Neurohazard
暮雲煙月,皓首窮經;森羅萬象,如是我聞。

w3af 踩坑笔记

wpadmin~November 28, 2018 /InfoSec

w3af 踩坑笔记

踩坑总结

如果只是 console 模式,还是比较好处理的。
但是搞 GUI 坑奇多, 主要在 GTK 方面。
Web UI (link) 又在 5, 6 年前就停止更新了(基于 Django)。

如果没有特别必要,建议使用集成环境的 w3af (比如 Kali 中的), 不要自己搭建。

【Update】 w3af removed from kali-rolling #14982

Console 记录

source ~/develop/venv_w3af/bin/activate
./w3af_console

GUI 采坑记录

w3af 的运行环境是 用 python 2.7。
建议先新建一个虚拟 python 环境。

virtualenv venv_w3af
source venv_w3af/bin/activate
pip install -r requirements.txt

npm install -g retire

# 之后运行 console 版 w3af
./w3af_console
# 会生成一个自动安装其他依赖的脚本
# 路径为 /tmp/w3af_dependency_install.sh

参考 requirements.txt

pyClamd==0.4.0 
PyGithub==1.21.0 
GitPython==2.1.3 
pybloomfiltermmap==0.3.14 
phply==0.9.1 
nltk==3.0.1 
tblib==0.2.0 
pdfminer==20140328 
futures==3.2.0 
pyOpenSSL==18.0.0 
ndg-httpsclient==0.4.0 
pyasn1==0.4.2 
lxml==3.4.4
scapy==2.4.0
guess-language==0.2 
cluster==1.1.1b3 
msgpack==0.5.6 
python-ntlm==1.0.1 
halberd==0.2.4 
darts.util.lru==0.5 
Jinja2==2.10 
vulndb==0.1.0 
markdown==2.6.1 
psutil==2.2.1 
ds-store==1.1.2 
mitmproxy==0.13 
ruamel.ordereddict==0.4.8 
Flask==0.10.1 
PyYAML==3.12 
tldextract==1.7.2 
pebble==4.3.8 
acora==2.1 
esmre==0.3.1 
diff-match-patch==20121119 
bravado-core==5.0.2 
lz4==1.1.0 
vulners==1.3.0
termcolor==1.1.0
xdot==0.6

GTK

sudo yum install pygtk2 -y
sudo yum install pygtk2-devel -y
sudo yum install pywebkitgtk -y
# sudo yum install gtksourceview2-devel gtksourceview2 gtksourceview gtksourceview-devel -y
# gnome-python2-gtksourceview -y

可以用 import PyGTK 来测试

graphviz

sudo yum install graphviz -y

OpenSSL

sudo yum install openssl -y
sudo yum install openssl-devel -y

分析 dependency

locate dependency | grep "/home/team/develop/w3af"

一些解决的问题

lz4 (your setuptools is too old <12)

使用 wget https://files.pythonhosted.org/packages/e7/b9/12bd58967c5df38e22e9db0c17d732fc456fd09d4b89b147ff1c73e59c5b/lz4-1.1.0.tar.gz

手动安装,安装(lz4-1.1.0)目录下的依赖, (venv_w3af) pip install -r requirements.txt
之后是 python setup.py install

Collecting lz4==1.1.0
  Using cached https://files.pythonhosted.org/packages/e7/b9/12bd58967c5df38e22e9db0c17d732fc456fd09d4b89b147ff1c73e59c5b/lz4-1.1.0.tar.gz
    Complete output from command python setup.py egg_info:
    /usr/lib64/python2.7/distutils/dist.py:267: UserWarning: Unknown distribution option: 'python_requires'
      warnings.warn(msg)
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-install-QJkJ_x/lz4/setup.py", line 169, in <module>
        'Programming Language :: Python :: 3.6',
      File "/usr/lib64/python2.7/distutils/core.py", line 112, in setup
        _setup_distribution = dist = klass(attrs)
      File "/usr/lib/python2.7/site-packages/setuptools/dist.py", line 265, in __init__
        self.fetch_build_eggs(attrs.pop('setup_requires'))
      File "/usr/lib/python2.7/site-packages/setuptools/dist.py", line 289, in fetch_build_eggs
        parse_requirements(requires), installer=self.fetch_build_egg
      File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 618, in resolve
        dist = best[req.key] = env.best_match(req, self, installer)
      File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 862, in best_match
        return self.obtain(req, installer) # try and download/install
      File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 874, in obtain
        return installer(requirement)
      File "/usr/lib/python2.7/site-packages/setuptools/dist.py", line 339, in fetch_build_egg
        return cmd.easy_install(req)
      File "/usr/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 623, in easy_install
        return self.install_item(spec, dist.location, tmpdir, deps)
      File "/usr/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 653, in install_item
        dists = self.install_eggs(spec, download, tmpdir)
      File "/usr/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 849, in install_eggs
        return self.build_and_install(setup_script, setup_base)
      File "/usr/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 1130, in build_and_install
        self.run_setup(setup_script, setup_base, args)
      File "/usr/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 1115, in run_setup
        run_setup(setup_script, args)
      File "/usr/lib/python2.7/site-packages/setuptools/sandbox.py", line 69, in run_setup
        lambda: execfile(
      File "/usr/lib/python2.7/site-packages/setuptools/sandbox.py", line 120, in run
        return func()
      File "/usr/lib/python2.7/site-packages/setuptools/sandbox.py", line 71, in <lambda>
        {'__file__':setup_script, '__name__':'__main__'}
      File "setup.py", line 76, in <module>

