Work queue size: 1
[thread manager] Successfully added function to threadpool. Work queue size: 2
[thread manager] Successfully added function to threadpool. Work queue size: 3
[thread manager] Successfully added function to threadpool. Work queue size: 4
[thread manager] Successfully added function to threadpool. Work queue size: 5
Ignoring new reference "http://127.0.0.1/" (it is simply a variant).
GET http://127.0.0.1/var/www/html/index.html returned HTTP code "404" - id: 127
GET http://127.0.0.1/manual returned HTTP code "404" - id: 128
GET http://127.0.0.1/etc/apache2/apache2.conf returned HTTP code "404" - id: 129
GET http://127.0.0.1/usr/share/doc/apache2/README.Debian.gz returned HTTP code "404" - id: 131
GET http://127.0.0.1/icons/ubuntu-logo.png returned HTTP code "200" - id: 130 - from cache.
GET http://127.0.0.1/icons/not-ubuntu-logo.png returned HTTP code "403" - id: 132
No grep for: "http://127.0.0.1/icons/not-ubuntu-logo.png", the plugin sent grep=False.
"http://127.0.0.1/icons/ubuntu-logo.png" (id:130) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/icons/ubuntu-logo.png" to the result.
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/student/
GET http://127.0.0.1/student/ returned HTTP code "200" - id: 133 - from cache.
Ignoring new reference "http://127.0.0.1/" (it is simply a variant).
Ignoring new reference "http://127.0.0.1/student/" (it is simply a variant).
[thread manager] Successfully added function to threadpool. Work queue size: 1
GET http://127.0.0.1/student/search.php returned HTTP code "200" - id: 134 - from cache.
"http://127.0.0.1/student/search.php" (id:134) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/student/search.php" to the result.
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/student/search.php
GET http://127.0.0.1/student/search.php?id= returned HTTP code "200" - id: 135 - from cache.
Ignoring new reference "http://127.0.0.1/student/" (it is simply a variant).
Ignoring new reference "http://127.0.0.1/" (it is simply a variant).
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/
GET http://127.0.0.1/ returned HTTP code "200" - id: 136 - from cache.
Ignoring new reference "http://127.0.0.1/" (it is simply a variant).
[thread manager] Successfully added function to threadpool. Work queue size: 1
[thread manager] Successfully added function to threadpool. Work queue size: 2
[thread manager] Successfully added function to threadpool. Work queue size: 3
[thread manager] Successfully added function to threadpool. Work queue size: 4
[thread manager] Successfully added function to threadpool. Work queue size: 5
GET http://127.0.0.1/var/www/html/index.html returned HTTP code "404" - id: 137
GET http://127.0.0.1/manual returned HTTP code "404" - id: 138
GET http://127.0.0.1/etc/apache2/apache2.conf returned HTTP code "404" - id: 139
GET http://127.0.0.1/icons/ubuntu-logo.png returned HTTP code "200" - id: 140 - from cache.
GET http://127.0.0.1/usr/share/doc/apache2/README.Debian.gz returned HTTP code "404" - id: 141
GET http://127.0.0.1/icons/not-ubuntu-logo.png returned HTTP code "403" - id: 142
No grep for: "http://127.0.0.1/icons/not-ubuntu-logo.png", the plugin sent grep=False.
"http://127.0.0.1/icons/ubuntu-logo.png" (id:140) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/icons/ubuntu-logo.png" to the result.
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/student/
GET http://127.0.0.1/student/ returned HTTP code "200" - id: 143 - from cache.
Ignoring new reference "http://127.0.0.1/student/" (it is simply a variant).
Ignoring new reference "http://127.0.0.1/" (it is simply a variant).
