Contents
w3af 踩坑笔记
踩坑总结
如果只是 console 模式,还是比较好处理的。
但是搞 GUI 坑奇多, 主要在 GTK 方面。
Web UI (link) 又在 5, 6 年前就停止更新了(基于 Django)。
如果没有特别必要,建议使用集成环境的 w3af (比如 Kali 中的), 不要自己搭建。
【Update】 w3af removed from kali-rolling #14982
Console 记录
source ~/develop/venv_w3af/bin/activate
./w3af_console
GUI 采坑记录
w3af 的运行环境是 用 python 2.7。
建议先新建一个虚拟 python 环境。
virtualenv venv_w3af
source venv_w3af/bin/activate
pip install -r requirements.txt
npm install -g retire
# 之后运行 console 版 w3af
./w3af_console
# 会生成一个自动安装其他依赖的脚本
# 路径为 /tmp/w3af_dependency_install.sh
参考 requirements.txt
pyClamd==0.4.0
PyGithub==1.21.0
GitPython==2.1.3
pybloomfiltermmap==0.3.14
phply==0.9.1
nltk==3.0.1
tblib==0.2.0
pdfminer==20140328
futures==3.2.0
pyOpenSSL==18.0.0
ndg-httpsclient==0.4.0
pyasn1==0.4.2
lxml==3.4.4
scapy==2.4.0
guess-language==0.2
cluster==1.1.1b3
msgpack==0.5.6
python-ntlm==1.0.1
halberd==0.2.4
darts.util.lru==0.5
Jinja2==2.10
vulndb==0.1.0
markdown==2.6.1
psutil==2.2.1
ds-store==1.1.2
mitmproxy==0.13
ruamel.ordereddict==0.4.8
Flask==0.10.1
PyYAML==3.12
tldextract==1.7.2
pebble==4.3.8
acora==2.1
esmre==0.3.1
diff-match-patch==20121119
bravado-core==5.0.2
lz4==1.1.0
vulners==1.3.0
termcolor==1.1.0
xdot==0.6
GTK
sudo yum install pygtk2 -y
sudo yum install pygtk2-devel -y
sudo yum install pywebkitgtk -y
# sudo yum install gtksourceview2-devel gtksourceview2 gtksourceview gtksourceview-devel -y
# gnome-python2-gtksourceview -y
可以用 import PyGTK 来测试
graphviz
sudo yum install graphviz -y
OpenSSL
sudo yum install openssl -y
sudo yum install openssl-devel -y
分析 dependency
locate dependency | grep "/home/team/develop/w3af"
一些解决的问题
lz4 (your setuptools is too old <12)
使用 wget https://files.pythonhosted.org/packages/e7/b9/12bd58967c5df38e22e9db0c17d732fc456fd09d4b89b147ff1c73e59c5b/lz4-1.1.0.tar.gz
手动安装,安装(lz4-1.1.0)目录下的依赖, (venv_w3af) pip install -r requirements.txt。
之后是 python setup.py install。
Collecting lz4==1.1.0
Using cached https://files.pythonhosted.org/packages/e7/b9/12bd58967c5df38e22e9db0c17d732fc456fd09d4b89b147ff1c73e59c5b/lz4-1.1.0.tar.gz
Complete output from command python setup.py egg_info:
/usr/lib64/python2.7/distutils/dist.py:267: UserWarning: Unknown distribution option: 'python_requires'
warnings.warn(msg)
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/tmp/pip-install-QJkJ_x/lz4/setup.py", line 169, in <module>
'Programming Language :: Python :: 3.6',
File "/usr/lib64/python2.7/distutils/core.py", line 112, in setup
_setup_distribution = dist = klass(attrs)
File "/usr/lib/python2.7/site-packages/setuptools/dist.py", line 265, in __init__
self.fetch_build_eggs(attrs.pop('setup_requires'))
File "/usr/lib/python2.7/site-packages/setuptools/dist.py", line 289, in fetch_build_eggs
parse_requirements(requires), installer=self.fetch_build_egg
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 618, in resolve
dist = best[req.key] = env.best_match(req, self, installer)
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 862, in best_match
return self.obtain(req, installer) # try and download/install
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 874, in obtain
return installer(requirement)
File "/usr/lib/python2.7/site-packages/setuptools/dist.py", line 339, in fetch_build_egg
return cmd.easy_install(req)
File "/usr/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 623, in easy_install
return self.install_item(spec, dist.location, tmpdir, deps)
File "/usr/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 653, in install_item
dists = self.install_eggs(spec, download, tmpdir)
File "/usr/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 849, in install_eggs
return self.build_and_install(setup_script, setup_base)
File "/usr/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 1130, in build_and_install
self.run_setup(setup_script, setup_base, args)