      File "/usr/lib64/python2.7/distutils/core.py", line 112, in setup
        _setup_distribution = dist = klass(attrs)
      File "/usr/lib/python2.7/site-packages/setuptools/dist.py", line 269, in __init__
        _Distribution.__init__(self,attrs)
      File "/usr/lib64/python2.7/distutils/dist.py", line 287, in __init__
        self.finalize_options()
      File "/usr/lib/python2.7/site-packages/setuptools/dist.py", line 302, in finalize_options
        ep.load()(self, ep.name, value)
      File "/tmp/easy_install-fvc3_R/pytest-runner-4.2/setuptools_scm-3.1.0-py2.7.egg/setuptools_scm/integration.py", line 10, in version_keyword
      File "/tmp/easy_install-fvc3_R/pytest-runner-4.2/setuptools_scm-3.1.0-py2.7.egg/setuptools_scm/version.py", line 66, in _warn_if_setuptools_outdated
    setuptools_scm.version.SetuptoolsOutdatedWarning: your setuptools is too old (<12)

    ----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-install-QJkJ_x/lz4/
You are using pip version 18.0, however version 18.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

pyOpenSSL 的问题

team@blacklotus  ~/develop/w3af   master  ./w3af_gui
Your python installation needs the following modules to run w3af:
    OpenSSL


After installing any missing operating system packages, use pip to install the remaining modules:
    sudo pip install pyOpenSSL==18.0.0

A script with these commands has been created for you at /tmp/w3af_dependency_install.sh

尝试注释 pyOpenSSL 依赖跳过检查 (失败)
vim ./w3af/core/controllers/dependency_check/requirements.py

查看检查过程
vim ./w3af/core/controllers/dependency_check/dependency_check.py

添加

    for w3af_req in platform.PIP_PACKAGES[dependency_set]:
        for dist in pkg_resources.working_set:
            if w3af_req.package_name.lower() == dist.project_name.lower():

                w3af_req_version = str(Version(w3af_req.package_version))
                dist_version = str(Version(dist.version))

                print w3af_req, '#', dist
                print w3af_req_version
                print dist_version

                if w3af_req_version == dist_version:
                    # It's installed and the version matches!
                    break
        else:
            failed_deps.append(w3af_req)

把匹配失败的组件全都列出来

TLSv1_2_METHOD

Something went wrong, w3af failed to start the output manager.
Exception: "There was an error while importing w3af.plugins.output.console: "'module' object has no attribute 'TLSv1_2_METHOD'"."

解决

locate "ssl_wrapper" | grep "/home/team/develop/w3af"
vim ~/develop/w3af/w3af/core/data/url/openssl/ssl_wrapper.py

把 TLSv1_2_METHOD 那行直接注释了

结果

Traceback (most recent call last):
  File "./w3af_gui", line 110, in <module>
    _main()
  File "./w3af_gui", line 106, in _main
    sys.exit(main())
  File "./w3af_gui", line 100, in main
    from w3af.core.ui.gui.main import main as gui_main
  File "/home/team/develop/w3af/w3af/core/ui/gui/main.py", line 54, in <module>
    from w3af.core.ui.gui import scanrun, helpers, profiles, compare
  File "/home/team/develop/w3af/w3af/core/ui/gui/scanrun.py", line 34, in <module>
    from w3af.core.ui.gui import httpLogTab, entries
  File "/home/team/develop/w3af/w3af/core/ui/gui/httpLogTab.py", line 27, in <module>
    from w3af.core.ui.gui.reqResViewer import ReqResViewer
  File "/home/team/develop/w3af/w3af/core/ui/gui/reqResViewer.py", line 38, in <module>
    from w3af.core.ui.gui.httpeditor import HttpEditor
  File "/home/team/develop/w3af/w3af/core/ui/gui/httpeditor.py", line 27, in <module>
    import gtksourceview2 as gtksourceview
ImportError: No module named gtksourceview2

GTK 的 gtksourceview2 问题未解决。最终决定切换直接用 Kali 的 w3af 。

参考资料

w3af 文档
http://docs.w3af.org/en/latest/install.html

Leave a Reply

Your email address will not be published. Required fields are marked *