[thread manager] Successfully added function to threadpool. Work queue size: 1
GET http://127.0.0.1/student/search.php returned HTTP code "200" - id: 144 - from cache.
"http://127.0.0.1/student/search.php" (id:144) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/student/search.php" to the result.
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/student/search.php
GET http://127.0.0.1/student/search.php?id= returned HTTP code "200" - id: 145 - from cache.
Ignoring new reference "http://127.0.0.1/" (it is simply a variant).
Ignoring new reference "http://127.0.0.1/student/" (it is simply a variant).
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/student/search.php
GET http://127.0.0.1/student/search.php?id= returned HTTP code "200" - id: 146 - from cache.
Ignoring new reference "http://127.0.0.1/" (it is simply a variant).
Ignoring new reference "http://127.0.0.1/student/" (it is simply a variant).
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/student/search.php
GET http://127.0.0.1/student/search.php returned HTTP code "200" - id: 147 - from cache.
Ignoring new reference "http://127.0.0.1/student/" (it is simply a variant).
Ignoring new reference "http://127.0.0.1/" (it is simply a variant).
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/
GET http://127.0.0.1/ returned HTTP code "200" - id: 148 - from cache.
Ignoring new reference "http://127.0.0.1/" (it is simply a variant).
Ignoring new reference "http://127.0.0.1/var/www/html/index.html" (it is simply a variant).
Ignoring new reference "http://127.0.0.1/manual" (it is simply a variant).
Ignoring new reference "http://127.0.0.1/etc/apache2/apache2.conf" (it is simply a variant).
Ignoring new reference "http://127.0.0.1/icons/ubuntu-logo.png" (it is simply a variant).
Ignoring new reference "http://127.0.0.1/usr/share/doc/apache2/README.Debian.gz" (it is simply a variant).
Starting plugin: webSpider
webSpider plugin is testing: http://127.0.0.1/student/
GET http://127.0.0.1/student/ returned HTTP code "200" - id: 149 - from cache.
Ignoring new reference "http://127.0.0.1/" (it is simply a variant).
Ignoring new reference "http://127.0.0.1/student/" (it is simply a variant).
[thread manager] Successfully added function to threadpool. Work queue size: 1
GET http://127.0.0.1/student/search.php returned HTTP code "200" - id: 150 - from cache.
"http://127.0.0.1/student/search.php" (id:150) is NOT a 404 [similarity_index < 0.9].
Adding relative reference "http://127.0.0.1/student/search.php" to the result.
The following is a list of broken links that were found by the webSpider plugin:
- http://127.0.0.1/manual [ referenced from: http://127.0.0.1/ ]
Called _bruteforce()
Found 4 URLs and 6 different points of injection.
The list of URLs is:
- http://127.0.0.1/student/
- http://127.0.0.1/icons/ubuntu-logo.png
- http://127.0.0.1/
- http://127.0.0.1/student/search.php
The list of fuzzable requests is:
- http://127.0.0.1/ | Method: GET
- http://127.0.0.1/icons/ubuntu-logo.png | Method: GET
- http://127.0.0.1/student/ | Method: GET
- http://127.0.0.1/student/search.php | Method: GET
- http://127.0.0.1/student/search.php | Method: GET | Parameters: (id="")
- http://127.0.0.1/student/search.php | Method: GET | Parameters: (id="")
Called _audit()
Starting plugin: sqli
SQLi plugin is testing: http://127.0.0.1/
GET http://127.0.0.1/ returned HTTP code "200" - id: 151 - from cache.
Fuzzing query string
SQLi plugin is testing: http://127.0.0.1/student/search.php
GET http://127.0.0.1/student/search.php?id= returned HTTP code "200" - id: 152 - from cache.
Fuzzing query string