File "/usr/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 1115, in run_setup
run_setup(setup_script, args)
File "/usr/lib/python2.7/site-packages/setuptools/sandbox.py", line 69, in run_setup
lambda: execfile(
File "/usr/lib/python2.7/site-packages/setuptools/sandbox.py", line 120, in run
return func()
File "/usr/lib/python2.7/site-packages/setuptools/sandbox.py", line 71, in <lambda>
{'__file__':setup_script, '__name__':'__main__'}
File "setup.py", line 76, in <module>
File "/usr/lib64/python2.7/distutils/core.py", line 112, in setup
_setup_distribution = dist = klass(attrs)
File "/usr/lib/python2.7/site-packages/setuptools/dist.py", line 269, in __init__
_Distribution.__init__(self,attrs)
File "/usr/lib64/python2.7/distutils/dist.py", line 287, in __init__
self.finalize_options()
File "/usr/lib/python2.7/site-packages/setuptools/dist.py", line 302, in finalize_options
ep.load()(self, ep.name, value)
File "/tmp/easy_install-fvc3_R/pytest-runner-4.2/setuptools_scm-3.1.0-py2.7.egg/setuptools_scm/integration.py", line 10, in version_keyword
File "/tmp/easy_install-fvc3_R/pytest-runner-4.2/setuptools_scm-3.1.0-py2.7.egg/setuptools_scm/version.py", line 66, in _warn_if_setuptools_outdated
setuptools_scm.version.SetuptoolsOutdatedWarning: your setuptools is too old (<12)
----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-install-QJkJ_x/lz4/
You are using pip version 18.0, however version 18.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
pyOpenSSL 的问题
team@blacklotus ~/develop/w3af master ./w3af_gui
Your python installation needs the following modules to run w3af:
OpenSSL
After installing any missing operating system packages, use pip to install the remaining modules:
sudo pip install pyOpenSSL==18.0.0
A script with these commands has been created for you at /tmp/w3af_dependency_install.sh
尝试注释 pyOpenSSL 依赖跳过检查 (失败)
vim ./w3af/core/controllers/dependency_check/requirements.py
查看检查过程
vim ./w3af/core/controllers/dependency_check/dependency_check.py
添加
for w3af_req in platform.PIP_PACKAGES[dependency_set]:
for dist in pkg_resources.working_set:
if w3af_req.package_name.lower() == dist.project_name.lower():
w3af_req_version = str(Version(w3af_req.package_version))
dist_version = str(Version(dist.version))
print w3af_req, '#', dist
print w3af_req_version
print dist_version
if w3af_req_version == dist_version:
# It's installed and the version matches!
break
else:
failed_deps.append(w3af_req)
把匹配失败的组件全都列出来
TLSv1_2_METHOD
Something went wrong, w3af failed to start the output manager.
Exception: "There was an error while importing w3af.plugins.output.console: "'module' object has no attribute 'TLSv1_2_METHOD'"."
解决
locate "ssl_wrapper" | grep "/home/team/develop/w3af"
vim ~/develop/w3af/w3af/core/data/url/openssl/ssl_wrapper.py
把 TLSv1_2_METHOD 那行直接注释了
结果
Traceback (most recent call last):
File "./w3af_gui", line 110, in <module>
_main()
File "./w3af_gui", line 106, in _main
sys.exit(main())
File "./w3af_gui", line 100, in main
from w3af.core.ui.gui.main import main as gui_main
File "/home/team/develop/w3af/w3af/core/ui/gui/main.py", line 54, in <module>
from w3af.core.ui.gui import scanrun, helpers, profiles, compare
File "/home/team/develop/w3af/w3af/core/ui/gui/scanrun.py", line 34, in <module>
from w3af.core.ui.gui import httpLogTab, entries
File "/home/team/develop/w3af/w3af/core/ui/gui/httpLogTab.py", line 27, in <module>
from w3af.core.ui.gui.reqResViewer import ReqResViewer
File "/home/team/develop/w3af/w3af/core/ui/gui/reqResViewer.py", line 38, in <module>
from w3af.core.ui.gui.httpeditor import HttpEditor
File "/home/team/develop/w3af/w3af/core/ui/gui/httpeditor.py", line 27, in <module>
import gtksourceview2 as gtksourceview
ImportError: No module named gtksourceview2
GTK 的 gtksourceview2 问题未解决。最终决定切换直接用 Kali 的 w3af 。
参考资料
w3af 文档
http://docs.w3af.org/en/latest/install.html
Leave a Reply