Arachni is a versatile, modular, high-performance Ruby framework designed to help security testers and administrators assess the security of web applications. Arachni is open source and free, can be installed on Windows, Linux and macOS, and can export assessment reports.
1. Downloading and starting Arachni, using a Linux environment as the example
Download address: http://www.arachni-scanner.com/download/
Extract arachni-1.5.1-0.5.12-darwin-x86_64.tar.gz, enter the bin folder under the arachni-1.5.1-0.5.12 directory, run ./arachni_web, and then open http://localhost:9292 in a browser.
2. Configuring a scan in Arachni
The Arachni directory contains brief usage notes for the tool, where the initial username and password after installation can also be found:
tdcqma:arachni-1.5.1-0.5.12 $ ls
LICENSE         TROUBLESHOOTING bin
README          VERSION         system
tdcqma:arachni-1.5.1-0.5.12 $ cat README
Arachni - Web Application Security Scanner Framework

Homepage           - http://arachni-scanner.com
Blog               - http://arachni-scanner.com/blog
Documentation      - https://github.com/Arachni/arachni/wiki
Support            - http://support.arachni-scanner.com
GitHub page        - http://github.com/Arachni/arachni
Code Documentation - http://rubydoc.info/github/Arachni/arachni
Author             - Tasos "Zapotek" Laskos (http://twitter.com/Zap0tek)
Twitter            - http://twitter.com/ArachniScanner
Copyright          - 2010-2017 Sarosys LLC
License            - Arachni Public Source License v1.0 -- see LICENSE file)

--------------------------------------------------------------------------------

To use Arachni run the executables under "bin/".

To launch the Web interface:
    bin/arachni_web

    Default account details:
        Administrator:
            E-mail address: admin@admin.admin
            Password:       administrator
        User:
            E-mail address: user@user.user
            Password:       regular_user

For a quick scan: via the command-line interface:
    bin/arachni http://test.com

To see the available CLI options:
    bin/arachni -h

For detailed documentation see:
    http://arachni-scanner.com/wiki/User-guide

Upgrading/migrating
--------------

To migrate your existing data into this new package please see:
    https://github.com/Arachni/arachni-ui-web/wiki/upgrading

Troubleshooting
--------------

See the included TROUBLESHOOTING file.

Disclaimer
--------------

Arachni is free software and you are allowed to use it as you see fit.
However, I can't be held responsible for your actions or for any damage
caused by the use of this software.

Copying
--------------

For the Arachni license please see the LICENSE file.

The bundled PhantomJS (http://phantomjs.org/) executable is distributed
under the BSD license:
    https://github.com/ariya/phantomjs/blob/master/LICENSE.BSD
tdcqma:arachni-1.5.1-0.5.12 $
Open http://localhost:9292 in the browser to reach the login page.
After logging in, click Administrator -> Edit account in the top right corner to change the default password.
Create a new scan via Scans -> +New and configure the scan options; the security profiles cover XSS, SQL injection and so on, and in the default case choosing Default is sufficient.
Scan result analysis: the total number of detected weaknesses and an overview of the vulnerability categories.
Click "awaiting review" to open the detailed vulnerability description view.
Report export, using HTML format as the example.
View the report, which includes summary charts and detailed vulnerability descriptions.
Reposted from: https://blog.51cto.com/yueying/2047896
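The totals and per-category overview that the web UI shows can also be produced from the JSON reporter output (bin/arachni_reporter report.afr --reporter=json:outfile=report.json), which is handier when scans run unattended. The Ruby script below is an added example, not part of the original post or of the Arachni project; it assumes the report carries a top-level "issues" array whose entries have "name" and "severity" keys, and the embedded sample report is constructed for illustration rather than real scan output.

```ruby
require 'json'

# Constructed sample of an Arachni JSON report (structure assumed: top-level
# "issues" array with "name" and "severity" per entry); not real scan output.
SAMPLE_REPORT = <<~JSON
  {
    "issues": [
      {"name": "Cross-Site Scripting (XSS)", "severity": "high",
       "vector": {"type": "form", "url": "http://target.example/search"}},
      {"name": "SQL Injection", "severity": "high",
       "vector": {"type": "link", "url": "http://target.example/item?id=1"}},
      {"name": "Missing 'X-Frame-Options' header", "severity": "low",
       "vector": {"type": "server", "url": "http://target.example/"}},
      {"name": "Cross-Site Scripting (XSS)", "severity": "high",
       "vector": {"type": "link", "url": "http://target.example/q?term=a"}},
      {"name": "Interesting response", "severity": "informational",
       "vector": {"type": "server", "url": "http://target.example/robots.txt"}}
    ]
  }
JSON

# Arachni severity levels, most severe first.
SEVERITY_ORDER = %w[high medium low informational].freeze

# Parse a report and return { total:, by_severity:, by_name: }.
def summarize_report(json_text)
  issues = JSON.parse(json_text).fetch('issues', [])
  by_severity = Hash.new(0)
  by_name = Hash.new(0)
  issues.each do |issue|
    by_severity[issue['severity'].to_s.downcase] += 1
    by_name[issue['name']] += 1
  end
  { total: issues.size, by_severity: by_severity, by_name: by_name }
end

# CI-style verdict: true when no issue is more severe than max_allowed.
def passes_threshold?(summary, max_allowed: 'medium')
  idx = SEVERITY_ORDER.index(max_allowed) || 0
  SEVERITY_ORDER[0...idx].all? { |sev| summary[:by_severity][sev].zero? }
end

if __FILE__ == $PROGRAM_NAME
  s = summarize_report(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT)
  puts "Total issues: #{s[:total]}"
  SEVERITY_ORDER.each { |sev| puts "  #{sev.ljust(13)} #{s[:by_severity][sev]}" }
  s[:by_name].sort_by { |n, c| [-c, n] }.each { |n, c| puts "  #{c}x #{n}" }
  puts(passes_threshold?(s) ? 'PASS' : 'FAIL: high-severity issues present')
end
```

Run it as `ruby summarize.rb report.json` against a real export, or without arguments to see the constructed sample summarized.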