[thread manager] Successfully added function to threadpool. Work queue size: 1
GET http://127.0.0.1/student/search.php?id=d'z"0 returned HTTP code "200" - id: 153 - from cache.
SQLi plugin is testing: http://127.0.0.1/student/search.php
GET http://127.0.0.1/student/search.php returned HTTP code "200" - id: 154 - from cache.
Fuzzing query string
SQLi plugin is testing: http://127.0.0.1/student/search.php
GET http://127.0.0.1/student/search.php?id= returned HTTP code "200" - id: 155 - from cache.
Fuzzing query string
[thread manager] Successfully added function to threadpool. Work queue size: 1
GET http://127.0.0.1/student/search.php?id=d'z"0 returned HTTP code "200" - id: 156 - from cache.
SQLi plugin is testing: http://127.0.0.1/icons/ubuntu-logo.png
GET http://127.0.0.1/icons/ubuntu-logo.png returned HTTP code "200" - id: 157 - from cache.
Fuzzing query string
SQLi plugin is testing: http://127.0.0.1/student/
GET http://127.0.0.1/student/ returned HTTP code "200" - id: 158 - from cache.
Fuzzing query string
Starting plugin: xss
XSS plugin is testing: http://127.0.0.1/
Fuzzing query string
XSS plugin is testing: http://127.0.0.1/student/search.php
Fuzzing query string
GET http://127.0.0.1/student/search.php?id=hM3VD returned HTTP code "403" - id: 159
The variable id is NOT being echoed back.
Fuzzing query string
[thread manager] Successfully added function to threadpool. Work queue size: 1
[thread manager] Successfully added function to threadpool. Work queue size: 2
[thread manager] Successfully added function to threadpool. Work queue size: 3
GET http://127.0.0.1/student/search.php?id=%3CSCrIPT%3Efake_alert%28%22uUlk%22%29%3C%2FSCrIPT%3E returned HTTP code "403" - id: 160
GET http://127.0.0.1/student/search.php?id=%3CScRIPT%3Ea%3D%2FuUlk%2F%0Afake_alert%28a.source%29%3C%2FSCRiPT%3E returned HTTP code "403" - id: 161
GET http://127.0.0.1/student/search.php?id=%3CScRIpT%3Efake_alert%28String.fromCharCode%28uUlk%29%29%3C%2FSCriPT%3E returned HTTP code "403" - id: 162
XSS plugin is testing: http://127.0.0.1/student/search.php
Fuzzing query string
XSS plugin is testing: http://127.0.0.1/student/search.php
Fuzzing query string
GET http://127.0.0.1/student/search.php?id=w8DQE returned HTTP code "403" - id: 163
The variable id is NOT being echoed back.
Fuzzing query string
[thread manager] Successfully added function to threadpool. Work queue size: 1
[thread manager] Successfully added function to threadpool. Work queue size: 2
[thread manager] Successfully added function to threadpool. Work queue size: 3
GET http://127.0.0.1/student/search.php?id=<SCrIPT>fake_alert("dZSq")</SCrIPT> returned HTTP code "403" - id: 164
GET http://127.0.0.1/student/search.php?id=<ScRIPT>a=/dZSq/%0Afake_alert(a.source)</SCRiPT> returned HTTP code "403" - id: 165
GET http://127.0.0.1/student/search.php?id=<ScRIpT>fake_alert(String.fromCharCode(dZSq))</SCriPT> returned HTTP code "403" - id: 166
XSS plugin is testing: http://127.0.0.1/icons/ubuntu-logo.png
Fuzzing query string
XSS plugin is testing: http://127.0.0.1/student/
Fuzzing query string
GET http://127.0.0.1/ returned HTTP code "403" - id: 167
GET http://127.0.0.1/student/search.php?id= returned HTTP code "403" - id: 168
GET http://127.0.0.1/student/search.php returned HTTP code "403" - id: 169
GET http://127.0.0.1/student/search.php?id= returned HTTP code "403" - id: 170
GET http://127.0.0.1/icons/ubuntu-logo.png returned HTTP code "403" - id: 171
GET http://127.0.0.1/student/ returned HTTP code "403" - id: 172
Cleared urllib2 local cache.
Calling join on all daemon threads
Exiting setOutputPlugins()
Scan finished in 1 second.

