I need to check whether my web server is in a vulnerable state. Nessus is useful for that.
The procedure is as follows.
1. Install Nessus normally and launch it.
2. In the Plugins section, select the web application family, disable everything else, and enable only the Web Servers item. If you have the time, enabling everything is fine too.
3. Click Scans at the top, enter a name, choose Web Application as the Policy, and enter the target's IP.
4. Run the scan for about 5 minutes and you can see vulnerability results like the following.
After setting up an Apache server earlier I left the info.php file in place, and the following vulnerabilities were found.
Summarizing the results from the top:
Plug-in ID | 49704 |
Name | External URLs |
Published | 2010/10/04 |
Modified | 2011/08/19 |
Port | 80/TCP/WWW |
Description | Nessus gathered HREF links to external sites by crawling the remote web server. |
Output | 9 external URLs were gathered on this web server :
URL... - Seen on...
http://httpd.apache.org/docs/2.4/mod/mod_userdir.html - /
http://manpages.debian.org/cgi-bin/man.cgi?query=a2disconf - /
http://manpages.debian.org/cgi-bin/man.cgi?query=a2dismod - /
http://manpages.debian.org/cgi-bin/man.cgi?query=a2dissite - /
http://manpages.debian.org/cgi-bin/man.cgi?query=a2enconf - /
http://manpages.debian.org/cgi-bin/man.cgi?query=a2enmod - / |
Plug-in ID | 43111 |
Name | HTTP Methods Allowed (per directory) |
Published | 2009/12/10 |
Modified | 2013/05/09 |
Port | 80/TCP/WWW |
Description | By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory. As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501. |
Output | Based on the response to an OPTIONS request :
- HTTP methods GET HEAD OPTIONS POST are allowed on :
/
//192.168.1.129
/icons
Based on tests of each method : |
Plug-in ID | 11032 |
Name | Web Server Directory Enumeration |
Published | 2002/06/26 |
Modified | 2013/04/02 |
Port | 80/TCP/WWW |
Description | This plugin attempts to determine the presence of various common directories on the remote web server. By sending a request for a directory, the web server response code indicates if it is a valid directory or not. |
Output | The following directories were discovered:
/icons
While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards |
When you actually open URL/icons, the following web page appears. This confirms that my server has an icons folder.
Plug-in ID | 10107 |
Name | HTTP Server Type and Version |
Published | 2000/01/04 |
Modified | 2014/08/01 |
Port | 80/TCP/WWW |
Description | This plugin attempts to determine the type and the version of the remote web server. |
Output | The remote web server type is :
Apache/2.4.7 (Ubuntu)
You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers. |
Plug-in ID | 24260 |
Name | HyperText Transfer Protocol (HTTP) Information |
Published | 2000/01/04 |
Modified | 2014/08/01 |
Port | 80/TCP/WWW |
Description | This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc...
This test is informational only and does not denote any security problem. |
Output | Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :
Date: Mon, 10 Nov 2014 12:45:36 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Mon, 10 Nov 2014 10:45:34 GMT
ETag: "2cf6-5077edcc4b1e3" |
I was able to confirm this result myself through DOM Explorer (press F12 in IE).
The Apache server version, IP address, port number and so on could all be seen there.
Plug-in ID | 48243 |
Name | PHP Version |
Published | 2010/08/04 |
Modified | 2014/10/31 |
Port | 80/TCP/WWW |
Description | This plugin attempts to determine the version of PHP available on the remote web server. |
Output | Nessus was able to identify the following PHP version information :
Version : 5.5.9-1ubuntu4.5
Source : http://192.168.1.129//info.php |
This finding can likewise be confirmed by pressing F12 in Internet Explorer to open DOM Explorer: through info.php the PHP version information and more can be read off.
Plug-in ID | 11219 |
Name | Nessus SYN scanner |
Published | 2009/02/04 |
Modified | 2014/01/23 |
Port | 80/TCP/WWW |
Description | This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded. |
Output | Port 80/tcp was found to be open |
Plug-in ID | 11229 |
Name | Web Server info.php/ phpinfo.php Detection |
Published | 2003/02/12 |
Modified | 2013/10/23 |
Port | 80/TCP/WWW |
Description | Many PHP installation tutorials instruct the user to create a PHP file that calls the PHP function 'phpinfo()' for debugging purposes. Various PHP applications may also include such a file. By accessing such a file, a remote attacker can discover a large amount of information about the remote web server, including :
- The username of the user who installed PHP and if they are a SUDO user.
- The IP address of the host.
- The version of the operating system.
- The web server version.
- The root directory of the web server.
- Configuration information about the remote PHP installation. |
Output | Nessus discovered the following URLs that call phpinfo() :
- http://192.168.2.128/info.php
- http://192.168.2.128//info.php |
Through info.php I could find out the user name, IP address, OS version, server version, web server root directory, PHP installation details and more. Deleting it quickly seems the wise thing to do.
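The three findings that actually matter here (plugin 10107's version-revealing Server header, plugin 43111's per-directory HTTP methods, and plugin 11229's reachable phpinfo() page) can be re-checked on your own server without re-running a full Nessus scan. The script below is an added example written for this post, not Nessus code or the blog author's own; it reproduces the plugin logic described above (the 400/403/405/501 rule, the 'ServerTokens Prod' advice, the info.php/phpinfo.php check) as pure functions, pairs each finding with the Apache fix, and adds a small `audit_site()` wrapper for live use. The sample header values and phpinfo HTML fragment are constructed to match the scan output quoted above.

```python
"""Re-check the web-server findings from the Nessus report against your own host.

Added example (not from Nessus or the original post). The sample data at the
bottom is constructed to mirror the quoted scan output.
"""
import re
import sys
import urllib.error
import urllib.request

# Methods that are rarely needed on a static/PHP site and deserve a second look.
UNSAFE_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT", "PATCH"}

# Status codes plugin 43111 treats as "method not supported on this directory".
UNSUPPORTED_STATUS = {400, 403, 405, 501}


def server_header_leaks_version(server_value):
    """True when the Server header carries a product version, e.g. 'Apache/2.4.7 (Ubuntu)'.
    With 'ServerTokens Prod' Apache sends just 'Apache', which has no '/<digits>' part."""
    return re.search(r"/\d+(\.\d+)*", server_value or "") is not None


def parse_allow_header(allow_value):
    """Split an Allow header ('GET,HEAD, POST') into a set of upper-case method names."""
    return {m.strip().upper() for m in re.split(r"[,\s]+", allow_value or "") if m.strip()}


def risky_methods(allow_value):
    """Methods from the Allow header that fall in UNSAFE_METHODS, sorted for stable output."""
    return sorted(parse_allow_header(allow_value) & UNSAFE_METHODS)


def method_supported(status_code):
    """Apply the plugin's rule: 400/403/405/501 mean the method is not supported."""
    return status_code not in UNSUPPORTED_STATUS


def looks_like_phpinfo(body):
    """phpinfo() output always carries the title 'phpinfo()' and a 'PHP Version' heading."""
    return "phpinfo()" in body and "PHP Version" in body


def php_version_from_body(body):
    """Pull the version string out of the '<h1 class="p">PHP Version x.y.z</h1>' heading."""
    m = re.search(r"PHP Version\s*(?:<[^>]+>\s*)*([0-9][\w.+~-]*)", body or "")
    return m.group(1) if m else None


def audit_responses(server_header, allow_header, phpinfo_body):
    """Combine the checks into a list of (finding, fix) tuples; empty list means clean."""
    findings = []
    if server_header_leaks_version(server_header):
        findings.append(("Server header discloses version: %s" % server_header,
                         "set 'ServerTokens Prod' and 'ServerSignature Off' in apache2.conf"))
    risky = risky_methods(allow_header)
    if risky:
        findings.append(("Potentially unsafe HTTP methods allowed: %s" % ", ".join(risky),
                         "restrict with <LimitExcept GET POST HEAD> Require all denied </LimitExcept>"))
    if phpinfo_body is not None and looks_like_phpinfo(phpinfo_body):
        version = php_version_from_body(phpinfo_body) or "unknown"
        findings.append(("phpinfo() page reachable (PHP %s)" % version,
                         "delete info.php / phpinfo.php from the document root"))
    return findings


def fetch(url, method="GET"):
    """Return (status, headers, body) for one request; an HTTP error is still an answer."""
    req = urllib.request.Request(url, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read().decode("utf-8", "replace")


def audit_site(base_url):
    """Run the three checks live, e.g. audit_site('http://192.168.1.129') on your own host."""
    _, headers, _ = fetch(base_url + "/")
    _, opt_headers, _ = fetch(base_url + "/", method="OPTIONS")
    status, _, body = fetch(base_url + "/info.php")
    return audit_responses(headers.get("Server"), opt_headers.get("Allow"),
                           body if status == 200 else None)


# Constructed sample responses modelled on the scan output quoted in the post.
SAMPLE_SERVER = "Apache/2.4.7 (Ubuntu)"
SAMPLE_ALLOW = "GET,HEAD,OPTIONS,POST"
SAMPLE_PHPINFO = ('<html><head><title>phpinfo()</title></head><body>'
                  '<h1 class="p">PHP Version 5.5.9-1ubuntu4.5</h1></body></html>')

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_site(sys.argv[1].rstrip("/"))   # live check of your own server
    else:
        results = audit_responses(SAMPLE_SERVER, SAMPLE_ALLOW, SAMPLE_PHPINFO)
    for finding, fix in results:
        print("- %s\n    fix: %s" % (finding, fix))
```

Run it with no arguments to see the two findings the sample data produces (version disclosure and a reachable phpinfo page; GET/HEAD/OPTIONS/POST is not flagged), or pass `http://<your-server>` to check a live host. Once `ServerTokens Prod` is set and info.php is removed, `audit_responses()` returns an empty list, which is the condition a post-fix Nessus rescan should also confirm.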