Day 17 Web Page Analysis - Web Application Analysis (WhatWeb)

WhatWeb is a tool for analysing websites. It ships with more than 1800 plugins that identify things such as server type, version, IP, framework information and SQL errors. The analysis level is configurable, so depending on your needs you can run a fast, stealthy scan or a slower but thorough one during a penetration test.

First, the common usage. -v prints detailed plugin information and -a sets the aggression level; the tool can also scan a network range and batch-run analyses from a list of targets in a file.

EXAMPLE USAGE:
* Scan example.com.
  ./whatweb example.com
* Scan reddit.com slashdot.org with verbose plugin descriptions.
  ./whatweb -v reddit.com slashdot.org
* An aggressive scan of wired.com detects the exact version of WordPress.
  ./whatweb -a 3 www.wired.com
* Scan the local network quickly and suppress errors.
  whatweb --no-errors 192.168.0.0/24
* Scan the local network for https websites.
  whatweb --no-errors --url-prefix https:// 192.168.0.0/24
* Scan for crossdomain policies in the Alexa Top 1000.
  ./whatweb -i plugin-development/alexa-top-100.txt \
  --url-suffix /crossdomain.xml -p crossdomain_xml

The -a / --aggression parameter takes a number from 1 to 4, each corresponding to a different level; the default is 1.

  1. Stealthy: sends one HTTP request per target and follows redirects
  2. (not available)
  3. Aggressive: if a level 1 plugin matches, additional requests are sent
  4. Heavy: sends many HTTP requests per target to test every plugin

Analyse the target machine with level 3:

whatweb -v -a 3 http://192.168.1.86

The results show the detected plugins together with their versions:

WhatWeb report for http://192.168.1.86
Status    : 200 OK
Title     : Metasploitable2 - Linux
IP        : 192.168.1.86
Country   : RESERVED, ZZ

Summary   : WebDAV[2], PHP[5,5.2.4-2ubuntu5.10], Apache[2.2.8], X-Powered-By[PHP/5.2.4-2ubuntu5.10], HTTPServer[Ubuntu Linux][Apache/2.2.8 (Ubuntu) DAV/2]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and 
        maintain an open-source HTTP server for modern operating 
        systems including UNIX and Windows NT. The goal of this 
        project is to provide a secure, efficient and extensible 
        server that provides HTTP services in sync with the current 
        HTTP standards. 

        Version      : 2.2.8 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 

        OS           : Ubuntu Linux
        String       : Apache/2.2.8 (Ubuntu) DAV/2 (from server string)

[ PHP ]
        PHP is a widely-used general-purpose scripting language 
        that is especially suited for Web development and can be 
        embedded into HTML. This plugin identifies PHP errors, 
        modules and versions and extracts the local file path and 
        username if present. 

        Version      : 5.2.4-2ubuntu5.10
        Version      : 5
        Google Dorks: (2)
        Website     : http://www.php.net/

[ WebDAV ]
        Web-based Distributed Authoring and Versioning (WebDAV) is 
        a set of methods based on the Hypertext Transfer Protocol 
        (HTTP) that facilitates collaboration between users in 
        editing and managing documents and files stored on World 
        Wide Web servers. - More Info: 
        http://en.wikipedia.org/wiki/WebDAV 

        Version      : 2

[ X-Powered-By ]
        X-Powered-By HTTP header 

        String       : PHP/5.2.4-2ubuntu5.10 (from x-powered-by string)

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Sat, 02 Oct 2021 03:22:45 GMT
        Server: Apache/2.2.8 (Ubuntu) DAV/2
        X-Powered-By: PHP/5.2.4-2ubuntu5.10
        Connection: close
        Transfer-Encoding: chunked
        Content-Type: text/html

I don't know why level 2 of this tool is still unfinished, but the existing plugin set is already very rich, and you can even write your own plugins. To list the currently supported plugins, or to search for one, use the following options:

  --list-plugins, -l            List all plugins.
  --info-plugins, -I=[SEARCH]   List all plugins with detailed information.
                                Optionally search with keywords in a comma
                                delimited list.
  --search-plugins=STRING       Search plugins for a keyword.
