Neurohazard

AWVS API Documentation

wpadmin~November 6, 2019 /InfoSec


An unofficial API documentation:
https://github.com/h4rdy/Acunetix11-API-Documentation

Acunetix-API-Documentation

Contents

AWVS11 API
http://blog.csdn.net/qq_31497435/article/details/64441474
http://0cx.cc/about_awvs11_api.jspx

Create a scan target
req:
curl -k --request POST --url https://127.0.0.1:3443/api/v1/targets --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936c8efcfa5045294dc5b87080dd560639ab" --header "content-type: application/json" --data "{\"address\":\"http://10.15.42.33:8090/DAPortal\",\"description\":\"OIDD-DAPortal\",\"criticality\":\"30\"}"
response:
{
  "criticality": 30,
  "target_id": "cc757cb0-f812-4d1e-b6db-ed4d0e14a025",
  "address": "http://10.15.42.33:8090/DAPortal",
  "description": "OIDD-DAPortal"
}

List scan targets
req:
curl -k --request GET --url https://127.0.0.1:3443/api/v1/targets --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936c8efcfa5045294dc5b87080dd560639ab" --header "content-type: application/json"
response:
{
  "pagination": {
    "previous_cursor": 0,
    "next_cursor": null
  },
  "targets": [
    {
      "last_scan_id": null,
      "manual_intervention": null,
      "last_scan_date": null,
      "continuous_mode": false,
      "last_scan_session_id": null,
      "criticality": 30,
      "last_scan_session_status": null,
      "threat": null,
      "severity_counts": null,
      "address": "http://10.15.42.33:8090/DAPortal",
      "description": "OIDD-DAPortal",
      "target_id": "cc757cb0-f812-4d1e-b6db-ed4d0e14a025"
    },
    {
      "last_scan_id": "66a6bbde-5b87-48de-a927-64e83e6c8674",
      "manual_intervention": false,
      "last_scan_date": "2017-08-23T11:05:13.707124+08:00",
      "continuous_mode": false,
      "last_scan_session_id": "539c1fee-1390-4cde-915a-065eb7b92945",
      "criticality": 10,
      "last_scan_session_status": "completed",
      "threat": 3,
      "severity_counts": {
        "info": 17,
        "medium": 42,
        "high": 13,
        "low": 5
      },
      "address": "http://10.15.42.33:8090/DAPortal/",
      "description": "OIDD-DAPortal",
      "target_id": "3b6b0895-91ff-4316-bb33-514efc30c39d"
    }
  ]
}

List scanning profiles
req:
curl -k --request GET --url https://127.0.0.1:3443/api/v1/scanning_profiles --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936c8efcfa5045294dc5b87080dd560639ab" --header "content-type: application/json"

Configure automatic login:
curl -k --request PATCH --url https://127.0.0.1:3443/api/v1/targets/cc757cb0-f812-4d1e-b6db-ed4d0e14a025/configuration --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936c8efcfa5045294dc5b87080dd560639ab" --header "content-type: application/json" --data "{\"login\":{\"kind\": \"automatic\", \"credentials\": {\"enabled\": true, \"password\": \"root123!!!\", \"username\": \"root\"}}}"

Add a login sequence to a scan target (in the second step, if the content contains Chinese characters, the entire message must be transcoded to UTF-8, otherwise an error is returned):
req:
curl -k --request POST --url https://127.0.0.1:3443/api/v1/targets/cc757cb0-f812-4d1e-b6db-ed4d0e14a025/configuration/login_sequence --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936c8efcfa5045294dc5b87080dd560639ab" --header "content-type: application/json" --data "{\"name\":\"test.lsr\",\"size\":316}"
response:
{
  "upload_url": "/uploads/a802f7ea-a066-4a11-98a8-10a821b22ea6"
}

curl -k --request POST --url https://127.0.0.1:3443/uploads/a802f7ea-a066-4a11-98a8-10a821b22ea6 --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936c8efcfa5045294dc5b87080dd560639ab" --header "content-type: application/octet-stream; charset=utf8" --header "Content-Range: bytes 0-315/316" --header "Content-Disposition: attachment; filename=\"test.lsr\"" --data "{{ \"actions\": [ { \"parameters\": { }, \"target\": \"http://10.15.42.33:8090/DAPortal/\", \"timeout\": 20000, \"type\": \"navigate\" } ], \"detection\": { \"pattern\": \"\", \"request\": \"\", \"type\": \"none\" }, \"restrictions\": [ ]}}"
response:
HTTP/1.1 204 OK

curl -k --request PATCH --url https://127.0.0.1:3443/api/v1/targets/cc757cb0-f812-4d1e-b6db-ed4d0e14a025/configuration --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936c8efcfa5045294dc5b87080dd560639ab" --header "content-type: application/json" --data "{\"login\":{\"kind\":\"sequence\"}}"
response:
HTTP/1.1 204 No Content

Delete the login sequence bound to a scan target:
req:
curl -k --request DELETE --url https://127.0.0.1:3443/api/v1/targets/cc757cb0-f812-4d1e-b6db-ed4d0e14a025/configuration/login_sequence --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936c8efcfa5045294dc5b87080dd560639ab" --header "content-type: application/json"

View the configuration of a scan target
curl -k --request GET --url https://127.0.0.1:3443/api/v1/targets/cc757cb0-f812-4d1e-b6db-ed4d0e14a025/configuration --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936c8efcfa5045294dc5b87080dd560639ab" --header "content-type: application/json"

Start a scan:
req:
curl -k -i --request POST --url https://127.0.0.1:3443/api/v1/scans --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936c8efcfa5045294dc5b87080dd560639ab" --header "content-type: application/json" --data "{\"target_id\":\"cc757cb0-f812-4d1e-b6db-ed4d0e14a025\",\"profile_id\":\"11111111-1111-1111-1111-111111111111\",\"schedule\":{\"disable\":false,\"start_date\":null,\"time_sensitive\":false}}"
response:
HTTP/1.1 201 Created
Content-type: application/json; charset=utf8
Cache-Control: no-cache, must-revalidate
Expires: -1
Location: /api/v1/scans/b16c1c44-5862-4e62-ab6b-becaf302a7c1
Pragma: no-cache
Date: Thu, 24 Aug 2017 08:05:19 GMT
Transfer-Encoding: chunked

{
  "profile_id": "11111111-1111-1111-1111-111111111111",
  "schedule": {
    "time_sensitive": false,
    "disable": false,
    "start_date": null
  },
  "target_id": "cc757cb0-f812-4d1e-b6db-ed4d0e14a025",
  "ui_session_id": null
}

Stop a scan:
req:
curl -k -i --request GET --url https://127.0.0.1:3443/api/v1/scans/b16c1c44-5862-4e62-ab6b-becaf302a7c1/abort --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936c8efcfa5045294dc5b87080dd560639ab" --header "content-type: application/json"

Check scan status:
req:
curl -k -i --request GET --url https://127.0.0.1:3443/api/v1/scans/b16c1c44-5862-4e62-ab6b-becaf302a7c1 --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936c8efcfa5045294dc5b87080dd560639ab" --header "content-type: application/json"
response:
HTTP/1.1 200 OK
Content-type: application/json; charset=utf8
Cache-Control: no-cache, must-revalidate
Expires: -1
Pragma: no-cache
Date: Thu, 24 Aug 2017 08:26:14 GMT
Transfer-Encoding: chunked

{
  "profile_id": "11111111-1111-1111-1111-111111111111",
  "schedule": {
    "time_sensitive": false,
    "recurrence": null,
    "disable": false,
    "history_limit": null,
    "start_date": null
  },
  "report_template_id": null,
  "target": {
    "criticality": 30,
    "address": "http://10.15.42.33:8090/DAPortal",
    "description": "OIDD-DAPortal"
  },
  "scan_id": "b16c1c44-5862-4e62-ab6b-becaf302a7c1",
  "profile_name": "Full Scan",
  "current_session": {
    "threat": 3,
    "severity_counts": {
      "info": 14,
      "medium": 12,
      "high": 6,
      "low": 8
    },
    "progress": 0,
    "scan_session_id": "8509eaae-1b72-431c-85f4-a08418e1393b",
    "event_level": 0,
    "status": "completed",
    "start_date": "2017-08-24T16:05:20.034078+08:00"
  },
  "criticality": 30,
  "next_run": null,
  "target_id": "cc757cb0-f812-4d1e-b6db-ed4d0e14a025"
}

View scan statistics:
req:
curl -k -i --request GET --url https://127.0.0.1:3443/api/v1/scans/b16c1c44-5862-4e62-ab6b-becaf302a7c1/results/8509eaae-1b72-431c-85f4-a08418e1393b/statistics --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936c8efcfa5045294dc5b87080dd560639ab" --header "content-type: application/json"

View the vulnerabilities found by a scan:
req:
curl -k -i --request GET --url https://127.0.0.1:3443/api/v1/scans/b16c1c44-5862-4e62-ab6b-becaf302a7c1/results/8509eaae-1b72-431c-85f4-a08418e1393b/vulnerabilities --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936c8efcfa5045294dc5b87080dd560639ab" --header "content-type: application/json"

Get report templates:
req:
curl -k --url https://127.0.0.1:3443/api/v1/report_templates --header "X-Auth:1986ad8c0a5b3df4d7028d5f3c06e936c8efcfa5045294dc5b87080dd560639ab" --header "content-type: application/json"
template_id:
Type                         Value
Affected Items               11111111-1111-1111-1111-111111111115
CWE 2011                     11111111-1111-1111-1111-111111111116
Developer                    11111111-1111-1111-1111-111111111111
Executive Summary            11111111-1111-1111-1111-111111111113
HIPAA                        11111111-1111-1111-1111-111111111114
ISO 27001                    11111111-1111-1111-1111-111111111117
NIST SP800 53                11111111-1111-1111-1111-111111111118
OWASP Top 10 2013            11111111-1111-1111-1111-111111111119
PCI DSS 3.2                  11111111-1111-1111-1111-111111111120
Quick                        11111111-1111-1111-1111-111111111112
Sarbanes Oxley               11111111-1111-1111-1111-111111111121
Scan Comparison              11111111-1111-1111-1111-111111111124
STIG DISA                    11111111-1111-1111-1111-111111111122
WASC Threat Classification   11111111-1111-1111-1111-111111111123

Generate a report:
req:
curl -k -i --request POST --url https://127.0.0.1:3443/api/v1/reports --header "X-Auth: 1986ad8c0a5b3df4d7028d5f3c06e936c8efcfa5045294dc5b87080dd560639ab" --header "content-type: application/json" --data "{\"template_id\":\"11111111-1111-1111-1111-111111111111\",\"source\":{\"list_type\":\"scans\", \"id_list\":[\"b16c1c44-5862-4e62-ab6b-becaf302a7c1\"]}}"
response:
HTTP/1.1 201 Created
Content-type: application/json; charset=utf8
Cache-Control: no-cache, must-revalidate
Expires: -1
Location: /api/v1/reports/1a283cf1-e015-4743-b976-cfc9dbf24d5a
Pragma: no-cache
Date: Thu, 24 Aug 2017 08:39:12 GMT
Transfer-Encoding: chunked

A 201 HTTP response shows that the request succeeded, and it includes a Location header carrying the id (for example, Location: /api/v1/reports/1a283cf1-e015-4743-b976-cfc9dbf24d5a). This id can be used to download the report by accessing the URL: https://127.0.0.1:3443/reports/download/1a283cf1-e015-4743-b976-cfc9dbf24d5a.pdf. The latest version also provides an HTML version of the report, which can be accessed at https://127.0.0.1:3443/reports/download/1a283cf1-e015-4743-b976-cfc9dbf24d5a.html.

Download the report:
req:
curl -k -o E:\myFile.html --url https://127.0.0.1:3443/reports/download/1a283cf1-e015-4743-b976-cfc9dbf24d5a.html
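
The calls above chain together through ids returned by the scanner: the Location header of each 201 reply, and scan_id plus scan_session_id in the status reply. The following is an added example, not code from the original post or from Acunetix, showing how a script can carry those ids from one step to the next and check their shape before building the next URL. The function names are hypothetical, and it assumes "completed" (the only status shown on this page) marks a finished scan.

```python
import json
import re

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
BASE = "https://127.0.0.1:3443"  # scanner address used throughout the page


def id_from_location(raw_response, resource):
    """Return the new object's id from the Location header of a 201 reply."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0].splitlines()
    if not re.match(r"HTTP/\d\.\d 201\b", head[0]):
        raise ValueError("not a 201 Created reply: " + head[0])
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            m = re.fullmatch(rf"/api/v1/{resource}/({UUID})", value.strip())
            if m:
                return m.group(1)
            raise ValueError("unexpected Location: " + value.strip())
    raise ValueError("no Location header")


def results_urls(status_body):
    """Build the statistics/vulnerabilities URLs once the session is completed."""
    scan = json.loads(status_body)
    session = scan["current_session"]
    if session["status"] != "completed":
        return None  # not finished: keep polling the scan status endpoint
    root = f"{BASE}/api/v1/scans/{scan['scan_id']}/results/{session['scan_session_id']}"
    return {"statistics": root + "/statistics", "vulnerabilities": root + "/vulnerabilities"}


def report_download_url(report_id, fmt="pdf"):
    """Download URL for a generated report (the page shows pdf and html)."""
    if not re.fullmatch(UUID, report_id) or fmt not in ("pdf", "html"):
        raise ValueError("bad report id or format")
    return f"{BASE}/reports/download/{report_id}.{fmt}"


# Replies copied from the page, trimmed to the fields used here.
SCAN_CREATED = "HTTP/1.1 201 Created\r\nLocation: /api/v1/scans/b16c1c44-5862-4e62-ab6b-becaf302a7c1\r\n\r\n{}"
REPORT_CREATED = "HTTP/1.1 201 Created\nLocation: /api/v1/reports/1a283cf1-e015-4743-b976-cfc9dbf24d5a\n\n"
STATUS = json.dumps({"scan_id": "b16c1c44-5862-4e62-ab6b-becaf302a7c1", "current_session": {
    "status": "completed", "scan_session_id": "8509eaae-1b72-431c-85f4-a08418e1393b"}})

if __name__ == "__main__":
    print(id_from_location(SCAN_CREATED, "scans"))
    print(results_urls(STATUS)["vulnerabilities"])
    print(report_download_url(id_from_location(REPORT_CREATED, "reports"), "html"))
```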

Partial references:
https://github.com/h4rdy/Acunetix11-API-Documentation