对比两次 SQL 注入的返回数据可观察出：

在关闭 ModSecurity 模块的情况下：HTTP 请求返回的都是 returned HTTP code "200"

在开启 ModSecurity 模块的情况下：HTTP 请求返回的都是 returned HTTP code "403"
ModSecurity有效的阻止了 SQL 注入。

总结

学习了 ModSecurity 搭建 WAF 的方法，这在数据库运维管理有着很重要的意义，结合课堂上老师讲的关于安全的实例，对数据库安全保护有了更高的认识，这几天也学会了很多技能，如何一步步的解决问题，怎样配置环境，总计经验并转化为自己的知识技能。
总结这几个实验，更多学到的是解决问题的方法，相信这在以后的工作学习之中都会对自己有所帮助。

最后编辑于：2021.07.04 11:01:37

人面猴
序言：七十年代末，一起剥皮案震惊了整个滨河市，随后出现的几起案子，更是在滨河造成了极大的恐慌，老刑警刘岩，带你破解...
沈念sama阅读 203,547评论 6赞 477
死咒
序言：滨河连续发生了三起死亡事件，死亡现场离奇诡异，居然都是意外死亡，警方通过查阅死者的电脑和手机，发现死者居然都...
沈念sama阅读 85,399评论 2赞 381
救了他两次的神仙让他今天三更去死
文/潘晓璐我一进店门，熙熙楼的掌柜王于贵愁眉苦脸地迎上来，“玉大人，你说我怎么就摊上这事。” “怎么了？”我有些...
开封第一讲书人阅读 150,428评论 0赞 337
道士缉凶录：失踪的卖姜人
文/不坏的土叔我叫张陵，是天一观的道长。经常有香客问我，道长，这世上最难降的妖魔是什么？我笑而不...
开封第一讲书人阅读 54,599评论 1赞 274
港岛之恋（遗憾婚礼）
正文为了忘掉前任，我火速办了婚礼，结果婚礼上，老公的妹妹穿的比我还像新娘。我一直安慰自己，他们只是感情好，可当我...
茶点故事阅读 63,612评论 5赞 365
恶毒庶女顶嫁案：这布局不是一般人想出来的
文/花漫我一把揭开白布。她就那样静静地躺着，像睡着了一般。火红的嫁衣衬着肌肤如雪。梳的纹丝不乱的头发上，一...
开封第一讲书人阅读 48,577评论 1赞 281
城市分裂传说
那天，我揣着相机与录音，去河边找鬼。笑死，一个胖子当着我的面吹牛，可吹牛的内容都是我干的。我是一名探鬼主播，决...
沈念sama阅读 37,941评论 3赞 395
双鸳鸯连环套：你想象不到人心有多黑
文/苍兰香墨我猛地睁开眼，长吁一口气：“原来是场噩梦啊……” “哼！你这毒妇竟也来了？” 一声冷哼从身侧响起，我...
开封第一讲书人阅读 36,603评论 0赞 258
万荣杀人案实录
序言：老挝万荣一对情侣失踪，失踪者是张志新（化名）和其女友刘颖，没想到半个月后，有当地人在树林里发现了一具尸体，经...
沈念sama阅读 40,852评论 1赞 297
护林员之死
正文独居荒郊野岭守林人离奇死亡，尸身上长有42处带血的脓包…… 初始之章·张勋以下内容为张勋视角年9月15日...
茶点故事阅读 35,605评论 2赞 321
白月光启示录
正文我和宋清朗相恋三年，在试婚纱的时候发现自己被绿了。大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
茶点故事阅读 37,693评论 1赞 329
活死人
序言：一个原本活蹦乱跳的男人离奇死亡，死状恐怖，灵堂内的尸体忽然破棺而出，到底是诈尸还是另有隐情，我是刑警宁泽，带...
沈念sama阅读 33,375评论 4赞 318
日本核电站爆炸内幕
正文年R本政府宣布，位于F岛的核电站，受9级特大地震影响，放射性物质发生泄漏。R本人自食恶果不足惜，却给世界环境...
茶点故事阅读 38,955评论 3赞 307
男人毒药：我在死后第九天来索命
文/蒙蒙一、第九天我趴在偏房一处隐蔽的房顶上张望。院中可真热闹，春花似锦、人声如沸。这庄子的主人今日做“春日...
开封第一讲书人阅读 29,936评论 0赞 19
一桩弑父案，背后竟有这般阴谋
文/苍兰香墨我抬头看了看天上的太阳。三九已至，却和暖如春，着一层夹袄步出监牢的瞬间，已是汗流浃背。一阵脚步声响...
开封第一讲书人阅读 31,172评论 1赞 259
情欲美人皮
我被黑心中介骗来泰国打工，没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留，地道东北人。一个月前我还...
沈念sama阅读 43,970评论 2赞 349
代替公主和亲
正文我出身青楼，却偏偏与公主长得像，于是被迫代替她去往敌国和亲。传闻我的和亲对象是个残疾皇子，可洞房花烛夜当晚...
茶点故事阅读 42,414评论 2赞 342

ModSecurity 模块搭建 WAF

0. 运行环境：Ubuntu 16.04 LTS

1. 测试网页已前置 Apache

2.安装并配置 ModSecurity 模块，搭建 WAF。

2.1 环境安装

2.2 配置mod_security

2.3 搭建 WAF

3. 根据文档自行编写，或者在 OWASP ModSecurity CRS 规则库的基础上修改，对 SQL 注入攻击进行阻断并报警。

SQL 注入测试

4. 尝试对特定扫描器或发包工具（paros、w3af 等）的 User-Agent 进行检测和报警，并在单个 IP 访问数量超过一定门限后对来源 IP 进行封禁。

4.1 安装 W3AF

4.2 使用 W3AF 进行 SQL 注入

总结

推荐阅读更多精彩内容