Difference between revisions of "Kali Linux: Scan Vulnerability menggunakan Grabber"
Jump to navigation
Jump to search
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
| Line 4: | Line 4: | ||
Grabber is a web application scanner. Basically it detects some kind of vulnerabilities in your website. Grabber is simple, not fast but portable and really adaptable. This software is designed to scan small websites such as personals, forums etc. absolutely not big application: it would take too long time and flood your network. | Grabber is a web application scanner. Basically it detects some kind of vulnerabilities in your website. Grabber is simple, not fast but portable and really adaptable. This software is designed to scan small websites such as personals, forums etc. absolutely not big application: it would take too long time and flood your network. | ||
| − | + | Fitur: | |
| − | + | * Cross-Site Scripting | |
| − | + | * SQL Injection (there is also a special Blind SQL Injection module) | |
| − | + | * File Inclusion | |
| − | + | * Backup files check | |
| − | + | * Simple AJAX check (parse every JavaScript and get the URL and try to get the parameters) | |
| − | + | * Hybrid analysis/Crystal ball testing for PHP application using PHP-SAT | |
| − | + | * JavaScript source code analyzer: Evaluation of the quality/correctness of the JavaScript with JavaScript Lint | |
| − | + | * Generation of a file [session_id, time(t)] for next stats analysis. | |
| − | + | ==Perintah Grabber== | |
| − | Grabber | ||
| − | + | grabber -h | |
| − | |||
| − | + | Usage: grabber.py [options] | |
| − | + | ||
| − | + | Options: | |
| − | + | -h, --help show this help message and exit | |
| + | -u ARCHIVES_URL, --url=ARCHIVES_URL | ||
| + | Adress to investigate | ||
| + | -s, --sql Look for the SQL Injection | ||
| + | -x, --xss Perform XSS attacks | ||
| + | -b, --bsql Look for blind SQL Injection | ||
| + | -z, --backup Look for backup files | ||
| + | -d SPIDER, --spider=SPIDER | ||
| + | Look for every files | ||
| + | -i, --include Perform File Insertion attacks | ||
| + | -j, --javascript Test the javascript code ? | ||
| + | -c, --crystal Simple crystal ball test. | ||
| + | -e, --session Session evaluations | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
==grabber Usage Example== | ==grabber Usage Example== | ||
| − | Spider | + | Spider web application untuk ke dalaman 2 (–spider 2), cek SQLi (--sql), XSS (--xss), blind SQLi (--bsql) attack untuk URL (--url http://192.168.0.100/DVWA-1.9/): |
| − | + | grabber --spider 2 --sql --xss --bsql --url http://192.168.0.100/DVWA-1.9/ | |
Start scanning... http://192.168.1.224 | Start scanning... http://192.168.1.224 | ||
Revision as of 05:32, 4 April 2017
Sumber: http://tools.kali.org/web-applications/grabber
Grabber is a web application scanner. Basically it detects some kind of vulnerabilities in your website. Grabber is simple, not fast but portable and really adaptable. This software is designed to scan small websites such as personals, forums etc. absolutely not big application: it would take too long time and flood your network.
Fitur:
- Cross-Site Scripting
- SQL Injection (there is also a special Blind SQL Injection module)
- File Inclusion
- Backup files check
- Simple AJAX check (parse every JavaScript and get the URL and try to get the parameters)
- Hybrid analysis/Crystal ball testing for PHP application using PHP-SAT
- JavaScript source code analyzer: Evaluation of the quality/correctness of the JavaScript with JavaScript Lint
- Generation of a file [session_id, time(t)] for next stats analysis.
Perintah Grabber
grabber -h
Usage: grabber.py [options]
Options:
-h, --help show this help message and exit
-u ARCHIVES_URL, --url=ARCHIVES_URL
Adress to investigate
-s, --sql Look for the SQL Injection
-x, --xss Perform XSS attacks
-b, --bsql Look for blind SQL Injection
-z, --backup Look for backup files
-d SPIDER, --spider=SPIDER
Look for every files
-i, --include Perform File Insertion attacks
-j, --javascript Test the javascript code ?
-c, --crystal Simple crystal ball test.
-e, --session Session evaluations
grabber Usage Example
Spider web application untuk ke dalaman 2 (–spider 2), cek SQLi (--sql), XSS (--xss), blind SQLi (--bsql) attack untuk URL (--url http://192.168.0.100/DVWA-1.9/):
grabber --spider 2 --sql --xss --bsql --url http://192.168.0.100/DVWA-1.9/
Start scanning... http://192.168.1.224 runSpiderScan @ http://192.168.1.224 | # 1 Start investigation... Method = GET http://192.168.1.224 [Cookie] 0 : <Cookie PHPSESSID=2742cljd8u6aclfktf1sh284u7 for 192.168.1.224/> [Cookie] 1 : <Cookie security=high for 192.168.1.224/> Method = GET http://192.168.1.224 [Cookie] 0 : <Cookie PHPSESSID=2742cljd8u6aclfktf1sh284u7 for 192.168.1.224/> [Cookie] 1 : <Cookie security=high for 192.168.1.224/>