How to Use XSpear for XSS Scanning and Parameter Analysis
Source: 岁月联盟
Date: 2020-01-29
-c, --config=FILENAME [optional] Using config.json
-v, --verbose=0~3 [optional] Show log depth
+ v=0 : quite mode(only result)
+ v=1 : show scanning status(default)
+ v=2 : show scanning logs
+ v=3 : show detail log(req/res)
-h, --help Prints this help
--version Show XSpear version
--update Show how to update
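Result types
(I)NFO: Gathered information, such as SQL errors, filter rules and reflected parameters
(V)UNL: Vulnerable XSS; detects alert/prompt/confirm
(L)OW: Low-severity security issue
(M)EDIUM: Medium-severity security issue
(H)IGH: High-severity security issue
Verbose mode
【0】Quiet mode (results only)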
$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 0
you see report
【1】Show progress bar (default)
$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 1
[*] analysis request..
[*] used test-reflected-params mode(default)
[*] creating a test query [for reflected 2 param + blind XSS ]
[*] test query generation is complete. [249 query]
[*] starting XSS Scanning. [10 threads]
[#######################################] [249/249] [100.00%] [01:05] [00:00] [ 3.83/s]
...
you see report
【2】Show scan logs
$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 2
[*] analysis request..
[I] [22:42:41] [200/OK] [param: cat][Found SQL Error Pattern]
[-] [22:42:41] [200/OK] 'STATIC' not reflected
[-] [22:42:41] [200/OK] 'cat' not reflected <script>alert(45)</script>
[I] [22:42:41] [200/OK] reflected rEfe6[param: cat][reflected parameter]
[*] used test-reflected-params mode(default)
[*] creating a test query [for reflected 2 param + blind XSS ]
[*] test query generation is complete. [249 query]
[*] starting XSS Scanning. [10 threads]
[I] [22:42:43] [200/OK] reflected onhwul=64[param: cat][reflected EHon{any} pattern]
[-] [22:42:54] [200/OK] 'cat' not reflected <img/src onerror=alert(45)>
[-] [22:42:54] [200/OK] 'cat' not reflected <svg/onload=alert(45)>
[H] [22:42:54] [200/OK] reflected <script>alert(45)</script>[param: cat][reflected XSS
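For triaging a saved -v 2 log, the following added example (not part of XSpear or the original article) parses the finding lines and reports the worst result type per parameter. The line layout is inferred from the sample output above, and ranking V ahead of H is an assumption of this example; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Triage rank, most urgent first. Letters come from the result-type list above;
# placing V (alert/prompt/confirm detected) ahead of H is this example's assumption.
RANK = "VHMLI"

# Line layout inferred from the -v 2 sample on this page (an assumption):
#   [LEVEL] [HH:MM:SS] [status/reason] message[param: NAME][pattern]
LINE_RE = re.compile(
    r"^\[(?P<level>[IVLMH])\] \[(?P<time>\d\d:\d\d:\d\d)\] "
    r"\[(?P<status>\d{3})/[^\]]*\] (?P<rest>.*)$"
)
PARAM_RE = re.compile(r"\[param: ([^\]]+)\]")

def parse_line(line):
    """Return a finding dict, or None for status ([*]), miss ([-]) and other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    param = PARAM_RE.search(m["rest"])
    return {"level": m["level"], "time": m["time"], "status": int(m["status"]),
            "param": param.group(1) if param else None, "detail": m["rest"]}

def triage(lines):
    """Group findings by parameter and report each parameter's worst level."""
    grouped = defaultdict(list)
    for finding in filter(None, map(parse_line, lines)):
        grouped[finding["param"]].append(finding)
    return {param: {"worst": min((f["level"] for f in fs), key=RANK.index),
                    "count": len(fs)}
            for param, fs in grouped.items()}

# Constructed sample modelled on the log lines shown above; PAYLOAD is a placeholder.
SAMPLE = """\
[*] analysis request..
[I] [22:42:41] [200/OK] [param: cat][Found SQL Error Pattern]
[-] [22:42:41] [200/OK] 'STATIC' not reflected
[I] [22:42:41] [200/OK] reflected rEfe6[param: cat][reflected parameter]
[H] [22:42:54] [200/OK] reflected PAYLOAD[param: cat][reflected XSS
[I] [22:42:55] [200/OK] reflected rEfe6[param: id][reflected parameter]
""".splitlines()

if __name__ == "__main__":
    for param, summary in triage(SAMPLE).items():
        print(param, summary)
```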