[Research] WhatWaf 2.1.6.3 WAF detection tool - installation and testing (Rocky Linux 9.5)
2025-05-09
Installation
[user1@localhost ~]$ sudo dnf install -y python3 git

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for user1:
Package python3-3.9.19-8.el9_5.1.x86_64 is already installed.
Dependencies resolved.
=================================================================================
 Package                     Architecture Version           Repository     Size
=================================================================================
Installing:
 git                         x86_64       2.43.5-2.el9_5    appstream      50 k
Upgrading:
 python-unversioned-command  noarch       3.9.21-1.el9_5    appstream     9.1 k
 python3                     x86_64       3.9.21-1.el9_5    baseos         26 k
 python3-libs                x86_64       3.9.21-1.el9_5    baseos        7.5 M
Installing dependencies:
 git-core                    x86_64       2.43.5-2.el9_5    appstream     4.4 M
 git-core-doc                noarch       2.43.5-2.el9_5    appstream     2.7 M
 perl-Error                  noarch       1:0.17029-7.el9   appstream      41 k
 perl-Git                    noarch       2.43.5-2.el9_5    appstream      37 k
 perl-TermReadKey            x86_64       2.38-11.el9       appstream      36 k
 perl-lib                    x86_64       0.65-481.el9      appstream      13 k

Transaction Summary
=================================================================================
Install  7 Packages
Upgrade  3 Packages

Total download size: 15 M
Downloading Packages:
(1/10): perl-Error-0.17029-7.el9.noarch.rpm                   111 kB/s |  41 kB     00:00
(2/10): perl-Git-2.43.5-2.el9_5.noarch.rpm                    244 kB/s |  37 kB     00:00
(3/10): perl-TermReadKey-2.38-11.el9.x86_64.rpm                53 kB/s |  36 kB     00:00
(4/10): perl-lib-0.65-481.el9.x86_64.rpm                       16 kB/s |  13 kB     00:00
(5/10): git-2.43.5-2.el9_5.x86_64.rpm                          43 kB/s |  50 kB     00:01
(6/10): git-core-doc-2.43.5-2.el9_5.noarch.rpm                362 kB/s | 2.7 MB     00:07
(7/10): git-core-2.43.5-2.el9_5.x86_64.rpm                    560 kB/s | 4.4 MB     00:08
(8/10): python-unversioned-command-3.9.21-1.el9_5.noarch.rpm  116 kB/s | 9.1 kB     00:00
(9/10): python3-3.9.21-1.el9_5.x86_64.rpm                     6.2 kB/s |  26 kB     00:04
(10/10): python3-libs-3.9.21-1.el9_5.x86_64.rpm               233 kB/s | 7.5 MB     00:33
------------------------------------------------------------------------------------------------
Total                                                         392 kB/s |  15 MB     00:38
Rocky Linux 9 - AppStream                                     1.7 MB/s | 1.7 kB     00:00
Importing GPG key 0x350D275D:
 Userid     : "Rocky Enterprise Software Foundation - Release key 2022 <releng@rockylinux.org>"
 Fingerprint: 21CB 256A E16F C54C 6E65 2949 702D 426D 350D 275D
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                      1/1
  Installing       : git-core-2.43.5-2.el9_5.x86_64                      1/13
  Installing       : git-core-doc-2.43.5-2.el9_5.noarch                  2/13
  Upgrading        : python-unversioned-command-3.9.21-1.el9_5.noarch    3/13
  Upgrading        : python3-3.9.21-1.el9_5.x86_64                       4/13
  Upgrading        : python3-libs-3.9.21-1.el9_5.x86_64                  5/13
  Installing       : perl-TermReadKey-2.38-11.el9.x86_64                 6/13
  Installing       : perl-lib-0.65-481.el9.x86_64                        7/13
  Installing       : perl-Error-1:0.17029-7.el9.noarch                   8/13
  Installing       : git-2.43.5-2.el9_5.x86_64                           9/13
  Installing       : perl-Git-2.43.5-2.el9_5.noarch                     10/13
  Cleanup          : python3-libs-3.9.19-8.el9_5.1.x86_64               11/13
  Cleanup          : python3-3.9.19-8.el9_5.1.x86_64                    12/13
  Cleanup          : python-unversioned-command-3.9.19-8.el9_5.1.noarch 13/13
  Running scriptlet: python-unversioned-command-3.9.19-8.el9_5.1.noarch 13/13
  Verifying        : perl-Error-1:0.17029-7.el9.noarch                   1/13
  Verifying        : perl-lib-0.65-481.el9.x86_64                        2/13
  Verifying        : perl-TermReadKey-2.38-11.el9.x86_64                 3/13
  Verifying        : perl-Git-2.43.5-2.el9_5.noarch                      4/13
  Verifying        : git-core-doc-2.43.5-2.el9_5.noarch                  5/13
  Verifying        : git-core-2.43.5-2.el9_5.x86_64                      6/13
  Verifying        : git-2.43.5-2.el9_5.x86_64                           7/13
  Verifying        : python3-libs-3.9.21-1.el9_5.x86_64                  8/13
  Verifying        : python3-libs-3.9.19-8.el9_5.1.x86_64                9/13
  Verifying        : python3-3.9.21-1.el9_5.x86_64                      10/13
  Verifying        : python3-3.9.19-8.el9_5.1.x86_64                    11/13
  Verifying        : python-unversioned-command-3.9.21-1.el9_5.noarch   12/13
  Verifying        : python-unversioned-command-3.9.19-8.el9_5.1.noarch 13/13

Upgraded:
  python-unversioned-command-3.9.21-1.el9_5.noarch
  python3-3.9.21-1.el9_5.x86_64
  python3-libs-3.9.21-1.el9_5.x86_64
Installed:
  git-2.43.5-2.el9_5.x86_64
  git-core-2.43.5-2.el9_5.x86_64
  git-core-doc-2.43.5-2.el9_5.noarch
  perl-Error-1:0.17029-7.el9.noarch
  perl-Git-2.43.5-2.el9_5.noarch
  perl-TermReadKey-2.38-11.el9.x86_64
  perl-lib-0.65-481.el9.x86_64

Complete!
[user1@localhost ~]$ python3 --version
Python 3.9.21
[user1@localhost ~]$ git clone https://github.com/Ekultek/WhatWaf.git
Cloning into 'WhatWaf'...
remote: Enumerating objects: 2481, done.
remote: Counting objects: 100% (750/750), done.
remote: Compressing objects: 100% (177/177), done.
remote: Total 2481 (delta 617), reused 573 (delta 573), pack-reused 1731 (from 1)
Receiving objects: 100% (2481/2481), 453.40 KiB | 53.00 KiB/s, done.
Resolving deltas: 100% (1646/1646), done.
[user1@localhost ~]$ cd WhatWaf
[user1@localhost WhatWaf]$ python3 -m venv venv
[user1@localhost WhatWaf]$ source venv/bin/activate
(venv) [user1@localhost WhatWaf]$ pip install -r requirements.txt
Collecting beautifulsoup4>=4.6.3
  Downloading beautifulsoup4-4.13.4-py3-none-any.whl (187 kB)
     |████████████████████████████████| 187 kB 1.5 MB/s
Collecting requests>=2.20.0
  Downloading requests-2.32.3-py3-none-any.whl (64 kB)
     |████████████████████████████████| 64 kB 4.9 MB/s
Collecting psutil>=5.7.0
  Downloading psutil-7.0.0-cp36-abi3-manylinux_2_12_x86_64.manylinux2010_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl (277 kB)
     |████████████████████████████████| 277 kB 639 kB/s
Collecting gitpython
  Downloading GitPython-3.1.44-py3-none-any.whl (207 kB)
     |████████████████████████████████| 207 kB 1.6 MB/s
Collecting soupsieve>1.2
  Downloading soupsieve-2.7-py3-none-any.whl (36 kB)
Collecting typing-extensions>=4.0.0
  Downloading typing_extensions-4.13.2-py3-none-any.whl (45 kB)
     |████████████████████████████████| 45 kB 134 kB/s
Collecting urllib3<3,>=1.21.1
  Downloading urllib3-2.4.0-py3-none-any.whl (128 kB)
     |████████████████████████████████| 128 kB 57 kB/s
Collecting certifi>=2017.4.17
  Downloading certifi-2025.4.26-py3-none-any.whl (159 kB)
     |████████████████████████████████| 159 kB 30 kB/s
Collecting charset-normalizer<4,>=2
  Downloading charset_normalizer-3.4.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (149 kB)
     |████████████████████████████████| 149 kB 121 kB/s
Collecting idna<4,>=2.5
  Downloading idna-3.10-py3-none-any.whl (70 kB)
     |████████████████████████████████| 70 kB 240 kB/s
Collecting gitdb<5,>=4.0.1
  Downloading gitdb-4.0.12-py3-none-any.whl (62 kB)
     |████████████████████████████████| 62 kB 234 kB/s
Collecting smmap<6,>=3.0.1
  Downloading smmap-5.0.2-py3-none-any.whl (24 kB)
Installing collected packages: smmap, urllib3, typing-extensions, soupsieve, idna, gitdb, charset-normalizer, certifi, requests, psutil, gitpython, beautifulsoup4
Successfully installed beautifulsoup4-4.13.4 certifi-2025.4.26 charset-normalizer-3.4.2 gitdb-4.0.12 gitpython-3.1.44 idna-3.10 psutil-7.0.0 requests-2.32.3 smmap-5.0.2 soupsieve-2.7 typing-extensions-4.13.2 urllib3-2.4.0
WARNING: You are using pip version 21.3.1; however, version 25.1.1 is available.
You should consider upgrading via the '/home/user1/WhatWaf/venv/bin/python3 -m pip install --upgrade pip' command.
(venv) [user1@localhost WhatWaf]$
Trial run
(venv) [user1@localhost WhatWaf]$ whatwaf -u https://192.168.128.144/dvwa/login.php
bash: whatwaf: command not found...
(venv) [user1@localhost WhatWaf]$ ./whatwaf -u https://192.168.128.144/dvwa/login.php
[14:59:23][INFO] currently running on: linux
(WhatWaf ASCII-art banner)
%00/><script>alert("WhatWaf?<|>v2.1.6.3($dev)");</script>
[14:59:23][INFO] attempting to update WhatWaf
[14:59:24][INFO] WhatWaf is the newest version
[14:59:24][WARN] it is highly advised to use a proxy when using WhatWaf. do so by passing the proxy flag (IE `--proxy http://127.0.0.1:9050`) or by passing the Tor flag (IE `--tor`)
[14:59:24][INFO] using User-Agent 'whatwaf/2.1.6.3 (Language=3.9.21; Platform=Linux)'
[14:59:24][INFO] using default payloads
[14:59:24][INFO] testing connection to target URL before starting attack
[14:59:24][SUCCESS] connection succeeded, continuing
[14:59:24][INFO] running single web application 'https://192.168.128.144/dvwa/login.php'
[14:59:24][WARN] URL does not appear to have a query (parameter), this may interfere with the detection results
[14:59:24][INFO] request type: GET
[14:59:24][INFO] gathering HTTP responses
[14:59:24][INFO] gathering normal response to compare against
[14:59:24][INFO] loading firewall detection scripts
[14:59:24][INFO] running firewall detection checks
[14:59:25][WARN] no protection identified on target, verifying
[14:59:25][INFO] target seems to be behind some kind of protection for the following reasons:
------------------------------
[1] header values differ when a payload is provided
[2] response status code differs when a payload is provided
------------------------------
[14:59:25][PROMPT] would you like to create an issue with the discovered unknown firewall to potentially get a detection script created for it[y/N]:
[14:59:37][INFO] for further analysis the WAF fingerprint can be found in: '/home/user1/.whatwaf/fingerprints/www.192.168.128.144'
[14:59:37][INFO] URL has been cached for future use
[14:59:37][INFO] Skipping mining procedure
(venv) [user1@localhost WhatWaf]$ ./whatwaf -u https://(redacted)/
[15:01:09][INFO] currently running on: linux
(WhatWaf ASCII-art banner)
/><script>alert("WhatWaf?<|>v2.1.6.3($dev)");</script>
[15:01:09][INFO] attempting to update WhatWaf
[15:01:10][INFO] WhatWaf is the newest version
[15:01:10][WARN] it is highly advised to use a proxy when using WhatWaf. do so by passing the proxy flag (IE `--proxy http://127.0.0.1:9050`) or by passing the Tor flag (IE `--tor`)
[15:01:10][INFO] using User-Agent 'whatwaf/2.1.6.3 (Language=3.9.21; Platform=Linux)'
[15:01:10][INFO] using default payloads
[15:01:10][INFO] testing connection to target URL before starting attack
[15:01:20][SUCCESS] connection succeeded, continuing
[15:01:20][INFO] running single web application 'https://(redacted)/'
[15:01:20][WARN] URL does not appear to have a query (parameter), this may interfere with the detection results
[15:01:20][INFO] request type: GET
[15:01:20][INFO] gathering HTTP responses
[15:01:22][INFO] gathering normal response to compare against
[15:01:22][INFO] loading firewall detection scripts
[15:01:22][INFO] running firewall detection checks
[15:01:23][WARN] no protection identified on target, verifying
[15:01:24][SUCCESS] no protection identified on target
[15:01:24][INFO] URL has been cached for future use
[15:01:24][INFO] Skipping mining procedure
(venv) [user1@localhost WhatWaf]$ ./whatwaf -u https://(redacted 2)/
[15:01:32][INFO] currently running on: linux
(WhatWaf ASCII-art banner)
/*!00000/><script>alert("WhatWaf?<|>v2.1.6.3($dev)");</script>*/
[15:01:32][INFO] attempting to update WhatWaf
[15:01:34][INFO] WhatWaf is the newest version
[15:01:34][WARN] it is highly advised to use a proxy when using WhatWaf. do so by passing the proxy flag (IE `--proxy http://127.0.0.1:9050`) or by passing the Tor flag (IE `--tor`)
[15:01:34][INFO] using User-Agent 'whatwaf/2.1.6.3 (Language=3.9.21; Platform=Linux)'
[15:01:34][INFO] using default payloads
[15:01:34][INFO] testing connection to target URL before starting attack
[15:01:36][SUCCESS] connection succeeded, continuing
[15:01:36][INFO] running single web application 'https://(redacted 2)/'
[15:01:36][WARN] URL does not appear to have a query (parameter), this may interfere with the detection results
[15:01:36][INFO] request type: GET
[15:01:36][INFO] gathering HTTP responses
[15:02:35][INFO] gathering normal response to compare against
[15:02:38][INFO] loading firewall detection scripts
[15:02:38][INFO] running firewall detection checks
[15:02:39][FIREWALL] CloudFlare Web Application Firewall (CloudFlare)
[15:02:39][INFO] starting bypass analysis
[15:02:39][INFO] loading payload tampering scripts
[15:02:39][INFO] running tampering bypass checks
^C^C (took too long, interrupted)
[15:05:47][FATAL] user aborted scanning
(venv) [user1@localhost WhatWaf]$
********************************************************************************
Does WhatWaf only determine whether a WAF is present, or does it include other scanning as well?
ChatGPT says:
WhatWaf does not just determine whether a target website has a WAF (Web Application Firewall) deployed; it also includes some additional features, making it one of the more complete Web Application Firewall fingerprinting tools. Its main functions are as follows:
✅ Main functions:
1. WAF detection and identification (core function)
- Sends specific requests (such as payloads or headers) and observes the target's response behaviour.
- Compares the responses against the WAF signatures in its database to determine which WAF is in use (e.g. Cloudflare, AWS WAF, F5 BIG-IP, Imperva).
2. Advanced fingerprint matching and response analysis
- Analyses details such as HTTP response codes, headers and error messages.
- Uses fuzzing to improve identification accuracy.
3. Scanning (limited)
- WhatWaf does not aim to be a full vulnerability or target scanner, unlike Nikto, Wapiti or OWASP ZAP.
- It does, however, send a variety of payloads to trigger WAF responses, which indirectly reveals how the WAF reacts to particular attack types (e.g. XSS, SQLi).
4. Output and integration support
- Results can be output as JSON, TXT, or passed to other tools.
- Can be used in a pipeline together with other tools.
Summary:
| Feature | Supported | Notes |
| --- | --- | --- |
| Detect whether a WAF exists | ✅ Yes | Main function |
| Identify which WAF | ✅ Yes | Supports many WAF fingerprints |
| Fuzzing | ✅ Partial | Used for WAF detection |
| Attack testing | ⚠️ WAF reaction testing only | Not a full vulnerability scan |
| Vulnerability scanning | ❌ No | Not a vulnerability scanner |
| Integration | ✅ Yes | Works with other tools |
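The first trial run above ends with two "reasons" instead of a named firewall, while the third names Cloudflare outright; the answer above describes the same two-stage logic in words. The following is an added example, not WhatWaf's own code and not part of the original post, that reconstructs that verdict on responses constructed inline; the signature table and the volatile-header list are assumptions of this example, not WhatWaf's detection scripts.

```python
from dataclasses import dataclass

# Headers that legitimately change between any two requests; ignoring them
# keeps an ordinary site from looking "protected" (this list is our assumption).
VOLATILE_HEADERS = {"date", "content-length", "set-cookie", "etag", "expires", "age"}

# Simplified signature table constructed for this example; WhatWaf ships many
# more detection scripts. A Cloudflare-fronted site answers with a cf-ray header
# and Server: cloudflare.
SIGNATURES = {
    "CloudFlare Web Application Firewall (CloudFlare)": lambda r: (
        "cf-ray" in r.headers or r.headers.get("server", "").lower() == "cloudflare"
    ),
}

@dataclass
class Response:
    status: int
    headers: dict  # header names are stored lower-case

    def stable_headers(self):
        return {k: v for k, v in self.headers.items() if k not in VOLATILE_HEADERS}

def identify(responses):
    """Stage 1: name the first known firewall whose signature matches any response."""
    for name, matches in SIGNATURES.items():
        if any(matches(r) for r in responses):
            return name
    return None

def unknown_protection_reasons(normal, payload_responses):
    """Stage 2, run when stage 1 finds nothing: why the target still behaves
    as if something filters payload-carrying requests."""
    reasons = []
    if any(r.stable_headers() != normal.stable_headers() for r in payload_responses):
        reasons.append("header values differ when a payload is provided")
    if any(r.status != normal.status for r in payload_responses):
        reasons.append("response status code differs when a payload is provided")
    return reasons

def detect(normal, payload_responses):
    """Combine both stages into the three verdicts seen in the trial runs."""
    name = identify([normal, *payload_responses])
    if name:
        return ("identified", name)
    reasons = unknown_protection_reasons(normal, payload_responses)
    return ("unknown protection", reasons) if reasons else ("no protection identified", [])

# Constructed sample responses: a plain request gets 200, a payload-carrying one
# 403 with a changed Server header, reproducing the two reasons printed for the DVWA host.
NORMAL = Response(200, {"server": "Apache/2.4.62", "content-type": "text/html", "date": "Fri, 09 May 2025 07:00:00 GMT"})
BLOCKED = Response(403, {"server": "Apache", "content-type": "text/html", "date": "Fri, 09 May 2025 07:00:01 GMT"})
CLOUDFLARE = Response(200, {"server": "cloudflare", "cf-ray": "placeholder-ray-id", "content-type": "text/html"})

if __name__ == "__main__":
    print(detect(NORMAL, [BLOCKED]))
    print(detect(CLOUDFLARE, [CLOUDFLARE]))
```

A response that differs only in the Date header yields no reasons, which is why the volatile-header filter matters before comparing.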
********************************************************************************
If I only want to determine whether a WAF exists, without doing any scanning, which parameters should I add?
ChatGPT says:
If you only want to use WhatWaf to determine whether a WAF exists (without any further fuzzing or attack testing), you can use a more conservative, static combination of parameters to avoid triggering the site's defences.
✅ Suggested command and parameters:
whatwaf -u https://example.com --ra --skip-tls-validation --check-tor --no-tor --verify-num 1
Note: in actual testing this produced whatwaf: error: unrecognized arguments: --skip-tls-validation --no-tor
📌 Parameter descriptions:
| Parameter | Description |
| --- | --- |
| -u https://example.com | Specify the target URL |
| --ra | Use a random user-agent to avoid being blocked |
| --skip-tls-validation | Ignore SSL certificate errors so the scan does not abort |
| --check-tor | Check whether you are on a Tor node |
| --no-tor | Do not use Tor (avoid tripping defences) |
| --verify-num 1 | Send only one verification request, reducing detection noise (lightweight detection) |
❌ Parameters not recommended (they increase detection intensity):
| Parameter | Reason |
| --- | --- |
| --tamper-strings | Sends more anomalous payloads, provoking a defensive response |
| --fuzzer | Enables fuzz testing, not static analysis |
| --tor | Uses Tor exit nodes, which may cause blocking or misjudgement |
🎯 Summary:
If your goal is to quietly and quickly confirm whether a WAF is present, use the basic -u together with --ra --verify-num 1 and avoid enabling aggressive parameters. WhatWaf's default behaviour already sends a small number of payloads, but not the kind of deep attack testing a scanner performs.
********************************************************************************
Help output
(venv) [user1@localhost WhatWaf]$ ./whatwaf -help
[15:35:44][INFO] currently running on: linux
usage: ./whatwaf -[u|l|b|g] VALUE|PATH|PATH|PATH [-p|--pl] PAYLOAD,..|PATH [--args]
optional arguments:
-h, --help show this help message and exit
mandatory arguments:
arguments that have to be passed for the program to run
-u URL, --url URL Pass a single URL to detect the protection
-l PATH, --list PATH, -f PATH, --file PATH
Pass a file containing URL's (one per line) to detect the protection
-b FILE-PATH, --burp FILE-PATH
Pass a Burp Suite request file to perform WAF evaluation
-g GOOGLER-JSON-FILE, --googler GOOGLER-JSON-FILE
Pass a JSON file from the Googler CMD line tool (IE googler -n 100 --json >> googler.json)
request arguments:
arguments that will control your requests
--pa USER-AGENT Provide your own personal agent to use it for the HTTP requests
--ra Use a random user-agent for the HTTP requests (*default=whatwaf/2.1.6.3 (Language=3.9.21; Platform=Linux))
-H HEADER=VALUE,HEADER:VALUE.., --headers HEADER=VALUE,HEADER:VALUE..
Add your own custom headers to the request. To use multiple separate headers by comma. Your headers need to be exact(IE: Set-Cookie=a345ddsswe,X-Forwarded-For:127.0.0.1) (*default=None)
--proxy PROXY Provide a proxy to run behind in the format type://address:port (IE socks5://10.54.127.4:1080) (*default=None)
--tor Use Tor as the proxy to run behind, must have Tor installed (*default=False)
--check-tor Check your Tor connection (default=False)
-p PAYLOADS, --payloads PAYLOADS
Provide your own payloads separated by a comma IE AND 1=1,AND 2=2
--pl PAYLOAD-LIST-PATH
Provide a file containing a list of payloads 1 per line
--force-ssl Force the assignment of HTTPS instead of HTTP while processing (*default=HTTP unless otherwise specified by URL)
--throttle THROTTLE-TIME (seconds)
Provide a sleep time per request (*default=0)
--timeout TIMEOUT Control the timeout time of the requests (*default=15)
-P, --post Send a POST request (*default=GET)
-D POST-STRING, --data POST-STRING
Send this data with the POST request (*default=random)
-t threaded, --threads threaded
Send requests in parallel (specify number of threads (*default=1)
-tP CONFIGTORPORT, --tor-port CONFIGTORPORT
Change the port that Tor runs on (*default=9050)
-T, --test Test the connection to the website before starting (*default=True)
encoding options:
arguments that control the encoding of payloads
-e PAYLOAD [TAMPER-SCRIPT-LOAD-PATH ...], --encode PAYLOAD [TAMPER-SCRIPT-LOAD-PATH ...]
Encode a provided payload using provided tamper script(s) you are able to payy multiple tamper script load paths to this argument and the payload will be tampered as requested
-el PATH TAMPER-SCRIPT-LOAD-PATH, --encode-list PATH TAMPER-SCRIPT-LOAD-PATH
Encode a file containing payloads (one per line) by passing the path and load path, files can only encoded using a single tamper script load path
output options:
arguments that control how WhatWaf handles output
-F, --format Format the output into a dict and display it
-J, --json Send the output to a JSON file
-Y, --yaml Send the output to a YAML file
-C, --csv Send the output to a CSV file
--fingerprint Save all fingerprints for further investigation
--tamper-int INT Control the amount of tampers that are displayed (*default=5)
--traffic FILENAME store all HTTP traffic headers into a file of your choice
--force-file Force the creation of a file even if there is no protection identified
-o DIR, --output DIR Save a copy of the file to an arbitrary directory
database arguments:
arguments that pertain to Whatwafs database
-c, --url-cache Check against URL's that have already been cached into the database before running them saves some time on scanning multiple (*default=False)
-uC, --view-url-cache
Display all the URL cache inside of the database, this includes the netlock, tamper scripts, webserver, and identified protections
-pC, --payload-cache View all payloads that have been cached inside of the database
-vC, --view-cache View all the cache in the database, everything from URLs to payloads
--export FILE-TYPE Export the already encoded payloads to a specified file type and save them under the home directory
wizard arguments:
arguemnts that have to do with building scripts
misc arguments:
arguments that don't fit in any other category
--verbose Run in verbose mode (more output)
--hide Hide the banner during the run
--update Update WhatWaf to the newest development version
--save FILENAME Save the encoded payloads into a file
--skip Skip checking for bypasses and just identify the firewall
--verify-num INT Change the request amount to verify if there really is not a WAF present(*default=5)
-W, --determine-webserver
Attempt to determine what web server is running on the backend (IE Apache, Nginx, etc.. *default=False)
--wafs Output a list of possible firewalls that can be detected by WhatWaf
--tampers Output a list of tamper script load paths with their description
(venv) [user1@localhost WhatWaf]$
It feels like wafw00f 2.3.1 on Kali Linux 2025.3 detects WAFs a bit faster, and it has far fewer parameters.
(End)