Downloading the vulnerability scanner Nikto
Nikto is an open-source web scanning and assessment tool. It runs a range of security tests against web servers and can detect more than 2600 potentially dangerous files, CGIs and other problems across more than 230 server types. Nikto can identify a target host's web server type and hostname, scan specified directories and specific CGI vulnerabilities, and report the HTTP methods the host allows.
After installing and deploying nginx+modsecurity, it is worth checking whether any vulnerabilities remain, which is why this scanner is used here.
Some of Nikto's main features:
SSL support (Unix with OpenSSL, or Windows with ActiveState's Perl/NetSSL)
Full HTTP proxy support
Checks for outdated server components
Saves reports in plain text, XML, HTML, NBE or CSV
Customisable reports via templates
Scans multiple ports on a server, or multiple servers from the output of another tool (e.g. nmap)
LibWhisker's IDS encoding techniques
Identifies installed software from headers, favicons and files
Host authentication with Basic and NTLM
Subdomain guessing
Apache and cgiwrap username enumeration
1. Download Nikto
[root@CetnOS-GUI /usr/local/src]# git clone https://github.com/sullo/nikto
Cloning into 'nikto'...
remote: Enumerating objects: 44, done.
remote: Counting objects: 100% (44/44), done.
remote: Compressing objects: 100% (33/33), done.
remote: Total 6136 (delta 22), reused 27 (delta 11), pack-reused 6092
Receiving objects: 100% (6136/6136), 4.09 MiB | 10.00 KiB/s, done.
Resolving deltas: 100% (4442/4442), done.
2. Usage
[root@CetnOS-GUI /usr/local/src/nikto]# perl program/nikto.pl -h localhost
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 80
+ Message: Multiple IP addresses found: 127.0.0.1, 127.0.0.1
+ Start Time: 2020-12-22 14:17:39 (GMT8)
---------------------------------------------------------------------------
+ Server: nginx/1.16.1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 7855 requests: 0 error(s) and 2 item(s) reported on remote host
+ End Time: 2020-12-22 14:18:35 (GMT8) (56 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[root@CetnOS-GUI /usr/local/src/nikto]#
Result: 7855 requests: 0 error(s) and 2 item(s) reported on remote host
Two issues were found: the two missing security headers reported above (X-Frame-Options and X-Content-Type-Options).
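As an added example that is not part of the original post, the following POSIX shell check verifies the two headers Nikto reported missing. It runs here on constructed sample responses; the nginx add_header directives in the comments are the assumed fix (the values SAMEORIGIN and nosniff are the standard ones), and count_missing_headers is a hypothetical helper name.

```sh
#!/bin/sh
# Count how many of the two headers flagged by Nikto are absent from a file of raw
# HTTP response headers (e.g. saved with: curl -sI http://localhost/ > headers.txt).
# Prints the number of missing headers on stdout; details go to stderr.
count_missing_headers() {
    n=0
    for hdr in X-Frame-Options X-Content-Type-Options; do
        # Header names are case-insensitive; CRLF line endings do not affect the anchor.
        if grep -qi "^${hdr}:" "$1"; then
            echo "present: ${hdr}" >&2
        else
            echo "missing: ${hdr}" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample: headers as the scanned nginx above returned them (both missing).
before_file=$(mktemp)
printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.16.1\r\nContent-Type: text/html\r\n' > "$before_file"

# Constructed sample: the same server after adding to the nginx server block
# (assumed fix, then `nginx -s reload` and re-run: perl program/nikto.pl -h localhost):
#   add_header X-Frame-Options "SAMEORIGIN" always;
#   add_header X-Content-Type-Options "nosniff" always;
after_file=$(mktemp)
printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.16.1\r\nX-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\nContent-Type: text/html\r\n' > "$after_file"

echo "missing before fix: $(count_missing_headers "$before_file")"   # 2
echo "missing after fix:  $(count_missing_headers "$after_file")"    # 0
```

Nikto's "2 item(s)" should drop to zero on a re-scan once both headers are present on every response, including error pages (hence `always`).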